remove SSE-S3 key rotation in CopyObject (#8278)

This commit removes the SSE-S3 key rotation functionality
from CopyObject since there will be a dedicated Admin-API
for this purpose.

Also update the security documentation to link to mc and
the admin documentation.
Andreas Auernhammer 5 years ago committed by kannappanr
parent 2e02e1889b
commit cb7d23cb17
  1. 25
      cmd/object-handlers.go
  2. 30
      docs/security/README.md

@ -707,6 +707,7 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrInvalidMetadataDirective), r.URL, guessIsBrowserReq(r))
return
}
// This request header needs to be set prior to setting ObjectOptions
if globalAutoEncryption && !crypto.SSEC.IsRequested(r.Header) {
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
@ -733,11 +734,8 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
}
cpSrcDstSame := isStringEqual(pathJoin(srcBucket, srcObject), pathJoin(dstBucket, dstObject))
// Deny if WORM is enabled. If operation is key rotation of SSE-S3 encrypted object
// allow the operation
if globalWORMEnabled && !(cpSrcDstSame && crypto.S3.IsRequested(r.Header)) {
if _, err = objectAPI.GetObjectInfo(ctx, dstBucket, dstObject, dstOpts); err == nil {
if globalWORMEnabled { // Deny if WORM is enabled.
if _, err := objectAPI.GetObjectInfo(ctx, dstBucket, dstObject, dstOpts); err == nil {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
return
}
@ -775,11 +773,6 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
return
}
// Deny if WORM is enabled, and it is not a SSE-S3 -> SSE-S3 key rotation or if metadata replacement is requested.
if globalWORMEnabled && cpSrcDstSame && (!crypto.S3.IsEncrypted(srcInfo.UserDefined) || isMetadataReplace(r.Header)) {
writeErrorResponse(ctx, w, errorCodes.ToAPIErr(ErrMethodNotAllowed), r.URL, guessIsBrowserReq(r))
return
}
// We have to copy metadata only if source and destination are same.
// this changes for encryption which can be observed below.
if cpSrcDstSame {
@ -866,13 +859,11 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
// - the object is encrypted using SSE-S3 and the SSE-S3 header is present
// than execute a key rotation.
var keyRotation bool
if cpSrcDstSame && ((sseCopyC && sseC) || (sseS3 && sseCopyS3)) {
if sseCopyC && sseC {
oldKey, err = ParseSSECopyCustomerRequest(r.Header, srcInfo.UserDefined)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
if cpSrcDstSame && (sseCopyC && sseC) {
oldKey, err = ParseSSECopyCustomerRequest(r.Header, srcInfo.UserDefined)
if err != nil {
writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
return
}
for k, v := range srcInfo.UserDefined {
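Review bot: The comment immediately above the rewritten condition is now stale: the visible lines "the object is encrypted using SSE-S3 and the SSE-S3 header is present / than execute a key rotation" describe exactly the branch this commit deletes, while `if cpSrcDstSame && (sseCopyC && sseC)` below handles SSE-C only. The start of that comment is cut off above the hunk, but the SSE-S3 bullet should be dropped and the trailing line corrected to `// then execute a key rotation.` so the prose matches the remaining SSE-C case. The inner parentheses in `cpSrcDstSame && (sseCopyC && sseC)` are redundant now that the SSE-S3 alternative is gone and can be removed. It is also worth stating in the commit message that a same-source/destination COPY carrying only the SSE-S3 header is no longer treated as a rotation but falls through to the ordinary copy path (under WORM it is now rejected by the unconditional existing-object check in the earlier hunk), since clients that relied on the old behaviour must move to the admin API. CopyObjectHandler starts and ends outside this hunk.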

@ -158,12 +158,11 @@ component that performs key sealing/unsealing operations to build a key hierarch
#### Key rotation - Basic Operation
The MinIO server supports key rotation for SSE-S3 encrypted objects. Therefore, an S3 client
must perform a S3 COPY operation where the copy source and destination are equal and the SSE-S3 HTTP
header is set. The minio server decrypts the OEK using the current encrypted data key and the
master key ID of the object metadata. If this succeeds, the server requests a new data key
from the KMS using the master key ID of the **current MinIO KMS configuration** and re-wraps the
*OEK* with a new *KEK* derived from the new data key / EK:
The MinIO server supports key rotation for SSE-S3 encrypted objects. The minio server decrypts
the OEK using the current encrypted data key and the master key ID of the object metadata. If
this succeeds, the server requests a new data key from the KMS using the master key ID of
the **current MinIO KMS configuration** and re-wraps the *OEK* with a new *KEK* derived from
the new data key / EK:
```
object metadata KMS
@ -203,21 +202,10 @@ from the KMS using the master key ID of the **current MinIO KMS configuration**
```
<center>Figure 3 - KMS data key rotation</center>
#### Key rotation - Extensions
The basic SSE-S3 key rotation operation can be used to build more powerful key management
operations. The following options are possible to perform manually but do not have fully
functional API's at this time.
1. **Master key migration**: The [SSE-S3 key rotation](#Key-rotation---Basic-Operation) can be performed
on multiple/all objects to move them from one to another master key.
2. **Secure object erasure**: The [SSE-S3 key rotation](#Key-rotation---Basic-Operation) can be applied
to one/multiple objects with a randomly generated master key which is
not stored at the KMS. That leads to an encrypted data key which can
never be decrypted anymore.
3. **Periodical key migration**: The [SSE-S3 key rotation](#Key-rotation---Basic-Operation) can be
invoked after a certain time period to migrate one or more objects
from one master key to another.
Only the root/admin user can perform an SSE-S3 key rotation using the Admin-API via [mc](https://github.com/minio/mc).
For more details about how to perform key management operations using the CLI refer to
[mc admin guide](https://github.com/minio/mc/blob/master/docs/minio-admin-complete-guide.md)
or run `mc admin kms key`.
#### Secure Erasure and Locking
