Nate Vick for Hint

ActiveStorage & S3 Server-side Encryption

Originally posted on Hint's blog.

TIL it is possible to use S3 server-side encryption with ActiveStorage.

This commit to Rails in 2017 added the ability, but it did not add documentation or an example of how to use the `upload_options` feature. Below is a vanilla S3 service config for ActiveStorage.

```yaml
amazon:
  service: S3
  access_key_id: ACCESS_KEY_ID
  secret_access_key: SECRET_ACCESS_KEY
  region: us-east-1
  bucket: BUCKET
```

Here is an S3 service config using `upload`:

```yaml
amazon:
  service: S3
  access_key_id: ACCESS_KEY_ID
  secret_access_key: SECRET_ACCESS_KEY
  region: us-east-1
  bucket: BUCKET
  upload:
    server_side_encryption: 'aws:kms' # 'AES256'
```

The `upload` hash is passed to `Aws::S3::Client#put_object(params = {})`. One of the configuration options for `put_object` is `:server_side_encryption` (String). For more options, check out the Ruby SDK docs.
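Because a service that omits the `upload` key still uploads without requesting encryption, a check over the config file is useful in CI. The following is an added example, not code from the original post or from Rails: the `audit_sse` helper and the sample YAML are constructed for illustration, and the sample is assumed to be plain YAML (a real `config/storage.yml` containing ERB would need rendering first).

```ruby
require "yaml"

# Values for put_object's :server_side_encryption that this page names.
ALLOWED_SSE = ["aws:kms", "AES256"].freeze

# Constructed sample storage.yml (not from a real app): one S3 service with
# SSE, one without it, one with a mistyped value, and one non-S3 service.
SAMPLE_STORAGE_YML = <<~YAML
  local:
    service: Disk
    root: storage
  amazon:
    service: S3
    region: us-east-1
    bucket: BUCKET
    upload:
      server_side_encryption: 'aws:kms'
  amazon_plain:
    service: S3
    region: us-east-1
    bucket: BUCKET
  amazon_typo:
    service: S3
    region: us-east-1
    bucket: BUCKET
    upload:
      server_side_encryption: 'aws-kms'
YAML

# Hypothetical helper: returns { service_name => problem } for every S3
# service whose upload options would not request server-side encryption.
def audit_sse(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  config.each_with_object({}) do |(name, settings), findings|
    next unless settings.is_a?(Hash) && settings["service"].to_s == "S3"
    upload = settings["upload"]
    sse = upload.is_a?(Hash) ? upload["server_side_encryption"] : nil
    if sse.nil?
      findings[name] = "upload.server_side_encryption is not set"
    elsif !ALLOWED_SSE.include?(sse)
      findings[name] = "unexpected server_side_encryption value #{sse.inspect}"
    end
  end
end

# Report findings for the constructed sample.
audit_sse(SAMPLE_STORAGE_YML).each { |name, problem| puts "#{name}: #{problem}" }
```

A `server_side_encryption` key placed at the top level of a service instead of under `upload:` is reported as not set, since only the `upload` hash reaches `put_object`.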

💡 If you are using KMS keys, the bucket user's IAM policy will need to allow the following actions:

```
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:DescribeKey",
"kms:ReEncryptFrom"
```

To help other Rails devs, here is a PR to Rails to add the above example to the official guides.

Have a great day!

Top comments (2)

Kyle Boe

+1 for the PR to Rails!

Benjamin Wood

Nice, your documentation PR was merged!