Skip to content

feat(objectstore): Add AWS SSE-KMS encryption support for S3 storage #57623

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cuppett wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat(objectstore): Add AWS SSE-KMS encryption support for S3 storage #57623

cuppett wants to merge 1 commit into from
+489 −17

Conversation

@cuppett
Copy link
Contributor

@cuppett cuppett commented Jan 17, 2026
edited
Loading

Summary

Add support for Server-Side Encryption with AWS Key Management Service (SSE-KMS) for S3 object storage. This allows Nextcloud to encrypt data at rest in S3 using AWS-managed keys.

Key Features

  • New configuration options: sse_kms_enabled and sse_kms_key_id
  • Full SSE-KMS support: Both single-part and multipart uploads
  • Backward compatible: Existing SSE-C (customer-provided keys) continues to work
  • Priority handling: SSE-C takes precedence when both SSE-C and SSE-KMS are configured

Implementation Details

  • Added getServerSideEncryptionParameters() method to centralize encryption parameter logic for both SSE-C and SSE-KMS
  • Updated multipart uploads to use unified encryption parameters (fixes potential SSE-KMS multipart upload issues)
  • Added comprehensive PHPUnit test suite (S3SSEKMSTest.php) for SSE-KMS scenarios
  • Validated with real AWS KMS keys and S3 buckets

Configuration Example

'objectstore' => [
  'class' => 'OC\\Files\\ObjectStore\\S3',
  'arguments' => [
    'bucket' => 'my-bucket',
    'region' => 'us-east-1',
    'key' => 'ACCESS_KEY',
    'secret' => 'SECRET_KEY',
    // SSE-KMS Configuration
    'sse_kms_enabled' => true,
    'sse_kms_key_id' => 'arn:aws:kms:us-east-1:ACCOUNT:key/KEY-ID',
  ]
]

Testing

Manual Testing

Validated both SSE-KMS and SSE-C encryption with comprehensive file upload/download tests:

SSE-KMS Testing:

  • ✅ Small files (1KB, 1MB, 10MB) - single-part uploads
  • ✅ Large files (100MB, 500MB, 1GB) - multipart uploads
  • ✅ Verified `x-amz-server-side-encryption: aws:kms` headers on S3 objects
  • ✅ Verified `x-amz-server-side-encryption-aws-kms-key-id` contains correct KMS key ARN
  • ✅ All file integrity checks passed (md5sum matches)

SSE-C Backward Compatibility Testing:

  • ✅ Confirmed SSE-C still works after changes
  • ✅ Verified `SSECustomerAlgorithm: AES256` headers on SSE-C objects
  • ✅ Both single-part and multipart uploads work correctly
  • ✅ All file operations validated with checksum verification

PHPUnit Tests

  • ✅ All 16 existing S3 tests pass with SSE-C configuration
  • ✅ New `S3SSEKMSTest` class added with comprehensive SSE-KMS test coverage
  • ✅ Tests validate encryption parameter handling for both SSE-C and SSE-KMS

Files Changed

  • `lib/private/Files/ObjectStore/S3.php` - Added SSE-KMS configuration options
  • `lib/private/Files/ObjectStore/S3ConnectionTrait.php` - Implemented `getServerSideEncryptionParameters()`
  • `lib/private/Files/ObjectStore/S3ObjectTrait.php` - Updated multipart uploads to use unified encryption parameters
  • `apps/files_external/lib/Lib/Storage/AmazonS3.php` - Extended SSE-KMS support to external storage
  • `tests/lib/Files/ObjectStore/S3SSEKMSTest.php` - New comprehensive test suite

🤖 Generated with Claude Code

@cuppett cuppett requested a review from a team as a code owner January 17, 2026 13:25
@cuppett cuppett requested review from Altahrim, ArtificialOwl, icewind1991 and leftybournes and removed request for a team January 17, 2026 13:25
@cuppett @claude
feat(objectstore): Add AWS SSE-KMS encryption support for S3 storage
ef987d4 
Add support for Server-Side Encryption with AWS Key Management Service
(SSE-KMS) for S3 object storage. This allows Nextcloud to encrypt data
at rest in S3 using AWS-managed keys.

Key features:
- New config options: sse_kms_enabled and sse_kms_key_id
- Backward compatible with existing SSE-C (customer-provided keys)
- SSE-C takes precedence when both SSE-C and SSE-KMS are configured

Implementation details:
- Added getServerSideEncryptionParameters() method to centralize
  encryption parameter logic for both SSE-C and SSE-KMS
- Updated multipart uploads to use unified encryption parameters
- Added comprehensive PHPUnit tests for SSE-KMS scenarios
- Tested with AWS bucket and KMS keys in us-east-1 region

Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
Signed-off-by: Stephen Cuppett <steve@cuppett.com>
@cuppett cuppett force-pushed the feature/s3-kms-encryption branch from 0f7fb85 to ef987d4 Compare January 17, 2026 13:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl is a code owner automatically assigned from nextcloud/server-backend

@icewind1991 icewind1991 Awaiting requested review from icewind1991 icewind1991 is a code owner automatically assigned from nextcloud/server-backend

@Altahrim Altahrim Awaiting requested review from Altahrim Altahrim is a code owner automatically assigned from nextcloud/server-backend

@leftybournes leftybournes Awaiting requested review from leftybournes leftybournes is a code owner automatically assigned from nextcloud/server-backend

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cuppett