diff --git a/changelogs/unreleased/backup_aws_sse-c.yml b/changelogs/unreleased/backup_aws_sse-c.yml
new file mode 100644
index 00000000000..78b57d7efc3
--- /dev/null
+++ b/changelogs/unreleased/backup_aws_sse-c.yml
@@ -0,0 +1,5 @@
+title: Add support for customer provided encryption keys for Amazon S3 remote backups
+merge_request: 23797
+author: Pepijn Van Eeckhoudt
+type: added
+
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 7fe85f0e0d7..6fc33e8971e 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -635,6 +635,10 @@ production: &base
 # multipart_chunk_size: 104857600
 # # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
 # # encryption: 'AES256'
+ # # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
+ # # This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
+ # # 'encryption' must also be set in order for this to have any effect.
+ # # encryption_key: ''
 # # Specifies Amazon S3 storage class to use for backups, this is optional
 # # storage_class: 'STANDARD'
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index db35fa96ea2..1aed41e02ab 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -392,6 +392,7 @@ Settings.backup['archive_permissions'] ||= 0600
 Settings.backup['upload'] ||= Settingslogic.new({ 'remote_directory' => nil, 'connection' => nil })
 Settings.backup['upload']['multipart_chunk_size'] ||= 104857600
 Settings.backup['upload']['encryption'] ||= nil
+Settings.backup['upload']['encryption_key'] ||= ENV['GITLAB_BACKUP_ENCRYPTION_KEY']
 Settings.backup['upload']['storage_class'] ||= nil
 #
diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md
index 57bc71d2903..bb28ca35a26 100644
--- a/doc/raketasks/backup_restore.md
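Review bot: The new `encryption_key` comment block in `config/gitlab.yml.example` does not mention the `GITLAB_BACKUP_ENCRYPTION_KEY` environment variable that `config/initializers/1_settings.rb` reads in this same change, while `doc/raketasks/backup_restore.md` does; operators reading only the example config are steered toward writing SSE-C key material into a file on disk. Add the same sentence here, e.g. `#   # To avoid storing the key on disk, the key can also be specified via the GITLAB_BACKUP_ENCRYPTION_KEY environment variable.`, so the two descriptions agree.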
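Review bot: The `||=` on the added `encryption_key` line only falls through to `ENV['GITLAB_BACKUP_ENCRYPTION_KEY']` when the YAML value is nil or false, so an operator who uncomments the example's `encryption_key: ''` ends up with an empty string, which is truthy in Ruby, masks the environment variable and is then forwarded as the key. Treat an empty value as unset instead: `Settings.backup['upload']['encryption_key'] = ENV['GITLAB_BACKUP_ENCRYPTION_KEY'] if Settings.backup['upload']['encryption_key'].to_s.empty?`. Since this setting holds raw key material rather than a flag, a short comment such as `# SSE-C key material: keep out of logs and settings dumps` above it would help the next maintainer.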
+++ b/doc/raketasks/backup_restore.md
@@ -311,6 +311,11 @@ For installations from source:
 remote_directory: 'my.s3.bucket'
 # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
 # encryption: 'AES256'
+ # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
+ # This should be set to the base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
+ # 'encryption' must also be set in order for this to have any effect.
+ # To avoid storing the key on disk, the key can also be specified via the `GITLAB_BACKUP_ENCRYPTION_KEY` environment variable.
+ # encryption_key: ''
 # Specifies Amazon S3 storage class to use for backups, this is optional
 # storage_class: 'STANDARD'
 ```
diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb
index 0add2b3f875..06b0338b1ed 100644
--- a/lib/backup/manager.rb
+++ b/lib/backup/manager.rb
@@ -50,6 +50,7 @@ module Backup
 if directory.files.create(key: remote_target, body: File.open(tar_file), public: false,
 multipart_chunk_size: Gitlab.config.backup.upload.multipart_chunk_size,
 encryption: Gitlab.config.backup.upload.encryption,
+encryption_key: Gitlab.config.backup.upload.encryption_key,
 storage_class: Gitlab.config.backup.upload.storage_class)
 progress.puts "done".color(:green)
 else
diff --git a/spec/lib/backup/manager_spec.rb b/spec/lib/backup/manager_spec.rb
index 9633caac788..ae1c881e1f6 100644
--- a/spec/lib/backup/manager_spec.rb
+++ b/spec/lib/backup/manager_spec.rb
@@ -266,6 +266,7 @@ describe Backup::Manager do
 remote_directory: 'directory',
 multipart_chunk_size: 104857600,
 encryption: nil,
+encryption_key: nil,
 storage_class: nil
 }
 )
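Review bot: The added `encryption_key:` argument is forwarded to `directory.files.create` regardless of whether `encryption` is set, and the config comments introduced in this change state that the key has no effect without it, so a deployment that configures only the key uploads the backup unencrypted instead of failing. If a configured key is meant to imply SSE-C, reject the misconfiguration before the upload, e.g. `raise 'backup.upload.encryption must be set when encryption_key is configured' if Gitlab.config.backup.upload.encryption_key.present? && Gitlab.config.backup.upload.encryption.blank?`. The key now travels in the argument list of this call, so if the storage client's debug logging is enabled the request headers it derives from it may end up in logs; that is inferred from the library, not visible here, but worth checking. The enclosing method starts and ends outside the hunk.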
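Review bot: The only spec change is `encryption_key: nil` in the expected argument hash, so nothing exercises a configured key: there is no example asserting that a non-nil `encryption_key` from the upload settings reaches `files.create`, nor one covering the `GITLAB_BACKUP_ENCRYPTION_KEY` fallback added in `config/initializers/1_settings.rb`. Add an example that stubs the upload settings with a non-nil `encryption_key` and expects `files.create` to receive `encryption_key:` with that value, alongside the existing nil case. The enclosing example group starts and ends outside the hunk.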