Sign Up Free Log In
Why OFS? Features Pricing Docs FAQ

How To Set Up Server Side Encryption For AWS KMS

For ObjectiveFS release 7.0 and newer, please refer to this guide.

ObjectiveFS provides client-side encryption, which encrypts the data on your server before it is sent to the object store. The data stays encrypted in transit and at rest. The client-side encryption is always enabled.

For enterprise users, ObjectiveFS also supports server-side encryption on AWS using Amazon S3-managed encryption keys (SSE-S3) and AWS KMS-managed encryption keys (SSE-KMS). This guide describes how to set up ObjectiveFS to run with AMS KMS.

What You Need

Steps

  1. Install stunnel
$ yum install stunnel
  1. Edit /etc/stunnel/stunnel.conf with the following 4 lines:
[s3]
client=yes
accept=localhost:<port>   ## e.g. localhost:8086
connect=<endpoint>:443    ## e.g. s3.us-west-1.amazonaws.com:443

For list of endpoints, see here

  1. Run stunnel on your command line (or using your init tools)
$ stunnel
  1. In /etc/objectivefs.env, create a file named AWS_SERVER_SIDE_ENCRYPTION with content as:
    • aws:kms (if using the default KMS key)
$ cat /etc/objectivefs.env/AWS_SERVER_SIDE_ENCRYPTION
  aws:kms

* `<your kms key>` (if using a specific KMS key, e.g. `arn:aws:kms:12345/6789`)

$ cat /etc/objectivefs.env/AWS_SERVER_SIDE_ENCRYPTION
  arn:aws:kms:12345/6789

  1. In /etc/objectivefs.env, create a file named http_proxy with content as http://localhost:<port> (e.g. http://localhost:8086)

  2. Create a filesystem (one-time only) and mount the filesystem as usual

$ sudo mount.objectivefs create mybucket
$ sudo mount.objectivefs mybucket /ofs

Reference

by ObjectiveFS staff, September 18, 2022
ObjectiveFS is a shared file system for OS X and Linux that automatically scales and gives you scalable cloud storage. If you have questions or article idea suggestions, please email us at support@objectivefs.com

How To Mount an Instance Store on EC2 for Disk Cache

How To Restrict S3 Bucket Policy to Only One S3 Bucket