mirror of
https://github.com/minio/minio.git
synced 2026-02-04 18:00:15 -05:00
replace SSE-C key derivation scheme (#5168)
This change replaces the current SSE-C key derivation scheme. The 'old' scheme derives a unique object encryption key from the client provided key. This key derivation was not invertible. That means that a client cannot change its key without changing the object encryption key. AWS S3 allows users to update their SSE-C keys by executing an SSE-C COPY with source == destination. AWS probably updates just the metadata (which is a very cheap operation). The old key derivation scheme would require a complete copy of the object because the minio server would not be able to derive the same object encryption key from a different client provided key (without breaking the crypto. hash function). This change makes the key derivation invertible.
This commit is contained in:
committed by
Dee Koder
parent
16ecaac4fc
commit
a79a7e570c
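The property the commit message describes, as an added Go example that is not MinIO's code: a random object key is sealed under the client's SSE-C key and kept as metadata, so changing the client key only re-seals that metadata and leaves the object ciphertext untouched. AES-256-GCM is an assumed stand-in for the sealing algorithm, and `gcm`, `seal`, `unseal` and `rotate` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm returns AES-256-GCM keyed with a 32-byte SSE-C client key (assumed stand-in cipher).
func gcm(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: key is always 32 bytes
	aead, _ := cipher.NewGCM(block)   // cannot fail: AES block size is 16
	return aead
}

// seal encrypts the random object key; the result is what gets stored as metadata.
func seal(objectKey []byte, clientKey [32]byte) ([]byte, error) {
	aead := gcm(clientKey)
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return aead.Seal(iv, iv, objectKey, nil), nil // layout: iv || ciphertext || tag
}

// unseal recovers the object key; a wrong client key fails GCM authentication.
func unseal(sealed []byte, clientKey [32]byte) ([]byte, error) {
	aead := gcm(clientKey)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed key too short: %d bytes", len(sealed))
}

// rotate re-seals under newKey: the object key, and so the object data, is unchanged.
func rotate(sealed []byte, oldKey, newKey [32]byte) ([]byte, error) {
	objectKey, err := unseal(sealed, oldKey)
	if err != nil {
		return nil, err
	}
	return seal(objectKey, newKey)
}

func main() {
	oldKey, newKey := [32]byte{1}, [32]byte{2} // constructed sample client keys
	sealed, _ := seal(make([]byte, 32), oldKey)
	rotated, err := rotate(sealed, oldKey, newKey)
	fmt.Println(len(rotated), err)
}
```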
@@ -157,11 +157,11 @@ var containsReservedMetadataTests = []struct {
|
||||
shouldFail: true,
|
||||
},
|
||||
{
|
||||
header: http.Header{ServerSideEncryptionKDF: []string{SSEKeyDerivationHmacSha256}},
|
||||
header: http.Header{ServerSideEncryptionSealAlgorithm: []string{SSESealAlgorithmDareSha256}},
|
||||
shouldFail: true,
|
||||
},
|
||||
{
|
||||
header: http.Header{ServerSideEncryptionKeyMAC: []string{"mac"}},
|
||||
header: http.Header{ServerSideEncryptionSealedKey: []string{"mac"}},
|
||||
shouldFail: true,
|
||||
},
|
||||
{
|
||||
|
||||
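Review bot: In the third case of containsReservedMetadataTests, the ServerSideEncryptionSealedKey header still carries the value "mac", left over from the ServerSideEncryptionKeyMAC case it is paired with; a value such as "sealed-key" would stop the table suggesting that the field holds a MAC. The ServerSideEncryptionKDF and ServerSideEncryptionKeyMAC cases also appear to be swapped out rather than kept next to the new ones, so if objects written under the old scheme can still carry those metadata keys, keep both old cases so the reserved-metadata check stays covered for them.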