[Request] - support encrypt files before pushing to object store #911

@kquinsland

As best as I can tell, the only options for tuning encryption are 'passed through' to the underlying s3 (or compatible) API calls.

If it turns out that I'm wrong on that one, please let me know!

My question/request: allow use of symmetric encryption before the files leave the host and are sent off to the object store.

I think this could be as straightforward as passing in a key/cypher to the underlying archiver.

The motivation: not all object stores support "BYO" key for bucket encryption and even if they do, you're still required to hand the sensitive key material off to the remote backend so that it can encrypt things for you. One of the simplest ways to address this is to encrypt objects before they're ever off the host.
Symmetric encryption is sufficient for "at rest, I need to know that I truly am the only person that can read it" needs.
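What the request above amounts to, as an added example that is not code from the project or from the issue author: the archive is sealed on the host with AES-256-GCM before upload, so the object store only ever receives ciphertext and never the key. The function names, the `nonce || ciphertext || tag` layout and the use of the object name as associated data are assumptions of this example, and it seals the whole archive in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealArchive encrypts on the host; output is nonce || ciphertext || tag.
// The object name is authenticated too, so a blob served under another name fails.
func sealArchive(key, archive []byte, objectName string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, archive, []byte(objectName)), nil
}

// openArchive errors on a wrong key, a modified blob or a mismatched name.
func openArchive(key, blob []byte, objectName string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], []byte(objectName))
	}
	return nil, fmt.Errorf("blob shorter than nonce")
}

func main() {
	key := make([]byte, 32) // constructed sample key; in practice it stays on the host
	rand.Read(key)
	blob, _ := sealArchive(key, []byte("constructed tar bytes"), "backup.tar.gz")
	_, err := openArchive(key, blob, "other.tar.gz") // name mismatch is rejected
	fmt.Println(len(blob), err)
}
```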