
Mount SSE-C Encryption file for the AWS plugin #837

Closed
WafaAmr opened this issue Sep 27, 2022 · 18 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

WafaAmr commented Sep 27, 2022

Is your feature request related to a problem? Please describe.
The AWS plugin supports Server-Side Encryption with Customer-Managed Keys.

For example:

apiVersion: velero.io/v1
kind: BackupStorageLocation
...
spec:
  provider: velero.io/aws
  config:
    ...
    serverSideEncryption: AES256
    # Specify the file that contains the SSE-C customer key to enable customer key encryption of the backups
    # stored in S3. The referenced file should contain a 32-byte string.
    customerKeyEncryptionFile: "/credentials/customer-key"

As stated in the AWS BSL documentation, I can define a path to the encryption file. The question now is: where should I specify the name of the Secret object customer-key so that it is mounted inside the velero pod?

"Error getting backup store for this location" backupLocation=velero-sample-1 controller=backup-sync error="rpc error: code = Unknown desc = provided customerKeyEncryptionFile does not exist: /credentials/customer-key: stat /credentials/customer-key: no such file or directory"

Describe the solution you'd like
Provide a way to specify the secret customer-key as followed in backupLocation credential.

Additional context
OpenShift version: 4.9.48
OADP-Operator version: 1.1.0
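As an added example (not code from this issue, from OADP or from the Velero AWS plugin), the following Python preflight performs the two checks that the plugin's error message above implies for customerKeyEncryptionFile: the file must exist at the configured path, and it must hold exactly 32 bytes (an AES-256 key). It then derives the request headers S3 expects for SSE-C with that key, which is what the plugin has to send for every object it writes or reads. The sample key and the temporary file paths are constructed for the demonstration; the header names are AWS's documented SSE-C headers.

```python
import base64
import hashlib
import os
import tempfile

# Constructed sample key: 32 arbitrary bytes standing in for the contents of the
# file that customerKeyEncryptionFile points at. Not a real key.
SAMPLE_KEY = bytes(range(32))


def load_customer_key(path):
    """Read the SSE-C key file and apply the checks the plugin's error implies.

    The file must exist (the issue's log shows the failure when it does not)
    and must contain exactly 32 bytes, i.e. one AES-256 key.
    """
    if not os.path.isfile(path):
        raise FileNotFoundError(
            f"provided customerKeyEncryptionFile does not exist: {path}")
    with open(path, "rb") as f:
        key = f.read()
    if len(key) != 32:
        raise ValueError(f"customer key must be exactly 32 bytes, got {len(key)}")
    return key


def sse_c_headers(key):
    """Derive the headers S3 requires on an SSE-C (AES256) request.

    The raw key is sent base64-encoded together with a base64 MD5 of the raw
    key so S3 can detect a corrupted key. S3 uses the key for this request
    only and does not store it, which is the property that makes SSE-C
    different from SSE-S3 for anyone who has only bucket access.
    """
    if len(key) != 32:
        raise ValueError("SSE-C with AES256 requires a 32-byte key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key":
            base64.b64encode(key).decode("ascii"),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def check_key_file(path):
    """Non-raising preflight: (ok, message), usable before applying the BSL."""
    try:
        load_customer_key(path)
    except (FileNotFoundError, ValueError) as exc:
        return False, str(exc)
    return True, "customer key file OK (32 bytes)"


def run_demo():
    """Exercise the preflight against a missing, a short and a valid key file.

    Returns a dict of the three outcomes so the behaviour can be asserted on.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed path mirroring the mount location used in the issue.
        path = os.path.join(tmp, "credentials", "customer-key")
        results["missing"] = check_key_file(path)        # file not there yet
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as f:
            f.write(SAMPLE_KEY[:31])                      # one byte short
        results["short"] = check_key_file(path)
        with open(path, "wb") as f:
            f.write(SAMPLE_KEY)                           # correct 32-byte key
        results["valid"] = check_key_file(path)
    return results


if __name__ == "__main__":
    for name, (ok, msg) in run_demo().items():
        print(f"{name:8s} ok={ok} {msg}")
    for header, value in sse_c_headers(SAMPLE_KEY).items():
        print(f"{header}: {value}")
```

Because S3 does not retain an SSE-C key, a principal with only bucket access cannot read SSE-C objects, unlike the default SSE-S3 case raised later in this thread; the operational consequence is that the mounted key file is now as critical as the backups themselves, so the Secret that carries it needs the same access controls and recovery planning as the bucket.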

@WafaAmr WafaAmr added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 27, 2022
@kaovilai (Member)

Thanks for filing the issue!
Tracked in https://issues.redhat.com/browse/OADP-889

@kaovilai (Member)

At least for internal image backup, this may be blocked by distribution/distribution#3745

@kaovilai (Member)

@WafaAmr is restic/restic#3612 (comment) a concern for you?
Affects restic backups.

@kaovilai (Member)

So if this gets implemented it would be scoped to just manifests most likely.

@kaovilai (Member)

Velero's restic, and the future kopia, use encryption that is independent of storage-provider-specific implementations.

@kaovilai kaovilai added the triage/needs-information Indicates an issue needs more information in order to work on it. label Oct 17, 2022
WafaAmr (Author) commented Oct 18, 2022

Hey @kaovilai, thank you for your detailed response.
I'm currently looking for a way to encrypt all backup data (internal images, manifests, and Restic backup data) stored in the remote storage object.
Yes, Restic uses encryption, but anyone who has access to the bucket can decrypt all Restic backup data (source).

WafaAmr (Author) commented Oct 18, 2022

I'm not sure if Kopia will encrypt everything (vmware-tanzu/velero#3218 (comment)). If it's the case, it would be much better than supporting vendor-specific implementations.

@kaovilai kaovilai removed the triage/needs-information Indicates an issue needs more information in order to work on it. label Oct 21, 2022
@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 20, 2023
@openshift-bot

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 19, 2023
@openshift-bot

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

@openshift-ci openshift-ci bot closed this as completed Mar 22, 2023
openshift-ci bot commented Mar 22, 2023

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kaovilai kaovilai reopened this Dec 12, 2023
@openshift-ci openshift-ci bot closed this as completed Jan 12, 2024
@kaovilai kaovilai reopened this Jan 12, 2024
@openshift-ci openshift-ci bot closed this as completed Feb 12, 2024
@kaovilai (Member)

/lifecycle frozen

@openshift-ci openshift-ci bot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels Feb 12, 2024
@weshayutin (Contributor)

SSE-C is working as documented in the aws plugin.
https://hackmd.io/nWTqKj4dRxiU3PCuAKtYuQ

@kaovilai (Member)

For anyone reading this: you need to trigger oadp's secret mounting per known issues in the hackmd above.

Future enhancements will be after vmware-tanzu/velero#7767 is solved.
