[cinder] experiences with S3 cinder-backup driver // client-side encryption feature
Christian Rohmann
christian.rohmann at inovex.de
Thu Sep 1 12:35:55 UTC 2022

Hello openstack-discuss and cinder-backup users!

There is an S3 driver available for cinder-backup since the Wallaby
release already, see
https://docs.openstack.org/releasenotes/cinder/wallaby.html#relnotes-18-0-0-stable-wallaby-new-features.

1) I was wondering if anybody already used that on a somewhat larger
scale and what your experiences are about performance, stability and
compatibility?

2) What object storage implementation or external service were / are
you using?

3) While there are options like "backup_s3_sse_customer_algorithm" and
"backup_s3_sse_customer_key" to make use of server-side encryption (SSE),
there seems to be no way to encrypt the data before actually sending
it to the remote S3 (read: client-side encryption).

Since the boto3 Python SDK by AWS is used, which does not actually
implement CSE, like other language SDKs do (see my issue:
https://github.com/boto/boto3/issues/3395),
it seems obvious why that is not a totally low-hanging fruit. But
there are ways to add this, check out the references to e.g.
https://github.com/StephenSorriaux/s3-encryption
in the mentioned boto3 issue.

Encrypting data before sending it off to a potentially externally
operated service seems like a nice feature.
Even a single encryption key would then protect that data from having
to trust a 3rd party.
I know encrypted cinder volumes would also work, but they are not as
commonly used.

* Is CSE something that others would also like to see for the S3 driver?
* Cinder devs, would this maybe be worth a spec for the next cycle?

Regards

Christian
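
Added example, not part of the original message or of cinder's code: SSE with a customer-provided key, which the two options in point 3 configure, maps to three request headers defined by the S3 API, and this sketch builds them and shows what the receiving endpoint holds while handling an upload. The function names and the sample key and chunk are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

SSE_PREFIX = "x-amz-server-side-encryption-customer-"


def sse_c_headers(key: bytes) -> dict:
    """Client side: headers an S3 client attaches to each SSE-C request."""
    if len(key) != 32:
        raise ValueError("SSE-C with AES256 requires a 256-bit (32-byte) key")
    return {
        SSE_PREFIX + "algorithm": "AES256",
        SSE_PREFIX + "key": base64.b64encode(key).decode(),
        SSE_PREFIX + "key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def endpoint_view(headers: dict, body: bytes) -> dict:
    """Server side: what the storage operator holds while handling the PUT."""
    key = base64.b64decode(headers[SSE_PREFIX + "key"])
    md5 = base64.b64decode(headers[SSE_PREFIX + "key-MD5"])
    # The MD5 header is only a transmission integrity check on the key.
    if not hmac.compare_digest(hashlib.md5(key).digest(), md5):
        raise ValueError("key does not match key-MD5")
    return {"key": key, "plaintext": body}


def demo() -> bool:
    key = os.urandom(32)                      # constructed sample key
    chunk = b"constructed backup chunk data"  # constructed sample payload
    seen = endpoint_view(sse_c_headers(key), chunk)
    # Under SSE-C the endpoint sees both the key and the unencrypted chunk.
    return seen["key"] == key and seen["plaintext"] == chunk


if __name__ == "__main__":
    print("endpoint sees key and plaintext:", demo())
```

With client-side encryption the body passed to the endpoint would already be ciphertext and no key header would be sent, which is the difference the message is asking about.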