forum/s3 server side encryption
git-annex http://git-annex.branchable.com/forum/s3_server_side_encryption/ git-annex ikiwiki 2015-01-05T21:19:37Z
comment 1 http://git-annex.branchable.com/forum/s3_server_side_encryption/comment_1_68345d01b016abf96c226d2bfa17c641/ joey 2015-01-05T20:41:19Z 2015-01-05T20:33:13Z
<p>I have not looked into this particular S3 feature, since I see little point
in using it. git-annex can encrypt files client-side before sending to S3,
which is much better.</p>
<p>However, you can probably configure git-annex to send the header.
See the <code>x-amz-meta-*</code> option documented in <a href="http://git-annex.branchable.com/special_remotes/S3/">S3</a>.
If the header was named encryptplz and needed to be set to
"canhazsecurityburger", you would enable it with something like:</p>
<pre><code>git annex enableremote mys3remote x-amz-meta-encryptplz=canhazsecurityburger
</code></pre>
comment 2 http://git-annex.branchable.com/forum/s3_server_side_encryption/comment_2_b2ccef6dc00d58e103ac0fda48ee94d3/ Pierre 2015-01-05T20:47:31Z 2015-01-05T20:47:31Z
<p>Thanks for your response. I'll try specifying the header as you are suggesting.</p>
<p>FYI, one reason for not handling encryption locally is to not have to manage encryption keys. If multiple people need to be able to decrypt the data, I would have to manage all their keys.</p>
comment 3 http://git-annex.branchable.com/forum/s3_server_side_encryption/comment_3_3eb57b98e4136b8550ea5d19393fe967/ joey 2015-01-05T21:11:19Z 2015-01-05T21:09:47Z
<p>Using git-annex's encryption=shared will have the same
key management ease as letting Amazon encrypt.</p>
<p>In both cases you're putting the shared encryption key into the
configuration of a git-annex S3 remote. Anyone who can access the git
repository can access the encryption key.</p>
comment 4 http://git-annex.branchable.com/forum/s3_server_side_encryption/comment_4_71d6c2356af8974cb848c3574cf3eb6d/ Pierre 2015-01-05T21:19:37Z 2015-01-05T21:19:37Z
Ok, thank you!