Add OBJECTSTORE_S3_SSE_C_KEY environment variable to use S3 SSE-C encryption (server side encryption)

[jessebot]

Thanks to everyone who maintains this repo!

I recently learned I could pass in env vars for using S3 as the primary object store, but I was missing the encryption key.

This PR would add an environment variable called OBJECTSTORE_S3_SSE_C_KEY to the docs and if set, it will be used to provide the sse_c_key argument to the $CONFIG array in s3.config.php. If the user doesn't provide OBJECTSTORE_S3_SSE_C_KEY, we don't set ss3_c_key, because it has no default.

It's mentioned in the docs here:

Nextcloud supports server side encryption, also known as SSE-C, with compatible S3 bucket provider. The encryption and decryption happens on the S3 bucket side with a key provided by the Nextcloud server.

The key can be specified with the sse_c_key parameter which needs to be provided as a base64 encoded string with a maximum length of 32 bytes. A random key could be generated using the the following command:

openssl rand 32 | base64

[joshtrichards]

Hi @jessebot - Thanks for including the matching README update. :-)

This variable should get _FILE (Docker secrets) support too if we're going to do it. Feel up for adding it? Can be modeled after the others at the same spot in the code.

[jessebot]

Suggested change

	- `OBJECTSTORE_S3_SSE_C_KEY`: Server side encryption key - must be a base64 encoded string with a maximum length of 32 bytes
	- `OBJECTSTORE_S3_SSE_C_KEY`: _Optional_ Server side encryption key - must be a base64 encoded string with a maximum length of 32 bytes

We might want to include the word optional, so users know it is not required.

[pathob]

The existing wording in the README is (not set by default) - not _Optional_. Could you please add it to your PR?

[jessebot]

Hi @jessebot - Thanks for including the matching README update. :-)

This variable should get _FILE (Docker secrets) support too if we're going to do it. Feel up for adding it? Can be modeled after the others at the same spot in the code.

No problem :) I can take a look the docker secrets now

[jessebot]

@joshtrichards I've added the OBJECTSTORE_S3_SSE_C_KEY_FILE env var support as well. Let me know if I can help with anything else :)

[jessebot]

do these jobs normally pass? @joshtrichards They look like they're failing on not having the hostname set. I took a quick peak at the github action workflows for these and couldn't find where we set any sort of env vars. Happy to update them if you can point me in the right direction.

[jessebot]

please let me know if there's anything I can do to help more this forward.

[pathob]

Hi @jessebot , I'm not a maintainer here, but highly interested in this change, so I would like to help moving it forward. I've added two suggestions that might help get this merged. It would be great if you could make these two small adjustments. Thank you!

[pathob]

IMHO this block should go to the end of the file since OBJECTSTORE_S3_KEY_FILE and OBJECTSTORE_S3_SECRET_FILE have much more relevance than this.

[pathob]

The existing wording in the README is (not set by default) - not _Optional_. Could you please add it to your PR?

[pathob]

I've tried to run it... there is a third closing bracket ) missing at the end

[J0WI]

closing in favour of #2151

[jessebot]

Hi @jessebot , I'm not a maintainer here, but highly interested in this change, so I would like to help moving it forward. I've added two suggestions that might help get this merged. It would be great if you could make these two small adjustments. Thank you!

Sorry for missing this, but thank you for carrying the torch to the finish line! 🙏 Glad to see the feature implemented :)