Author Topic: S3 encryption with CMOD  (Read 554 times)

Norbert Novotny

S3 encryption with CMOD
« on: August 28, 2023, 07:39:31 AM »
Hi guys,
Does anyone have any experience with CMOD connected to S3 and using SSE-C (S3 Server Side Encryption with Customer managed keys)?
Not sure if this is even possible, if so, please share some info on how to configure.

Thank you,
 N.
Norbert Novotny
Legal archiving - Swisscom AG

Mobile:  +41-On-request

Dev: #SQL, #Perl, #Java, #C

Interests: #CMOD, #Multiplatforms, #DB2, #Oracle, #TSM, #ERM, #Performance

Justin Derrick

  • IBM Content Manager OnDemand Consultant
Re: S3 encryption with CMOD
« Reply #1 on: August 28, 2023, 09:38:40 AM »
Hi Norbert.

If you configure CMOD for Native Encryption, you should have the encryption keys on your CMOD server.

If you want your communications encrypted as well, you just need the certificate chain for your S3 storage and to configure it in your s3.cfg file.

Unless I'm missing something, it should be straightforward.

-JD.
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

Norbert Novotny

Re: S3 encryption with CMOD
« Reply #2 on: August 28, 2023, 12:10:11 PM »
Thanks Justin,
All that is already in place, sure.
However, this is the encryption on the storage level S3. This is where the 123FAAA will get written to the S3 and should be encrypted by S3 server with your keys.
(as far as my understanding of the process goes)
So, unless there is a way of configuring it via an "undocumented" parameter in the config/s3.cfg file or by convoluting the bucket name entry (something like: my_key_file_path@bucket_name [I am just making it up :-) ]) then I would say it won't work.
Yet again, for me this is a steep learning curve, just started with encryption of S3.

Thx,
 N.

Justin Derrick

Re: S3 encryption with CMOD
« Reply #3 on: August 30, 2023, 01:30:23 AM »
If you're already using CMOD's Native encryption, there's no point in encrypting it a second time. It just adds overhead to all file operations...

If you're not using CMOD's Native Encryption...  You should!  It protects data from the moment it's loaded, and after that point, it shouldn't matter if it's accessible to the world as long as you can keep your encryption keys secret.  :D

Finally, if I understand you correctly, you're suggesting that you would provide the unencrypted documents, *and* the encryption key (which is also the decryption key!) to the S3 server for it to do the work?  That doesn't sound secure, since the key would leave your control on the CMOD server.

If you have any documentation or additional info on what you're trying to do, I'd love to read it.  The cloud is a very new and strange thing for those of us who have already been working in IT for nearly 30 years.  :D
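Added example (not posted by anyone in this thread, and not CMOD or IBM code): a Python sketch of what an S3 client has to send for SSE-C, to make the point in Reply #3 concrete. The three header names are S3's SSE-C request headers; the host name and the key are constructed, and the helper function names are made up for this illustration.

```python
import base64
import hashlib
import os
from urllib.parse import urlparse

PREFIX = "x-amz-server-side-encryption-customer-"

def sse_c_headers(key: bytes) -> dict:
    """Headers a client must attach to every SSE-C PUT and every later GET."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        PREFIX + "algorithm": "AES256",
        PREFIX + "key": base64.b64encode(key).decode(),
        PREFIX + "key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }

def build_put(url: str, key: bytes) -> dict:
    """Describe an SSE-C PUT; S3 rejects SSE-C requests sent over plain HTTP."""
    if urlparse(url).scheme != "https":
        raise ValueError("SSE-C requests must use HTTPS: the key is in the headers")
    return {"method": "PUT", "url": url, "headers": sse_c_headers(key)}

def key_seen_by_endpoint(request: dict) -> bytes:
    """What the receiving side can recover from the request alone."""
    headers = request["headers"]
    key = base64.b64decode(headers[PREFIX + "key"])
    # The MD5 header is only a transmission integrity check, not protection.
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    if headers[PREFIX + "key-MD5"] != expected:
        raise ValueError("key/MD5 mismatch")
    return key

if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key
    # Constructed URL; 123FAAA is the object name used in Reply #2.
    req = build_put("https://s3.example.invalid/bucket/123FAAA", key)
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
    print("endpoint recovers raw key:", key_seen_by_endpoint(req) == key)
```

The raw key travels base64-encoded in each request, so the client software itself has to build these headers for every object operation, and TLS to the S3 endpoint is the only thing protecting the key in transit.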