This repository was archived by the owner on Jun 19, 2025. It is now read-only.
Add encrypted file system store (encrypt files at rest)#489
Open
derSascha wants to merge 1 commit intominio:masterfrom
Open
Add encrypted file system store (encrypt files at rest)#489derSascha wants to merge 1 commit intominio:masterfrom
derSascha wants to merge 1 commit intominio:masterfrom
Conversation
derSascha
changed the title
derSascha
changed the title
derSascha
force-pushed
the
encrypted-fs-backend
branch
2 times, most recently
from
bf1c74d to
fa4a9ff
Compare
Add a keystore implementation, that wraps a file system store, but encrypts the files. Fixes: minio#392 Signed-off-by: Sascha Wolke <dersascha@users.noreply.github.com>
derSascha
force-pushed
the
encrypted-fs-backend
branch
from
fa4a9ff to
8b55a05
Compare
harshavardhana
force-pushed
the
master
branch
3 times, most recently
from
f832434 to
63649d0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull-request adds a keystore implementation, that wraps a file system store, but encrypts the files at rest 🎉
Why is this useful?
In smaller setups, using a cloud KMS might become expensive, and a Vault setup that must be unlocked all the time complicated too.
How does it work?
The implementation combines existing things. It wraps the file system store, and encrypts the file content using a
SecretKey. The encryption key must be provided in a dedicated file that contains exactly 32 bytes.Is it secure?
Storing the encryption key around the file store does not make it secure, but storing the key in a remote location helps. You might mount a remote file system with the key via e.g. ssh or download the key via HTTPS to a temporary (in memory) directory.
Why not using file system encryption?
Encryption at rest has the nice benefit that backups of the file store are secure. Setting up file system encryption without manual unlocking on reboots might not easy to setup too.
How to use?
Create a new encryption key:
Configure the encrypted file store:
This pull-request adds a new store, instead of modifying the existing file system store. This has the nice benefit that we can ensure the encryption key is set, and not missing by mistake. The configuration key is named
encryptedfsand the implementationefs.Fixes #392