mirror of
https://github.com/s3fs-fuse/s3fs-fuse.git
synced 2026-04-25 13:26:00 +03:00
[GH-ISSUE #2641] Non-aws password file with plaintext aksk has security risks #1260
Labels
No labels
bug
bug
dataloss
duplicate
enhancement
feature request
help wanted
invalid
need info
performance
pull-request
question
question
testing
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
starred/s3fs-fuse#1260
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @hbao0915 on GitHub (Feb 8, 2025).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/2641
Feature request
S3fs requires plaintext Access Key (AK) and Secret Key (SK) without any encryption in the passwd_file option, which may causes security risks such as AKSK leaking. In addition, even if I try to rotate the credential using temporary security credentials, s3fs process needs to be restarted in order to load the new credential(mentioned in #1290 ).
So could you please provide any mechanism to encrypt the plaintext password file?
@gaul commented on GitHub (Feb 8, 2025):
What does the AWS CLI do? s3fs will follow this.
@hbao0915 commented on GitHub (Feb 8, 2025):
So is there any plan to reinforce the non-AWS-CLI method, like encrypting the aksk on the disk and decrypting it while reading.
@gaul commented on GitHub (Feb 8, 2025):
No.
@ggtakec commented on GitHub (Feb 9, 2025):
If it is absolutely necessary, and you have sufficient knowledge, you can create your own DSO(library) and specify it in the
credliboption.Although it is not very helpful, an example of a DSO implementation (I/F, etc.) to specify in
credlibcan be found at https://github.com/ggtakec/s3fs-fuse-awscred-lib.