AWS S3 offers a feature to enable server-side encryption of files.
If I understand correctly, this is enabled by sending a specific HTTP header with the request to upload the file in question.
So, this header needs to be set every time we want to upload a new file.
Is this feature already supported / being considered for future versions?
If not, am I correct in assuming it would have to be implemented in https://github.com/joeyh/git-annex/blob/master/Remote/S3.hs ?
Thank you
I have not looked into this particular S3 feature, since I see little point in using it. git-annex can encrypt files client-side before sending to S3, which is much better.
However, you can probably configure git-annex to send the header. See the x-amx-meta-* option documented in S3. If the header was named encryptplz and needed to be set to "canhazsecurityburger", you would enable it with something like:
Thanks for your response. I'll try specifying the header as you are suggesting.
FYI, one reason for not handling encryption locally is to not have to manage encryption keys. If multiple people need to be able to decrypt the data, I would have to manage all their keys.
Using git-annex's encryption=shared will have the same key management ease as letting Amazon encrypt.
In both cases you're putting the shared encryption key into the configuration of a git-annex S3 remote. Anyone who can access the git repository can access the encryption key.