Unexpected behavior: is the encryption key being used correctly?

[bufadu]

Hi,

I am currently testing s3proxy. AWS S3 as the backend, and s3proxy is hosted on a K8S cluster.

During basic tests, I wrote some files, read them back, and then attempted to change the encryption key to ensure that I would no longer be able to access them. However, to my surprise, I could still read the encrypted files.

Since the S3PROXY_ENCRYPT_KEY environment variable is correctly set, I added some debug print() statements.

In the router.go file, I edited New() as follows:

func New(region, endpoint string, forwardMultipartReqs bool, log *logger.Logger) (Router, error) {
	result, err := config.GetEncryptKey()
	if err != nil {
		return Router{}, err
	}
	kekArray := generateKEKFromString(result)
	fmt.Printf("key SHA256: %x\n", kekArray) //<-- just added this line
	return Router{region: region, kek: kekArray, forwardMultipartReqs: forwardMultipartReqs, log: log}, nil
}

And in the Encrypt() and Decrypt() functions of the crypto.go file, I simply added:

fmt.Println("Encrypt kek:", kek[:])
// and
fmt.Println("Decrypt kek:", kek[:])

Here are the logs I obtained:

key SHA256: 46d6079c36a048081b8c03f53b3f86ede99b04e68f43c678458878e48f8c15f6
time="2025-03-18T14:36:03Z" level=info msg=listening ip=0.0.0.0 port=4433 region=
time="2025-03-18T14:36:03Z" level=warning msg="TLS is disabled"
time="2025-03-18T14:37:17Z" level=debug msg=intercepting host=s3proxy.default.svc method=PUT path=/xxxxxxxx-xxxxxxxx-eu-west-3-files/wks/enc/grrr
time="2025-03-18T14:37:17Z" level=debug msg=putObject bucket=xxxxxxxx-xxxxxxxx-eu-west-3-files key=wks/enc/grrr requestID=ac331332-ffc3-4cff-a5cb-52a3ef3779d9
Encrypt kek: [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]
time="2025-03-18T14:37:31Z" level=debug msg=forwarding host=s3proxy.default.svc method=HEAD path=/xxxxxxxx-xxxxxxxx-eu-west-3-files/wks/enc/grrr
time="2025-03-18T14:37:31Z" level=debug msg=intercepting host=s3proxy.default.svc method=GET path=/xxxxxxxx-xxxxxxxx-eu-west-3-files/wks/enc/grrr
time="2025-03-18T14:37:31Z" level=debug msg=getObject bucket=xxxxxxxx-xxxxxxxx-eu-west-3-files key=wks/enc/grrr requestID=ae919b62-a6c9-48f5-a27a-d2ce271dc25b
Decrypt kek: [0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]

The key passed to the Encrypt() and Decrypt() functions is empty! That explains why, when I change the value of S3PROXY_ENCRYPT_KEY, I can still access the files: no matter which key is set, the dek are encrypted with a null key..

What did I miss?

My understanding of Go is quite limited, but given that the object struct is instantiated in the handleGetObject() and handlePutObject() functions without setting the kek variable, it makes sense that it remains empty in Encrypt() and Decrypt(). Am I wrong?

Thanks in advance!

[quaternion7]

Indeed the KEK was not passed along too the handler methods in handler.go (called from router.go).
Even tho the object struct defined in object.go has the kek field, its not passed/set in the handler functions such as handleGetObject and handlePutObject.
So the object struct initializes the kek [32]bytes as just zeroes.

[slig2008]

I have created another fork here which does include a fix for the use of the KEK (thanks to @ynsta) and should now be working as expected.

I am happy to bring the code back into this very origin, however, I sense this kind of isn't maintained any more...