How To Set Up Server Side Encryption For AWS KMS
ObjectiveFS provides client-side encryption, which encrypts the data on your server before it is sent to the object store. The data stays encrypted in transit and at rest. The client-side encryption is always enabled.
For business and enterprise users, ObjectiveFS also supports server-side encryption on AWS using Amazon S3-managed encryption keys (SSE-S3) and AWS KMS-managed encryption keys (SSE-KMS). Server-side encryption is applied by S3 on top of the client-side encryption described above; the object store still never sees plaintext. This guide describes how to set up ObjectiveFS to run with AWS KMS.
What You Need
- ObjectiveFS installed
- Your AWS KMS key ARN (not needed if using SSE-KMS with the default S3 key)
- Your ObjectiveFS environment directory set up (e.g. /etc/objectivefs.env) (see the configuration step in the User Guide)
Steps
- Install stunnel
$ yum install stunnel
- Edit /etc/stunnel/stunnel.conf and add the following 4 lines (for the list of S3 endpoints, see the AWS S3 endpoint list; use the endpoint of the region your bucket is in):
[s3]
client=yes
accept=localhost:<port> ## e.g. localhost:8086
connect=<endpoint>:443 ## e.g. s3-us-west-1.amazonaws.com:443
ObjectiveFS will talk plain HTTP to the local port and stunnel wraps that connection in TLS to S3. This matters because S3 rejects SSE-KMS requests that are not made over TLS. Note that stunnel does not verify the server certificate by default, so for a production setup also add verifyChain = yes, CAfile = <path to your CA bundle> and checkHost = <endpoint> (stunnel 5.x option names) to the [s3] section, so that a tampered or redirected tunnel is detected rather than silently accepted.
- Run stunnel on your command line (or using your init tools)
$ stunnel
- In /etc/objectivefs.env, create a file named AWS_SERVER_SIDE_ENCRYPTION with one of the following contents:
  aws:kms (if using the default KMS key; the value must be exactly aws:kms with a colon, which is the value S3 expects in the x-amz-server-side-encryption header)
$ cat /etc/objectivefs.env/AWS_SERVER_SIDE_ENCRYPTION
aws:kms
  <your KMS key ARN> (if using a specific KMS key, e.g. arn:aws:kms:12345/6789)
$ cat /etc/objectivefs.env/AWS_SERVER_SIDE_ENCRYPTION
arn:aws:kms:12345/6789
- In /etc/objectivefs.env, create a file named http_proxy with content http://localhost:<port>, where <port> is the port stunnel accepts on (e.g. http://localhost:8086)
- Create a filesystem (one-time only) and mount the filesystem as usual
$ sudo mount.objectivefs create mybucket
$ sudo mount.objectivefs mybucket /ofs
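The steps above are easy to get subtly wrong (a stray "aws.kms", an http_proxy port that does not match the stunnel accept port, certificate verification left off). The script below is an added example, not ObjectiveFS's own tooling: it writes the stunnel section and the two environment files as described above and then checks that they agree with each other before anything is mounted. The directory and file paths it takes are parameters so it can be tried in a scratch directory; the verifyChain/CAfile/checkHost lines assume stunnel 5.x option names. It does not start stunnel or mount a filesystem.

```shell
#!/bin/sh
# Added example (not ObjectiveFS's or stunnel's own code): generate and
# sanity-check the stunnel + ObjectiveFS SSE-KMS configuration described above.

# write_stunnel_conf <conf_path> <local_port> <s3_endpoint> <ca_bundle>
# Writes the [s3] section. Certificate verification is enabled explicitly,
# since stunnel does not verify the server by default (stunnel 5.x option names).
write_stunnel_conf() {
  conf=$1; port=$2; endpoint=$3; cafile=$4
  cat > "$conf" <<EOF
[s3]
client = yes
accept = localhost:$port
connect = $endpoint:443
# verify the S3 endpoint certificate so a tampered tunnel is detected
verifyChain = yes
CAfile = $cafile
checkHost = $endpoint
EOF
}

# write_ofs_env <env_dir> <local_port> <sse_value>
# Creates AWS_SERVER_SIDE_ENCRYPTION and http_proxy in the env directory.
# The directory also holds AWS credentials, so it is made owner-only.
write_ofs_env() {
  dir=$1; port=$2; sse=$3
  mkdir -p "$dir"
  chmod 700 "$dir"
  printf '%s\n' "$sse" > "$dir/AWS_SERVER_SIDE_ENCRYPTION"
  printf 'http://localhost:%s\n' "$port" > "$dir/http_proxy"
}

# valid_sse_value <value>
# Returns 0 only for "aws:kms" (default key) or a KMS key ARN.
# Catches the common "aws.kms" typo, which S3 would reject.
valid_sse_value() {
  case $1 in
    aws:kms)        return 0 ;;
    arn:aws:kms:*)  return 0 ;;
    *)              return 1 ;;
  esac
}

# check_setup <env_dir> <stunnel_conf>
# Verifies: SSE value is valid, http_proxy port equals the stunnel accept
# port, stunnel connects to TCP 443, and certificate verification is on.
check_setup() {
  dir=$1; conf=$2
  sse=$(cat "$dir/AWS_SERVER_SIDE_ENCRYPTION") || return 1
  valid_sse_value "$sse" || { echo "bad SSE value: $sse" >&2; return 1; }
  proxy=$(cat "$dir/http_proxy") || return 1
  proxy_port=${proxy##*:}
  accept_port=$(sed -n 's/^accept *= *localhost:\([0-9]*\).*/\1/p' "$conf")
  [ -n "$accept_port" ] && [ "$proxy_port" = "$accept_port" ] ||
    { echo "http_proxy port '$proxy_port' != stunnel accept port '$accept_port'" >&2; return 1; }
  grep -q '^connect *= *.*:443$' "$conf" ||
    { echo "stunnel must connect to the S3 endpoint on port 443" >&2; return 1; }
  grep -q '^verifyChain *= *yes' "$conf" ||
    { echo "server certificate verification is not enabled" >&2; return 1; }
  return 0
}

# demo: run the whole flow in a scratch directory (paths are hypothetical).
demo() {
  tmp=$(mktemp -d)
  write_stunnel_conf "$tmp/stunnel.conf" 8086 s3-us-west-1.amazonaws.com /etc/pki/tls/certs/ca-bundle.crt
  write_ofs_env "$tmp/objectivefs.env" 8086 aws:kms
  check_setup "$tmp/objectivefs.env" "$tmp/stunnel.conf" && echo "configuration is consistent"
  rm -rf "$tmp"
}
```

To use it against the real paths, call write_stunnel_conf with /etc/stunnel/stunnel.conf and write_ofs_env with /etc/objectivefs.env (or just run check_setup on files you wrote by hand), then start stunnel and mount as in the last step. The check only looks at the local configuration; whether the chosen KMS key is usable by the instance's IAM identity is only confirmed by the first successful mount.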
Reference
- Server Side Encryption section in the User Guide
by ObjectiveFS staff, January 6, 2016
ObjectiveFS is a shared file system for OS X and Linux that automatically scales and gives you scalable cloud storage. If you have questions or article idea suggestions, please email us at
Contact us here