ActiveStorage & S3 Server-side Encryption

Nate Vick

Originally posted on Hint's blog.

TIL: it is possible to use S3 server-side encryption with ActiveStorage.

This commit to Rails in 2017 added the ability, but it did not include documentation or an example of how to use the upload_options feature. Below is a vanilla S3 service config for ActiveStorage.

amazon:
  service: S3
  access_key_id: ACCESS_KEY_ID
  secret_access_key: SECRET_ACCESS_KEY
  region: us-east-1
  bucket: BUCKET

Here is an S3 service config using the upload option:

amazon:
  service: S3
  access_key_id: ACCESS_KEY_ID
  secret_access_key: SECRET_ACCESS_KEY
  region: us-east-1
  bucket: BUCKET
  upload:
    server_side_encryption: 'aws:kms' # or 'AES256' for S3-managed keys

The upload hash is passed to Aws::S3::Client#put_object(params = {}). One of the configuration options for put_object is :server_side_encryption (String). For more options, check out the Ruby SDK docs.
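Because a missing or misspelled upload entry is easy to overlook in review, a check like the following can run in CI against config/storage.yml. It is an added example, not code from the original post or from Rails; the function name sse_findings, the constructed sample file and the allow-list (limited to the two values shown above) are assumptions.

```ruby
require "yaml"

# The two values the post shows for upload.server_side_encryption.
ALLOWED_SSE = ["aws:kms", "AES256"].freeze

# Constructed sample storage.yml (placeholder values, as in the post).
SAMPLE_STORAGE_YML = <<~YML
  local:
    service: Disk
    root: storage
  amazon:
    service: S3
    region: us-east-1
    bucket: BUCKET
  amazon_encrypted:
    service: S3
    region: us-east-1
    bucket: BUCKET
    upload:
      server_side_encryption: 'aws:kms'
  amazon_typo:
    service: S3
    region: us-east-1
    bucket: BUCKET
    upload:
      server_side_encryption: 'aws-kms'
YML

# Returns { service_name => problem } for each S3 service whose uploads would
# not request one of the allowed encryption modes. ERB tags are not rendered
# here; Rails renders them before parsing the real file.
def sse_findings(storage_yml, allowed: ALLOWED_SSE)
  config = YAML.safe_load(storage_yml)
  return {} unless config.is_a?(Hash)
  config.each_with_object({}) do |(name, service), findings|
    next unless service.is_a?(Hash) && service["service"] == "S3"
    upload = service["upload"]
    sse = upload.is_a?(Hash) ? upload["server_side_encryption"] : nil
    if sse.nil?
      findings[name] = "no upload.server_side_encryption set"
    elsif !allowed.include?(sse)
      findings[name] = "unexpected server_side_encryption #{sse.inspect}"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  sse_findings(SAMPLE_STORAGE_YML).each { |name, problem| puts "#{name}: #{problem}" }
end
```

Non-S3 services such as Disk are skipped, and the value comparison is case-sensitive.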

💡 If you are using KMS keys, the bucket user's policy will need to allow the following KMS actions:

"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:DescribeKey",
"kms:ReEncryptFrom"

To help other Rails devs, here is a PR to Rails to add the above example to the official guides.

Have a great day!

Discussion

Kyle Boe

+1 for the PR to Rails!

Benjamin Wood

Nice, your documentation PR was merged!