ActiveStorage & S3 Server-side Encryption

natevick

Nate Vick

Posted on March 26, 2020

Originally posted on Hint's blog.

TIL, it is possible to use S3 server-side encryption and ActiveStorage.

This commit to Rails in 2017 added the ability, but it did not include documentation or an example of how to use the upload_options feature. Below is a vanilla S3 service config for ActiveStorage.

amazon:
  service: S3
  access_key_id: ACCESS_KEY_ID
  secret_access_key: SECRET_ACCESS_KEY
  region: us-east-1
  bucket: BUCKET

Here is an S3 service config using the upload option:

amazon:
  service: S3
  access_key_id: ACCESS_KEY_ID
  secret_access_key: SECRET_ACCESS_KEY
  region: us-east-1
  bucket: BUCKET
  upload: 
    server_side_encryption: 'aws:kms' # 'AES256'

The upload hash is passed to Aws::S3::Client#put_object(params = {}). One of the configuration options for put_object is :server_side_encryption (String). For more options, check out the Ruby SDK docs.
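One way to check a config/storage.yml for S3 services that would still upload without this setting, as an added example that is not from the original post or from Rails. The function name, the ERB placeholder handling and the sample config are assumptions constructed for illustration.

```ruby
require "yaml"

# The two values for :server_side_encryption shown in the post.
ALLOWED_SSE = ["aws:kms", "AES256"].freeze

# Returns { service_name => problem } for every S3 service in a
# storage.yml document that has no usable upload.server_side_encryption.
def unencrypted_s3_services(yaml_text)
  # storage.yml usually contains ERB (credentials lookups). Replace the tags
  # with a placeholder instead of executing them, so the audit runs no code.
  text = yaml_text.gsub(/<%.*?%>/m, "ERB")
  config = YAML.safe_load(text, aliases: true) || {}
  config.each_with_object({}) do |(name, settings), problems|
    next unless settings.is_a?(Hash) && settings["service"].to_s == "S3"
    upload = settings["upload"]
    sse = upload.is_a?(Hash) ? upload["server_side_encryption"] : nil
    if sse.nil?
      problems[name] = "no upload.server_side_encryption"
    elsif !ALLOWED_SSE.include?(sse)
      problems[name] = "unexpected value #{sse.inspect}"
    end
  end
end

# Constructed sample storage.yml (not from a real application).
SAMPLE = <<~YAML
  local:
    service: Disk
    root: storage
  plain:
    service: S3
    access_key_id: <%= ENV["AWS_ACCESS_KEY_ID"] %>
    bucket: BUCKET
  encrypted:
    service: S3
    bucket: BUCKET
    upload:
      server_side_encryption: 'aws:kms'
  typo:
    service: S3
    bucket: BUCKET
    upload:
      server_side_encryption: aes256
YAML

p unencrypted_s3_services(SAMPLE)
```

A check like this fits in CI, so a newly added S3 service without the upload block fails the build.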

💡 If you are using KMS keys, the bucket user will need the following permissions in its policy:

"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:DescribeKey",
"kms:ReEncryptFrom"

To help other Rails devs, here is a PR to Rails to add the above example to the official guides.

Have a great day!
