starred/s3fs-fuse

Fork 0

mirror of https://github.com/s3fs-fuse/s3fs-fuse.git synced 2026-04-25 21:35:58 +03:00

[GH-ISSUE #718] Client-side encryption #408

New issue

Open

opened 2026-03-04 01:45:15 +03:00 by kerem · 9 comments

kerem commented

2026-03-04 01:45:15 +03:00

Owner

Originally created by @JamesB7 on GitHub (Feb 15, 2018).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/718

Hello,

Could you please consider supporting client-side encryption? ( https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html ) This would allow not sharing the encryption keys with Amazon.

Thank you!

James

Originally created by @JamesB7 on GitHub (Feb 15, 2018). Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/718 Hello, Could you please consider supporting client-side encryption? ( https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html ) This would allow not sharing the encryption keys with Amazon. Thank you! James

kerem added the

enhancement

help wanted

labels

2026-03-04 01:45:15 +03:00

kerem commented

2026-03-04 01:45:16 +03:00

Author

Owner

@sqlbot commented on GitHub (Feb 15, 2018):

Note that client-side encryption is not actually a feature of the S3 service itself -- it's actually a feature provided by a subset of the official AWS SDKs, none of which are used by s3fs-fuse.

@sqlbot commented on GitHub (Feb 15, 2018): Note that client-side encryption is not actually a feature of the S3 service itself -- it's actually a feature provided by a subset of the official AWS SDKs, none of which are used by s3fs-fuse.

kerem commented

2026-03-04 01:45:16 +03:00

Author

Owner

@maximpichler commented on GitHub (Jul 15, 2018):

Even though it's not an S3 feature, it would be very useful. Or are there other ways to do this?

@maximpichler commented on GitHub (Jul 15, 2018): Even though it's not an S3 feature, it would be very useful. Or are there other ways to do this?

kerem commented

2026-03-04 01:45:16 +03:00

Author

Owner

@gaul commented on GitHub (Oct 17, 2019):

An s3fs fork implements this:

https://github.com/hellochrisyou/S3FS_OpenSSL_RC4_MD5

However I think we should align with the AWS implementation to allow interoperability:

https://github.com/gaul/s3proxy/pull/296#issuecomment-530817114

@gaul commented on GitHub (Oct 17, 2019): An s3fs fork implements this: https://github.com/hellochrisyou/S3FS_OpenSSL_RC4_MD5 However I think we should align with the AWS implementation to allow interoperability: https://github.com/gaul/s3proxy/pull/296#issuecomment-530817114

kerem commented

2026-03-04 01:45:16 +03:00

Author

Owner

@jopdorp commented on GitHub (Jul 28, 2022):

client side encryption would be a great feature.

@jopdorp commented on GitHub (Jul 28, 2022): client side encryption would be a great feature.

kerem commented

2026-03-04 01:45:16 +03:00

Author

Owner

@rebelga commented on GitHub (Apr 5, 2023):

It's a big issue for me and why I can't use this currently. Without client side encryption, my data would be too exposed. Interoperability with AWS S3 SDK is not at all important to me, just S3FS interoperability across S3 providers.

@rebelga commented on GitHub (Apr 5, 2023): It's a big issue for me and why I can't use this currently. Without client side encryption, my data would be too exposed. Interoperability with AWS S3 SDK is not at all important to me, just S3FS interoperability across S3 providers.

kerem commented

2026-03-04 01:45:17 +03:00

Author

Owner

@gaul commented on GitHub (Apr 6, 2023):

@rebelga You can work around this with S3Proxy using the encryption middleware: https://github.com/gaul/s3proxy/pull/398. As for s3fs itself, I think it should follow the AWS style for interoperability.

@gaul commented on GitHub (Apr 6, 2023): @rebelga You can work around this with S3Proxy using the encryption middleware: https://github.com/gaul/s3proxy/pull/398. As for s3fs itself, I think it should follow the AWS style for interoperability.

kerem commented

2026-03-04 01:45:17 +03:00

Author

Owner

@woodlyer commented on GitHub (Nov 29, 2024):

there is a good client side s3 encryption production.
juicefs. it's open source. see the doc.
https://juicefs.com/docs/community/security/encryption/

juicefs support FUSE.
But, there is a little notice.
juicefs will splite files into parts, and you will have to use juicefs to access your files in s3 server.

@woodlyer commented on GitHub (Nov 29, 2024): there is a good client side s3 encryption production. juicefs. it's open source. see the doc. https://juicefs.com/docs/community/security/encryption/ juicefs support FUSE. But, there is a little notice. juicefs will splite files into parts, and you will have to use juicefs to access your files in s3 server.

kerem commented

2026-03-04 01:45:17 +03:00

Author

Owner

@ggtakec commented on GitHub (Jan 19, 2025):

In the past, I have tested encfs and ecryptfs in combination with s3fs to achieve client encryption (you must specify the use_xattr option), and it worked. I think it still works now.

@ggtakec commented on GitHub (Jan 19, 2025): In the past, I have tested `encfs` and `ecryptfs` in combination with s3fs to achieve client encryption (you must specify the use_xattr option), and it worked. I think it still works now.

kerem commented

2026-03-04 01:45:17 +03:00

Author

Owner

@zeroSteiner commented on GitHub (Aug 11, 2025):

I'm currently working on this in my feat/cse-v2-aes branch. I intend to follow the v2 (latest AFAIK) scheme / security profile from the official SDK and so far I have it reading and validating encrypted files with an AES key. I'm following the official SDK for compatibility which uses AES-GCM. AES-GCM is a great cipher, but in order to take advantage of the tag authentication, files have to be read and written in their entirety which will cause more latency. I don't think there is a way around this but it is a nice security feature.

I still need to implement writing encrypted files which will take a few weeks. The current implementation is for Linux only and uses OpenSSL. I wasn't planning on supporting:

OSX and Windows
Non-OpenSSL crypto libraries
KMS KEKs (a large part of my effort is driven by a desire to avoid vendor lock-in with AWS and since others don't seem to support this, it doesn't make sense to add)
RSA KEKs

I'll update this ticket once more when I have something ready to PR. I'm hoping to have that ready in maybe 2 months.

@zeroSteiner commented on GitHub (Aug 11, 2025): I'm currently working on this in my [feat/cse-v2-aes](https://github.com/zeroSteiner/s3fs-fuse/tree/feat/cse-v2-aes) branch. I intend to follow the v2 (latest AFAIK) scheme / security profile from the official SDK and so far I have it reading and validating encrypted files with an AES key. I'm following the official SDK for compatibility which uses AES-GCM. AES-GCM is a great cipher, but in order to take advantage of the tag authentication, files have to be read and written in their entirety which will cause more latency. I don't think there is a way around this but it is a nice security feature. I still need to implement writing encrypted files which will take a few weeks. The current implementation is for Linux only and uses OpenSSL. I wasn't planning on supporting: * OSX and Windows * Non-OpenSSL crypto libraries * KMS KEKs (a large part of my effort is driven by a desire to avoid vendor lock-in with AWS and since others don't seem to support this, it doesn't make sense to add) * RSA KEKs I'll update this ticket once more when I have something ready to PR. I'm hoping to have that ready in maybe 2 months.