KMS Support - Nuxeo with Amazon S3 Server Side Encryption

I'm trying to get Nuxeo to store its binaries in S3 with Server-Side encryption.

I can't use AES-256 encryption. AWS KMS encryption is required. Does Nuxeo provide support for using KMS keys? I'm not finding any information about this at https://doc.nuxeo.com/nxdoc/amazon-s3-online-storage/. If anything, it sounds like Nuxeo only supports AES-256.

The bucket policy I have to accommodate is the following:

{
    "Version": "2012-10-17",
    "Id": "ServerSideEncryptionPolicy",
    "Statement": [
        {
            "Sid": "DenyPutWithoutKmsKey",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:PutObject",
            "Resource": "<REMOVED>",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms",
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "<REMOVED>"
                }
            }
        }
    ]
}

ANSWER



At the moment we only support AES-256 for server-side encryption (this is hardcoded in the code). I've created NXP-22949 to track this feature request. It's not currently been scheduled.

We'd welcome a pull request on our code if you want to speed this up though.
08/18/2017
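
Why an upload with the hardcoded AES-256 setting is rejected by the bucket policy in the question, shown as an added example (not Nuxeo or AWS code): a minimal Python evaluator for the statement's Condition block. The key ARN and request contexts are constructed placeholders, and the evaluator models only two IAM rules: keys under one operator are ANDed, and a negated operator matches when the key is absent.

```python
# Added example: minimal evaluator for the Deny statement's Condition block.
# The key ARN and all request contexts below are constructed placeholders.

KMS_KEY = "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"  # stands in for <REMOVED>

DENY_CONDITION = {
    "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY,
    }
}

def string_not_equals(request_ctx, key, expected):
    # Negated operators evaluate to true when the key is absent from the request.
    return request_ctx.get(key) != expected

def deny_applies(condition, request_ctx):
    # Multiple keys under one operator are ANDed: the Deny fires only if
    # every listed key fails to equal its expected value.
    tests = condition["StringNotEquals"]
    return all(string_not_equals(request_ctx, k, v) for k, v in tests.items())

def put_context(sse=None, kms_key_id=None):
    # Condition context derived from the PutObject encryption headers.
    ctx = {}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    if kms_key_id is not None:
        ctx["s3:x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return ctx

CASES = {
    "SSE-S3 (AES256)": put_context(sse="AES256"),
    "no encryption header": put_context(),
    "SSE-KMS, required key": put_context("aws:kms", KMS_KEY),
    "SSE-KMS, different key": put_context("aws:kms", "arn:aws:kms:REGION:ACCOUNT:key/OTHER"),
    "SSE-KMS, key id omitted": put_context("aws:kms"),
}

def evaluate_all():
    # Map each constructed request to True when the Deny statement matches it.
    return {name: deny_applies(DENY_CONDITION, ctx) for name, ctx in CASES.items()}

if __name__ == "__main__":
    for name, denied in evaluate_all().items():
        print(f"{'DENY ' if denied else 'allow'}  {name}")
```

The last two cases are not matched by this single statement, because both keys must mismatch for the Deny to fire. Putting each condition key in its own Deny statement makes each one enforced independently.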