Server-side encryption using AWS' KMS

[hchood]

Hello!

Does Paperclip support server-side encryption using AWS' Key Management Service?

I was hoping it would be possible to set server_side_encryption: 'aws:kms' like so, as described in the aws-sdk docs:

  has_attached_file :discharge_papers,
                    s3_server_side_encryption: 'aws:kms',
                    ssekms_key_id: ENV['AWS_KMS_KEY_ID']

But I'm getting Aws::Errors::MissingCredentialsErrors despite my credentials being correct (and working without the server_side_encryption option set, or when set to aes256). Note that it also fails when set to aws:kms but without specifying an ssekms_key_id, which is necessary to use customer-generated encryption keys.

Looks like it may be possible based on this comment #1730 (comment) but nothing in the docs so far.

Thank you!

[hchood]

This is solved. The real issue was that aws-sdk was not importing my credentials from aws.yml (this is a Rails app). I'm not sure if this is because aws-sdk no longer supports setting creds in that file or just that I hadn't set the (now required) AWS region there.

Anyway, KMS encryption appears to work now.

However, word to the wise: passing :aes256 apparently no longer works with the aws-sdk v2 as described in the Paperclip docs. Instead you must pass "AES256". Happy to update if you'd like.

[yawnr]

@hchood Hey! Did you ever get this working with a KMS key id? Seems like my ssekms_key_id is just being ignored -- the encryption works with "AES256" or aws:kms but defaults to aws/s3 regardless of whether or not ssekms_key_id is passed.

config.paperclip_defaults = {
  :storage => :s3,
  :s3_credentials => {
    :bucket => ENV["s3_bucket"],
    :access_key_id => ENV["s3_key"],
    :secret_access_key => ENV["s3_secret"]
  },
  :s3_region => ENV["s3_region"],
  :s3_permissions => :private,
  :s3_server_side_encryption => "aws:kms",
  :ssekms_key_id => ENV["kms_key_id"]
}

I tried it on the model itself as well, but same result. Wish it threw an error or something more helpful.

Thanks!

[hchood]

@yawnr I did, yes! Of note, I'm using Paperclip v5.0 & aws-sdk v2.

# Gemfile
gem 'aws-sdk', '~> 2'
gem 'paperclip', '~> 5.0.0.beta1'

# application.rb
    config.paperclip_defaults = {
      storage: :s3,
      s3_credentials: {
        bucket: ENV.fetch('AWS_S3_BUCKET_NAME'),
        access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID'),
        secret_access_key: ENV.fetch('AWS_SECRET_KEY_ID'),
        s3_region: ENV.fetch('AWS_S3_REGION')
      },
      s3_permissions: :private,
      s3_protocol: :https
    }

# model.rb
  has_attached_file :my_file,
                    s3_server_side_encryption: 'aws:kms',
                    ssekms_key_id: ENV.fetch('AWS_KMS_KEY_ID')

Hope this helps!

[yawnr]

Thanks @hchood !

I actually couldn't get it working even with those settings -- looking at the encryption in s3, it would always have Server Side Encryption: Using AWS KMS master key: aws/s3 (default) regardless of if I passed ssekms_key_id or not.

After a bit of digging though, I found where Paperclip was actually parsing out the s3 headers:
https://github.com/thoughtbot/paperclip/blob/master/lib/paperclip/storage/s3.rb#L141

There's actually no mention of assigning @options[:ssekms_key_id] in there, and the line that I linked wouldn't include it in the headers either.

So, I ended up passing ssekms_key_id (the full ARN, in case anyone else has this issue) inside s3_headers, and voila! Finally success.

config.paperclip_defaults = {
  storage: :s3,
  s3_credentials: {
    bucket: ENV["s3_bucket"],
    access_key_id: ENV["s3_access_key_id"],
    secret_access_key: ENV["s3_secret_access_key"],
    s3_region: ENV["s3_region"],
  },
  s3_server_side_encryption: 'aws:kms',
  s3_headers: {
    ssekms_key_id: ENV['aws_kms_key_id']
  },
  s3_permissions: :private,
  s3_protocol: :https
}