[GH-ISSUE #817] Binary encryption keys for SSE-C should be supported #474

New issue

Closed

opened 2026-03-04 01:45:55 +03:00 by kerem · 5 comments

kerem commented

2026-03-04 01:45:55 +03:00

Owner

Originally created by @earlchew on GitHub (Sep 4, 2018).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/817

Support for SSE-C was added in https://github.com/s3fs-fuse/s3fs-fuse/issues/39.

The key is provided to S3 via:

x-amz-server-side-encryption-customer-key
Use this header to provide the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.

Extraction of the SSE-C keys might occur from a file, or from an environment variable. The former assumes that '\n' can be used to separate one key from another, the latter makes the same kind of assumption for ':'. This means that the key cannot contain '\0', and either cannot contain '\n' or ':'.

  string   line;
  while(getline(ssefs, line)){
    S3fsCurl::PushbackSseKeys(line);
  }

  istringstream fullkeys(envkeys);
  string        onekey;
  while(getline(fullkeys, onekey, ':')){
    S3fsCurl::PushbackSseKeys(onekey);
  }

Since the key will be converted to base64 before being conveyed to S3 anyway, I'm thinking that ingesting the key from a file or environment variable as base64 would be a more robust approach.

bool S3fsCurl::PushbackSseKeys(string& onekey)
{
  onekey = trim(onekey);
  if(0 == onekey.size()){
    return false;
  }
  if('#' == onekey[0]){
    return false;
  }
  // make base64
  char* pbase64_key;
  if(NULL == (pbase64_key = s3fs_base64((unsigned char*)onekey.c_str(), onekey.length()))){
    S3FS_PRN_ERR("Failed to convert base64 from SSE-C key %s", onekey.c_str());
    return false;
  }
...

Using base64 encoding, either '\n' or ':' can be used as key separators (https://en.wikipedia.org/wiki/Base64) and '\0' can terminate base64 strings.

What do you think is a good way to support this feature without breaking existing behaviour?

Originally created by @earlchew on GitHub (Sep 4, 2018). Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/817 Support for SSE-C was added in https://github.com/s3fs-fuse/s3fs-fuse/issues/39. The key is provided to S3 via: > x-amz-server-side-encryption-customer-key > Use this header to provide the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data. Extraction of the SSE-C keys might occur from a file, or from an environment variable. The former assumes that `'\n'` can be used to separate one key from another, the latter makes the same kind of assumption for `':'`. This means that the key cannot contain `'\0'`, and either cannot contain `'\n'` or `':'`. ``` string line; while(getline(ssefs, line)){ S3fsCurl::PushbackSseKeys(line); } ``` ``` istringstream fullkeys(envkeys); string onekey; while(getline(fullkeys, onekey, ':')){ S3fsCurl::PushbackSseKeys(onekey); } ``` Since the key will be converted to base64 before being conveyed to S3 anyway, I'm thinking that ingesting the key from a file or environment variable as base64 would be a more robust approach. ``` bool S3fsCurl::PushbackSseKeys(string& onekey) { onekey = trim(onekey); if(0 == onekey.size()){ return false; } if('#' == onekey[0]){ return false; } // make base64 char* pbase64_key; if(NULL == (pbase64_key = s3fs_base64((unsigned char*)onekey.c_str(), onekey.length()))){ S3FS_PRN_ERR("Failed to convert base64 from SSE-C key %s", onekey.c_str()); return false; } ... ``` Using base64 encoding, either `'\n'` or `':'` can be used as key separators (https://en.wikipedia.org/wiki/Base64) and `'\0'` can terminate base64 strings. What do you think is a good way to support this feature without breaking existing behaviour?

kerem closed this issue

2026-03-04 01:45:56 +03:00

kerem commented

2026-03-04 01:45:56 +03:00

Author

Owner

@earlchew commented on GitHub (Sep 16, 2018):

I've made a candidate patch that enables the use of base64 encoded binary keys:

github.com/s3fs-fuse/s3fs-fuse@41c23adb0e

I'll test drive this for a while before submitting a pull request.

This patch is backwards compatible with current behaviour, which I note will break some binary keys as it shortens keys that appear to contain leading whitespace, and will refuse to use keys that start with '#':

bool S3fsCurl::PushbackSseKeys(string& onekey)
{
  onekey = trim(onekey);
  if(0 == onekey.size()){
    return false;
  }
  if('#' == onekey[0]){
    return false;
  }

@earlchew commented on GitHub (Sep 16, 2018): I've made a candidate patch that enables the use of base64 encoded binary keys: https://github.com/s3fs-fuse/s3fs-fuse/commit/41c23adb0e10d3c276f2a81a5cf04fdff8740113 I'll test drive this for a while before submitting a pull request. This patch is backwards compatible with current behaviour, which I note will break some binary keys as it shortens keys that appear to contain leading whitespace, and will refuse to use keys that start with `'#'`: ``` bool S3fsCurl::PushbackSseKeys(string& onekey) { onekey = trim(onekey); if(0 == onekey.size()){ return false; } if('#' == onekey[0]){ return false; } ```

kerem commented

2026-03-04 01:45:56 +03:00

Author

Owner

@earlchew commented on GitHub (Jan 5, 2019):

I've used this change for a while now, and it seems stable enough to submit a pull request.

@earlchew commented on GitHub (Jan 5, 2019): I've used this change for a while now, and it seems stable enough to submit a pull request.

kerem commented

2026-03-04 01:45:57 +03:00

Author

Owner

@gaul commented on GitHub (Jan 24, 2019):

Can we close this issue now that #882 merged?

@gaul commented on GitHub (Jan 24, 2019): Can we close this issue now that #882 merged?

kerem commented

2026-03-04 01:45:57 +03:00

Author

Owner

@earlchew commented on GitHub (Jan 24, 2019):