From e48f7118b073650ba1ec0322886b5c8c6af2fb24 Mon Sep 17 00:00:00 2001
From: SkepticalWaves
Date: Sun, 26 Sep 2021 13:48:29 -0400
Subject: [PATCH] Add Amazon AWS S3 SSE-C encryption to goofys configuration

---
 docs/configuring-playbook-s3.md | 14 ++++++++++++++
 roles/matrix-synapse/defaults/main.yml | 1 +
 .../goofys/systemd/matrix-goofys.service.j2 | 2 +-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/docs/configuring-playbook-s3.md b/docs/configuring-playbook-s3.md
index 9132ff718..e76826134 100644
--- a/docs/configuring-playbook-s3.md
+++ b/docs/configuring-playbook-s3.md
@@ -56,6 +56,20 @@ matrix_s3_media_store_custom_endpoint_enabled: true
 matrix_s3_media_store_custom_endpoint: "your-custom-endpoint"
 ```
 
+## Using AWS Server-Side-Encryption
+
+You can enable automatic server side encryption using a custom key (with AWS SSE-C) by generating and providing a key for goofys:
+
+Generate a base64 encoded key:
+```bash
+$ head -c 32 /dev/random | base64
+```
+
+And store the key in:
+```yaml
+matrix_s3_media_store_sse_key: "your-base64-encoded-key-here"
+```
+
 ### Backblaze B2
 
 To use [Backblaze B2](https://www.backblaze.com/b2/cloud-storage.html):
diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index 075e7dd0c..b6143c7c6 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -540,6 +540,7 @@ matrix_s3_media_store_aws_access_key: "your-aws-access-key"
 matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
 matrix_s3_media_store_region: "eu-central-1"
 matrix_s3_media_store_path: "{{ matrix_synapse_media_store_path }}"
+matrix_s3_media_store_sse_key: ""
 
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_synapse_self_check_validate_certificates: true
diff --git a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2 b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2
index df4a4f23a..db3ad8fff 100644
--- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2
+++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2
@@ -24,7 +24,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name %n \
 --env-file={{ matrix_synapse_config_dir_path }}/env-goofys \
 --entrypoint /bin/sh \
 {{ matrix_s3_goofys_docker_image }} \
- -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3'
+ -c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} {% if matrix_s3_media_store_sse_key %}--sse --sse-c {{ matrix_s3_media_store_sse_key }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3'
 
 TimeoutStartSec=5min
 ExecStop=-{{ matrix_host_command_docker }} stop %n
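Review bot: The new default `matrix_s3_media_store_sse_key: ""` in roles/matrix-synapse/defaults/main.yml carries no comment, although it is the one setting in this group whose semantics are not obvious from the name, and the file otherwise documents non-obvious settings with a `#` line above them (see `# Controls whether the self-check feature should validate SSL certificates.`). Suggest adding above it: `# Base64-encoded customer-provided key for AWS S3 SSE-C (see docs/configuring-playbook-s3.md). Leave empty to request no SSE-C encryption. AWS does not retain SSE-C keys, so losing this value makes media already uploaded with it unrecoverable; back it up with your other secrets.` The variable is only consumed when non-empty by the `{% if matrix_s3_media_store_sse_key %}` guard in matrix-goofys.service.j2, so the empty-string default is safe as written.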
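Review bot: The new `--sse-c {{ matrix_s3_media_store_sse_key }}` renders the customer encryption key directly into the goofys argument list inside the unit's `ExecStart=`, whereas the AWS access and secret keys on the same command are deliberately kept off the command line via `--env-file={{ matrix_synapse_config_dir_path }}/env-goofys`. A key embedded in `ExecStart=` is readable from the rendered unit file on disk, from `systemctl show` / `systemctl cat`, and from the host process list while the `docker run` command is executing. Because the entrypoint is `/bin/sh -c`, the key can get the same treatment as the credentials: add it to the env-goofys template under a name of your choosing (constructed example: `GOOFYS_SSE_KEY={{ matrix_s3_media_store_sse_key }}`) and reference it as `{% if matrix_s3_media_store_sse_key %}--sse --sse-c "$GOOFYS_SSE_KEY"{% endif %}`, so the value is expanded by the shell inside the container rather than written into the unit. The key still ends up in the container environment, but that matches how the AWS credentials are already handled here. The `ExecStart=` directive this hunk edits begins on the line shown as hunk context, outside the hunk.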