Originally posted on Hint's blog.
TIL, it is possible to use S3 server-side encryption and ActiveStorage.
This commit to Rails in 2017 adds the ability but did not add documentation or an example of how to use the upload_options feature. Below is a vanilla S3 service config for ActiveStorage.
amazon:
service: S3
access_key_id: ACCESS_KEY_ID
secret_access_key: SECRET_ACCESS_KEY
region: us-east-1
bucket: BUCKET
Here is a S3 service config using upload:
amazon:
service: S3
access_key_id: ACCESS_KEY_ID
secret_access_key: SECRET_ACCESS_KEY
region: us-east-1
bucket: BUCKET
upload:
server_side_encryption: 'aws:kms' # 'AES256'
The upload hash is passed to Aws::S3::Client#put_object(params = {}). One of the configuration options for put_object is :server_side_encryption (String). For more options checkout the Ruby SDK docs.
💡If you are using KMS keys, the bucket user will need the following policies:
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:DescribeKey",
"kms:ReEncryptFrom"
To help other Rails devs, here is a PR to Rails to add the above example to the official guides.
Have a great day!
Top comments (2)
+1 for the PR to Rails!
Nice, your documentation PR was merged!