[PR #278] [MERGED] Supported for SSE KMS(#270) #1441

Closed
opened 2026-03-04 01:53:59 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/s3fs-fuse/s3fs-fuse/pull/278
Author: @ggtakec
Created: 10/6/2015
Status: Merged
Merged: 10/6/2015
Merged by: @ggtakec

Base: master ← Head: master


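📝 Commits (1)

f51ad1f Supported for SSE KMS (https://github.com/s3fs-fuse/s3fs-fuse/commit/f51ad1f33e523a98323078d1c4ad4e20476f28ca)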

📊 Changes

7 files changed (+409 additions, -212 deletions)


📝 doc/man/s3fs.1 (+24 -8)
📝 src/common.h (+1 -1)
📝 src/curl.cpp (+157 -105)
📝 src/curl.h (+31 -10)
📝 src/s3fs.cpp (+154 -69)
📝 src/s3fs.h (+0 -2)
📝 src/s3fs_util.cpp (+42 -17)

📄 Description

Supported for Server Side Encrypting with KMS id.
And modified use_sse option for this change.
After this change, s3fs supported No-SSE(SSE disable), SSE-S3, SSE-C(custom key using), and SSE-KMS(AWS Key Management Id).

About use_sse option:
  • not specify use_sse option
    default is SSE-DISABLE
  • "use_sse" or "use_sse=1"(old type parameter)
    uses Amazon S3-managed encryption keys
  • "use_sse=custom:'filepath'" or "use_sse='filepath'"(old type parameter)
    uses customer-provided encryption keys.
    The custom key file must be 600 permission.
    The file can have some lines, each line is one SSE-C key.
    The first line in file is used as Customer-Provided Encryption Keys for uploading and changing headers etc.
    If there are some keys after the first line, those are used for downloading objects which are encrypted by a key other than the first.
    So that, you can keep all SSE-C keys in file, that is SSE-C key history.
  • "use_sse=custom"
    If you specify "custom"("c") without file path, you need to set custom key by load_sse_c option or AWSSSECKEYS environment.
    (AWSSSECKEYS environment has some SSE-C keys with ":" separator.)
    This option is used to decide the SSE type.
    So that if you do not want to encrypt an object at uploading, but you need to decrypt an encrypted object at downloading, you can use load_sse_c option instead of this option.
  • "use_sse=kmsid" or "use_sse=kmsid:'kms id'"
    uses the master key which you manage in AWS KMS.
    You can use "k" for short "kmsid".
    If you can specify SSE-KMS type with your 'kms id' in AWS KMS, you can set it after "kmsid:"(or "k:").
    If you specify only "kmsid"("k"), you need to set AWSSSEKMSID environment which value is 'kms id'.
    You must be careful that you cannot use a KMS id which is not in the same EC2 region.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
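
The use_sse forms and the SSE-C key rules from the description above, as an added C++ example; it is not code from this PR or from s3fs. All type and function names are hypothetical, the quotes shown around 'filepath' and 'kms id' are treated as notation rather than part of the value, and "must be 600 permission" is read as mode exactly 0600 on a regular file.

```cpp
// Added example, not s3fs source: use_sse handling as the PR description states it.
#include <fstream>
#include <sstream>
#include <string>
#include <vector>
#include <sys/stat.h>

enum class SseType { Disable, S3, Custom, Kms };
struct SseChoice {
    SseType type;
    std::string arg;   // key file path (Custom) or KMS id (Kms); empty if not given
    bool from_env;     // value must come from load_sse_c / AWSSSECKEYS / AWSSSEKMSID
};

// `present` is false when use_sse is not given; `value` is the text after "use_sse=".
SseChoice classify_use_sse(bool present, const std::string& value) {
    if (!present) return {SseType::Disable, "", false};
    if (value.empty() || value == "1") return {SseType::S3, "", false};
    const std::string::size_type colon = value.find(':');
    const std::string head = value.substr(0, colon);
    const std::string tail = (colon == std::string::npos) ? "" : value.substr(colon + 1);
    if (head == "custom" || head == "c") return {SseType::Custom, tail, tail.empty()};
    if (head == "kmsid" || head == "k") return {SseType::Kms, tail, tail.empty()};
    return {SseType::Custom, value, false};   // old type: the value itself is the key file path
}

// Key file rule from the description: mode must be 600 (assumed: exactly, regular file).
bool key_file_mode_ok(const std::string& path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0 || !S_ISREG(st.st_mode)) return false;
    return (st.st_mode & 07777) == 0600;
}

// Split AWSSSECKEYS text (sep ':') or key file text (sep '\n'); element 0 is the upload key.
std::vector<std::string> split_keys(const std::string& text, char sep) {
    std::vector<std::string> keys;
    std::istringstream in(text);
    for (std::string k; std::getline(in, k, sep);)
        if (!k.empty()) keys.push_back(k);
    return keys;
}

// Load the SSE-C key history from a file, refusing files whose mode is not 600.
std::vector<std::string> load_key_file(const std::string& path) {
    if (!key_file_mode_ok(path)) return {};
    std::ifstream f(path);
    std::ostringstream buf;
    buf << f.rdbuf();
    return split_keys(buf.str(), '\n');
}
```

Refusing a key file that is readable by group or others matters here because every line in it is a raw SSE-C key, including retired keys that can still decrypt older objects.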
