Paperclip S3 encryption rails

Mine is more of a question than a code problem, I have been trying to read about this for a while and I have not found an answer. My question is if amazon S3 automatically encrypts the data when it is uploaded to it or do we have to encrypt the data before we up load to S3. If we have to encrypt the data before we upload it can anyone recommend what gem to use and how.

Answers


It is not my experience that all files uploaded to S3 are encrypted by default.

Certainly this is not the case with Paperclip 3.3.1, as the S3 web console shows 'Server Side Encryption: None' for a document uploaded by this version with default attachment options.

However, Paperclip does support adding the x-amz-server-side-encryption header to the upload request via the s3_server_side_encryption option.

has_attached_file :file, s3_permissions: :private,
                         s3_server_side_encryption: :aes256

Should result in the desired behavior, but it doesn't. The following works, by manually setting this header, until pull request 1398 is merged, making the above work as expected.

has_attached_file :file, s3_permissions: :private,
                         s3_headers: { "x-amz-server-side-encryption" => "AES256" }

I confirmed that this 2nd configuration results in 'Server Side Encryption: AES-256' being indicated in the web console. Also confirmed using the fork referenced in the pull request and the first code snippet.

I added a wiki page for this, as documentation was lacking.

Paperclip Wiki Document on Encryption AWS SSE Doc Originating Paperclip Issue


All S3 content is encrypted by default. As additional security measurement you can encrypt it on your own. You can use for example this : https://github.com/tcnijmeijer/aws-s3-cse for client side encryption.

Here is Amazon S3 documentation mentioning client-side encryption : http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html


Need Your Help

SBCL - Package lock all Quicklisp libraries as they are loaded?

package lisp common-lisp sbcl quicklisp

Can I automatically package-lock libraries as they are loaded by Quicklisp? I want every package locked. Can I do this?