Add SSE-C key configuration option for Amazon S3 remote backups

2 files changed, 5 insertions, 0 deletions

diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 7fe85f0e0d7..6fc33e8971e 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -635,6 +635,10 @@ production: &base
     #   multipart_chunk_size: 104857600
     #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
     #   # encryption: 'AES256'
+    #   # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
+    #   #   This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data. 
+    #   #   'encryption' must also be set in order for this to have any effect. 
+    #   # encryption_key: '<base64 key>'
     #   # Specifies Amazon S3 storage class to use for backups, this is optional
     #   # storage_class: 'STANDARD'
 
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index db35fa96ea2..1aed41e02ab 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -392,6 +392,7 @@ Settings.backup['archive_permissions'] ||= 0600
 Settings.backup['upload'] ||= Settingslogic.new({ 'remote_directory' => nil, 'connection' => nil })
 Settings.backup['upload']['multipart_chunk_size'] ||= 104857600
 Settings.backup['upload']['encryption'] ||= nil
+Settings.backup['upload']['encryption_key'] ||= ENV['GITLAB_BACKUP_ENCRYPTION_KEY']
 Settings.backup['upload']['storage_class'] ||= nil
 
 #