[GH-ISSUE #270] Support for KMS #138

Closed
opened 2026-03-04 01:42:31 +03:00 by kerem · 2 comments
Owner

Originally created by @jpeacock-mypoints on GitHub (Sep 17, 2015).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/270

Does S3FS support AWS-KMS keys? I don't see a way to implement those.


@ggtakec commented on GitHub (Oct 6, 2015):

@jpeacock-mypoints
I merged new code for this issue (support for SSE-KMS) - #278
And I modified the use_sse option for this change.
After this change, s3fs supports No-SSE (SSE disabled), SSE-S3, SSE-C (using a custom key), and SSE-KMS (AWS Key Management Id).

Please try to use and check latest code on master branch.
Thanks in advance for your help.

About use_sse option:
  • use_sse option not specified
    default is SSE-DISABLE
  • "use_sse" or "use_sse=1" (old type parameter)
    uses Amazon S3-managed encryption keys
  • "use_sse=custom:'filepath'" or "use_sse='filepath'" (old type parameter)
    uses customer-provided encryption keys.
    The custom key file must have 600 permission.
    The file can have several lines; each line is one SSE-C key.
    The first line in the file is used as the Customer-Provided Encryption Key for uploading, changing headers, etc.
    If there are keys after the first line, those are used for downloading objects which are encrypted with a key other than the first.
    So you can keep all SSE-C keys in the file, as an SSE-C key history.
  • "use_sse=custom"
    If you specify "custom" ("c") without a file path, you need to set the custom key with the load_sse_c option or the AWSSSECKEYS environment variable.
    (The AWSSSECKEYS environment variable holds SSE-C keys separated by ":".)
    This option is used to decide the SSE type.
    So if you do not want to encrypt an object when uploading, but need to decrypt encrypted objects when downloading, you can use the load_sse_c option instead of this option.
  • "use_sse=kmsid" or "use_sse=kmsid:'kms id'"
    uses the master key which you manage in AWS KMS.
    You can use "k" as short for "kmsid".
    If you can specify the SSE-KMS type with your 'kms id' in AWS KMS, you can set it after "kmsid:" (or "k:").
    If you specify only "kmsid" ("k"), you need to set the AWSSSEKMSID environment variable, whose value is the 'kms id'.

Notice:

Be careful: you cannot use a KMS id that is not in the same EC2 region.
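
An added example, not part of the comments in this thread and not s3fs code: a pre-mount check that classifies a `use_sse` option token by the rules listed above and verifies the stated prerequisites (key file mode 600, `AWSSSEKMSID` set when no id is given). The helper names `file_mode` and `check_use_sse` are hypothetical.

```shell
#!/bin/sh
# Added example (not s3fs code): check a use_sse option token against the
# rules listed in the comment above. Helper names are hypothetical.

# Octal permission bits of a file (GNU stat, then BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_use_sse TOKEN   (TOKEN is "" when the option is not given)
# Prints the resulting SSE type; returns non-zero on a missing prerequisite.
check_use_sse() {
    case "$1" in
        "")                echo "SSE-DISABLE"; return 0 ;;
        use_sse|use_sse=1) echo "SSE-S3"; return 0 ;;
        use_sse=*)         val=${1#use_sse=} ;;
        *)                 echo "error: not a use_sse option: $1" >&2; return 2 ;;
    esac
    case "$val" in
        k:?*|kmsid:?*)
            echo "SSE-KMS" ;;
        k|kmsid)
            # No id after the keyword: it must come from AWSSSEKMSID.
            [ -n "${AWSSSEKMSID:-}" ] || { echo "error: AWSSSEKMSID is not set" >&2; return 1; }
            echo "SSE-KMS" ;;
        c|custom)
            # No file path: keys come from load_sse_c or AWSSSECKEYS.
            [ -n "${AWSSSECKEYS:-}" ] || echo "note: AWSSSECKEYS unset, load_sse_c must supply the key" >&2
            echo "SSE-C" ;;
        *)
            # "custom:<file>" or the old-style bare "<file>".
            file=${val#custom:}
            [ -f "$file" ] || { echo "error: key file not found: $file" >&2; return 1; }
            [ "$(file_mode "$file")" = "600" ] || { echo "error: $file must have mode 600" >&2; return 1; }
            grep -q . "$file" || { echo "error: $file has no key lines" >&2; return 1; }
            echo "SSE-C" ;;
    esac
}

# Stand-alone use: sh check_use_sse.sh 'use_sse=custom:/path/to/keyfile'
if [ "$#" -gt 0 ]; then
    check_use_sse "$1"
fi
```

The same-region requirement for the KMS id cannot be checked offline and is not covered by this script.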


@ggtakec commented on GitHub (Oct 6, 2015):

I closed this issue, but if you have (find) a problem, please let us know.
Regards,
