bulkio: allow user to request S3 server-side encryption

[rolandcrosby]

S3 offers transparent server-side encryption, which is enabled by setting a combination of x-amz-server-side-encryption headers on the PutObject request. We should allow the user to pass string values for these options, likely as S3 URL parameters. For full support of server-side encryption, we'd need to allow the user to specify values for the following headers (all of which appear to be available in the PutObjectInput type in the S3 Go SDK):

• x-amz-server-side-encryption
• x-amz-server-side-encryption-aws-kms-key-id
• x-amz-server-side-encryption-context
• x-amz-server-side​-encryption​-customer-algorithm
• x-amz-server-side​-encryption​-customer-key
• x-amz-server-side​-encryption​-customer-key-MD5

[rolandcrosby]

S3 Default Encryption mostly makes this irrelevant. We will reopen if there is significant customer demand to pass custom options for this in the future.

[adityamaru]

Fleshing out some details here:
AWS supports two forms of SSE - AES256 and KMS

KMS requires:
x-amz-server-side-encryption set to aws:kms
x-amz-server-side-encryption-aws-kms-key-id set to the ID referencing the KMS CMK

AES 256 requires:
x-amz-server-side-encryption set to AES256 if the customer is okay with amazon managed encryption keys.

OR if the customer would like to specify a custom key and MD5 then:
x-amz-server-side​-encryption​-customer-algorithm must be set to AES256 along with
x-amz-server-side​-encryption​-customer-key, x-amz-server-side​-encryption​-customer-key-MD5.

No other customer algorithm is supported by AWS according to https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeysSSEUsingRESTAPI.html. The question boils down to what subset of these options would we like to support when writing to external storage? The decision on whether to use URI params or stringy WITH options can be based on the degree of flexibility we need.