authorPepijn Van Eeckhoudt <pepijn@vaneeckhoudt.net>2019-01-09 16:39:20 +0000
committerJames Lopez <james@gitlab.com>2019-01-09 16:39:20 +0000
commit1b3ffdf250e2fc632765aef2d003d1ea29f66977 (patch)
tree9895345ba5aa38d04712fb44b37661174c809c26
parent00ac520e2025d79ce4c51650e6312ce043bfab1f (diff)
downloadgitlab-ce-1b3ffdf250e2fc632765aef2d003d1ea29f66977.tar.gz
Add SSE-C key configuration option for Amazon S3 remote backups
-rw-r--r--changelogs/unreleased/backup_aws_sse-c.yml5
-rw-r--r--config/gitlab.yml.example4
-rw-r--r--config/initializers/1_settings.rb1
-rw-r--r--doc/raketasks/backup_restore.md5
-rw-r--r--lib/backup/manager.rb1
-rw-r--r--spec/lib/backup/manager_spec.rb1
6 files changed, 17 insertions, 0 deletions
diff --git a/changelogs/unreleased/backup_aws_sse-c.yml b/changelogs/unreleased/backup_aws_sse-c.yml
new file mode 100644
index 00000000000..78b57d7efc3
--- /dev/null
+++ b/changelogs/unreleased/backup_aws_sse-c.yml
@@ -0,0 +1,5 @@
+title: Add support for customer provided encryption keys for Amazon S3 remote backups
+merge_request: 23797
+author: Pepijn Van Eeckhoudt
+type: added
+
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 7fe85f0e0d7..6fc33e8971e 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -635,6 +635,10 @@ production: &base
# multipart_chunk_size: 104857600
# # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
# # encryption: 'AES256'
+ # # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
+ # # This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
+ # # 'encryption' must also be set in order for this to have any effect.
+ # # encryption_key: '<base64 key>'
# # Specifies Amazon S3 storage class to use for backups, this is optional
# # storage_class: 'STANDARD'
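Review bot: The key-length requirement stated in the added `encryption_key` comment ("256-bit, base64-encoded") does not appear in the parallel text added to doc/raketasks/backup_restore.md, which only says "base64-encoded"; the two should agree so an operator reading only the rake-task doc does not supply a key of the wrong size. Adding the length to the doc line, `# This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.`, would align them. It would also help to state here, as the doc does, that the key may be supplied via the `GITLAB_BACKUP_ENCRYPTION_KEY` environment variable instead of being written into gitlab.yml.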
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index db35fa96ea2..1aed41e02ab 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -392,6 +392,7 @@ Settings.backup['archive_permissions'] ||= 0600
Settings.backup['upload'] ||= Settingslogic.new({ 'remote_directory' => nil, 'connection' => nil })
Settings.backup['upload']['multipart_chunk_size'] ||= 104857600
Settings.backup['upload']['encryption'] ||= nil
+Settings.backup['upload']['encryption_key'] ||= ENV['GITLAB_BACKUP_ENCRYPTION_KEY']
Settings.backup['upload']['storage_class'] ||= nil
#
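Review bot: The `||=` on the added line makes a value in gitlab.yml take precedence over `GITLAB_BACKUP_ENCRYPTION_KEY`, and since an empty string is truthy in Ruby an empty `encryption_key:` entry in the config file would also shadow the env var; the docs added in this commit present the env var as an equivalent alternative without stating that order. A comment on the line would make the intent explicit, e.g. `# Config-file value wins; the env var is a fallback so the SSE-C key need not be stored in gitlab.yml`. Note also that the raw key now sits in the Settings object alongside ordinary config, so anything that prints or serialises `Gitlab.config.backup` (debug output, error reports) would presumably include it — worth confirming nothing does.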
diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md
index 57bc71d2903..bb28ca35a26 100644
--- a/doc/raketasks/backup_restore.md
+++ b/doc/raketasks/backup_restore.md
@@ -311,6 +311,11 @@ For installations from source:
remote_directory: 'my.s3.bucket'
# Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
# encryption: 'AES256'
+ # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
+ # This should be set to the base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
+ # 'encryption' must also be set in order for this to have any effect.
+ # To avoid storing the key on disk, the key can also be specified via the `GITLAB_BACKUP_ENCRYPTION_KEY` environment variable.
+ # encryption_key: '<base64 key>'
# Specifies Amazon S3 storage class to use for backups, this is optional
# storage_class: 'STANDARD'
```
diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb
index 0add2b3f875..06b0338b1ed 100644
--- a/lib/backup/manager.rb
+++ b/lib/backup/manager.rb
@@ -50,6 +50,7 @@ module Backup
if directory.files.create(key: remote_target, body: File.open(tar_file), public: false,
multipart_chunk_size: Gitlab.config.backup.upload.multipart_chunk_size,
encryption: Gitlab.config.backup.upload.encryption,
+ encryption_key: Gitlab.config.backup.upload.encryption_key,
storage_class: Gitlab.config.backup.upload.storage_class)
progress.puts "done".color(:green)
else
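Review bot: The new `encryption_key:` argument is passed unconditionally, with no check that `encryption` is also set; the config comments added in this commit state the key has no effect without it, so a deployment that sets only the key would presumably get a backup protected by something other than the customer-provided key, without any indication in the output. Rather than rely on the storage library's handling of that pair, a warning before the create call, `progress.puts "encryption_key is set but encryption is not; key will be ignored" if Gitlab.config.backup.upload.encryption_key && !Gitlab.config.backup.upload.encryption`, would surface the misconfiguration where the operator is looking. The key itself is sent with each upload, so the call appears to rely on the connection being TLS; a comment near the call noting that SSE-C requires an HTTPS endpoint would document that assumption. The enclosing method begins and ends outside the hunk.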
diff --git a/spec/lib/backup/manager_spec.rb b/spec/lib/backup/manager_spec.rb
index 9633caac788..ae1c881e1f6 100644
--- a/spec/lib/backup/manager_spec.rb
+++ b/spec/lib/backup/manager_spec.rb
@@ -266,6 +266,7 @@ describe Backup::Manager do
remote_directory: 'directory',
multipart_chunk_size: 104857600,
encryption: nil,
+ encryption_key: nil,
storage_class: nil
}
)
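Review bot: The spec change only extends the expected-argument hash with `encryption_key: nil`, so nothing verifies that a configured key is actually forwarded to `files.create`; a regression that dropped the new argument from lib/backup/manager.rb would still pass this example. An additional example that stubs `backup.upload.encryption_key` with a non-nil value and expects `create` to receive that value would cover the path the commit adds. The describe block and the example this hash belongs to start outside the hunk.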