Allow encryption method to be configurable #21
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
https://eaflood.atlassian.net/browse/RUBY-1156 We recently switched the encryption method we use on the gem from AES256 to AWS:KMS. From our testing there was no issues with this. However, after deploying this change to a live environment it has caused problems for 3rd parties trying to access our exported files. They use different AWS credentials to access the files, and these credentials we have found need access to the same KMS key against our credentials (and used for encryption) to decrypt the files. This has further implications that need consideration. So short term we need to revert back to AES256. Longer term we would like to switch back. So this change is about updating the gem to make the encryption method configurable.
Reset back to always using AES256. But update the tests to encompass our new option to use AWS:KMS
Updated the name of the property on the bucket to match the terminology used by AWS (see https://docs.aws.amazon.com/sdk-for-ruby/v2/api/Aws/S3/Types/Encryption.html#encryption_type-instance_method) Also updated the config property name to be clearer and simpler to use. Finally updated our logic around the arg to handle the value being set as either a string or a boolean. Previous version was just relying on something being there.
Doing this ahead of adding some for the encryption type. Made sense if I felt the need to cover encryption type we should also be covering region.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://eaflood.atlassian.net/browse/RUBY-1156
We recently switched the encryption method we use on the gem from AES256 to AWS:KMS. From our testing there was no issues with this. However, after deploying this change to a live environment it has caused problems for 3rd parties trying to access our exported files.
They use different AWS credentials to access the files, and these credentials we have found need access to the same KMS key against our credentials (and used for encryption) to decrypt the files.
This has further implications that need consideration. So short term we need to revert back to AES256. Longer term we would like to switch back.
So this change is about updating the gem to make the encryption method configurable.