New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmd: Add encrypt to enable enc/decrypt objects #2140
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2140 +/- ##
=========================================
- Coverage 8.9% 8.82% -0.09%
=========================================
Files 92 92
Lines 6870 7005 +135
=========================================
+ Hits 612 618 +6
- Misses 6126 6251 +125
- Partials 132 136 +4
Continue to review full report at Codecov.
|
Is this still a WIP @vadmeste ? |
I made more simple changes, this PR can be reviewed now. |
why is this needed? |
Keeping this waiting on @abperiasamy - its blocked to finalize the approach here. |
The size of an object in encrypted form is different from the original size. mc compares the size of the downloaded data (data are clear because minio-go decrypts the stream on the fly) and finds that the size of the downloaded stream is different to the size of the same object in the server (using client-fs.Stat() primitive) |
Any updates on this? Encrypt is a feature we're excited to leverage. |
@vadmeste after discussing with @abperiasamy - we decided that we don't need to do any config changes and it was simplified further. For the time being we will only support AES256 encryption on the client side which will also work with aes256-server when the server side implementation comes in. Only commands which require this change are listed below.
With this we can also support now FS to FS, FS to S3, S3 to FS decryption and encryption transparently. |
Unblocked this PR since we have finalized the approach. |
mc mirror with encryption capability is weird because sometimes the size of encrypted object size is different to the size of plain representation. I'll investigate more. |
Have seen stuff like this before, has to do with working on blocks of eg 32 or 64 byte size (depending on algorithm) whereby the final block is likely to be padded with zeros. (And so the encrypted stream may be a little longer). |
Yes. But you can't know the exact length of the plain data from the length of encrypted data (you can with the reverse way). Though as you said padding will make the size of the encrypted data little longer (the maximum is the original size + block size). I'll make the first step first then will see how to make this perfect. |
Closing this in favor of #2197 |
Fixes #2074