
feat(objectstore): Add AWS SSE-KMS encryption support for S3 storage #57623

Open
cuppett wants to merge 1 commit into nextcloud:master from cuppett:feature/s3-kms-encryption


@cuppett cuppett commented Jan 17, 2026

Summary

Add support for Server-Side Encryption with AWS Key Management Service (SSE-KMS) for S3 object storage. This allows Nextcloud to encrypt data at rest in S3 using AWS-managed keys.

Key Features

  • New configuration options: sse_kms_enabled and sse_kms_key_id
  • Full SSE-KMS support: Both single-part and multipart uploads
  • Backward compatible: Existing SSE-C (customer-provided keys) continues to work
  • Priority handling: SSE-C takes precedence when both SSE-C and SSE-KMS are configured

Implementation Details

  • Added getServerSideEncryptionParameters() method to centralize encryption parameter logic for both SSE-C and SSE-KMS
  • Updated multipart uploads to use unified encryption parameters (fixes potential SSE-KMS multipart upload issues)
  • Added comprehensive PHPUnit test suite (S3SSEKMSTest.php) for SSE-KMS scenarios
  • Validated with real AWS KMS keys and S3 buckets

Configuration Example

'objectstore' => [
  'class' => 'OC\\Files\\ObjectStore\\S3',
  'arguments' => [
    'bucket' => 'my-bucket',
    'region' => 'us-east-1',
    'key' => 'ACCESS_KEY',
    'secret' => 'SECRET_KEY',
    // SSE-KMS Configuration
    'sse_kms_enabled' => true,
    'sse_kms_key_id' => 'arn:aws:kms:us-east-1:ACCOUNT:key/KEY-ID',
  ]
]

Testing

Manual Testing

Validated both SSE-KMS and SSE-C encryption with comprehensive file upload/download tests:

SSE-KMS Testing:

  • ✅ Small files (1KB, 1MB, 10MB) - single-part uploads
  • ✅ Large files (100MB, 500MB, 1GB) - multipart uploads
  • ✅ Verified `x-amz-server-side-encryption: aws:kms` headers on S3 objects
  • ✅ Verified `x-amz-server-side-encryption-aws-kms-key-id` contains correct KMS key ARN
  • ✅ All file integrity checks passed (md5sum matches)

SSE-C Backward Compatibility Testing:

  • ✅ Confirmed SSE-C still works after changes
  • ✅ Verified `SSECustomerAlgorithm: AES256` headers on SSE-C objects
  • ✅ Both single-part and multipart uploads work correctly
  • ✅ All file operations validated with checksum verification

PHPUnit Tests

  • ✅ All 16 existing S3 tests pass with SSE-C configuration
  • ✅ New `S3SSEKMSTest` class added with comprehensive SSE-KMS test coverage
  • ✅ Tests validate encryption parameter handling for both SSE-C and SSE-KMS

Files Changed

  • `lib/private/Files/ObjectStore/S3.php` - Added SSE-KMS configuration options
  • `lib/private/Files/ObjectStore/S3ConnectionTrait.php` - Implemented `getServerSideEncryptionParameters()`
  • `lib/private/Files/ObjectStore/S3ObjectTrait.php` - Updated multipart uploads to use unified encryption parameters
  • `apps/files_external/lib/Lib/Storage/AmazonS3.php` - Extended SSE-KMS support to external storage
  • `tests/lib/Files/ObjectStore/S3SSEKMSTest.php` - New comprehensive test suite

🤖 Generated with Claude Code
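
The header checks listed under Testing can be automated. As an added example (not code from this pull request or from Nextcloud), the following audits HeadObject metadata for SSE-KMS with the expected key; field names are those of the boto3 `head_object` response, and the ARNs and object names are constructed placeholders.

```python
# Added example: audit S3 HeadObject metadata for SSE-KMS with the expected key.
# Real input would come from boto3.client("s3").head_object(Bucket=..., Key=...);
# the responses below are constructed so the check runs offline.

EXPECTED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"       # placeholder

def classify_sse(head: dict) -> str:
    """Return the encryption mode implied by a HeadObject response."""
    if head.get("SSECustomerAlgorithm"):
        return "sse-c"        # only visible when the customer key was supplied
    mode = head.get("ServerSideEncryption")
    if mode == "aws:kms":
        return "sse-kms"
    if mode == "AES256":
        return "sse-s3"       # S3-managed keys, not the tenant's KMS key
    return "none" if mode is None else "other"

def key_matches(actual, expected: str) -> bool:
    """S3 reports the key as a full ARN; accept an expected ARN or bare key ID."""
    if not actual:
        return False
    if expected.startswith("arn:"):
        return actual == expected
    return actual.endswith(":key/" + expected)

def audit(objects: dict, expected_key: str) -> list:
    """objects maps object name -> HeadObject response; returns (name, problem)."""
    findings = []
    for name, head in sorted(objects.items()):
        mode = classify_sse(head)
        if mode != "sse-kms":
            findings.append((name, f"mode is {mode}, expected sse-kms"))
        elif not key_matches(head.get("SSEKMSKeyId"), expected_key):
            findings.append((name, "sse-kms with unexpected key"))
    return findings

SAMPLE = {  # constructed HeadObject responses
    "tenant-a/obj-1": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": EXPECTED_KEY},
    "tenant-a/obj-2": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": OTHER_KEY},
    "tenant-a/obj-3": {"ServerSideEncryption": "AES256"},
    "tenant-a/obj-4": {"SSECustomerAlgorithm": "AES256"},
    "tenant-a/obj-5": {},
}

if __name__ == "__main__":
    for name, problem in audit(SAMPLE, EXPECTED_KEY):
        print(f"{name}: {problem}")
```
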

@cuppett cuppett requested a review from a team as a code owner January 17, 2026 13:25
@cuppett cuppett requested review from Altahrim, ArtificialOwl, icewind1991 and leftybournes and removed request for a team January 17, 2026 13:25
@cuppett cuppett force-pushed the feature/s3-kms-encryption branch from 0f7fb85 to ef987d4 Compare January 17, 2026 13:27
@cuppett cuppett force-pushed the feature/s3-kms-encryption branch 2 times, most recently from 4e657a9 to f734731 Compare January 23, 2026 22:06

github-actions bot commented Feb 1, 2026

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

Add support for Server-Side Encryption with AWS Key Management Service
(SSE-KMS) for S3 object storage. This allows Nextcloud to encrypt data
at rest in S3 using AWS-managed keys.

Key features:
- New config options: sse_kms_enabled and sse_kms_key_id
- Backward compatible with existing SSE-C (customer-provided keys)
- SSE-C takes precedence when both SSE-C and SSE-KMS are configured

Implementation details:
- Added getServerSideEncryptionParameters() method to centralize
  encryption parameter logic for both SSE-C and SSE-KMS
- Updated multipart uploads to use unified encryption parameters
- Added comprehensive PHPUnit tests for SSE-KMS scenarios
- Tested with AWS bucket and KMS keys in us-east-1 region

Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
Signed-off-by: Stephen Cuppett <steve@cuppett.com>
@cuppett cuppett force-pushed the feature/s3-kms-encryption branch from 2f60d61 to fe1c9c5 Compare February 7, 2026 09:26

cuppett commented Feb 7, 2026

@icewind1991 Can this be reviewed or merged? This allows Nextcloud to drive which KMS key is used for server-side encryption (within S3). An AWS S3 bucket can be configured with a default key and mandatory encryption; however, this allows multiple Nextcloud instances/tenants (potentially under different IAM users/roles) to share the same bucket with different prefixes and logical isolation with permission to different keys.


cuppett commented Feb 7, 2026

Also note: while functionality is preserved here, AWS will remove SSE-C on April 6, 2026. We can do a separate PR to remove this (in some version) and then the existing logic can be refactored out:

https://aws.amazon.com/blogs/storage/advanced-notice-amazon-s3-to-disable-the-use-of-sse-c-encryption-by-default-for-all-new-buckets-and-select-existing-buckets-in-april-2026/
