add support for server side s3 managed encryption

Author: izolight

README.md

@@ -85,7 +85,8 @@ Possible JSON properties:
 - `unprotected_metrics`: optional, disable HTTP basic auth protection for Prometheus metrics endpoint
 - `s3.service_label`: optional, defines which service label backman will look for to find the S3-compatible object storage
 - `s3.bucket_name`: optional, bucket to use on S3 storage, backman will use service-instance/binding-name if not configured
-- `s3.encryption_key`: optional, defines the key which will be used to encrypt and decrypt backups as they are stored on the S3 can also be passed as an environment variable with the name `BACKMAN_ENCRYPTION_KEY`
+- `s3.encryption_key`: optional, defines the key which will be used to encrypt and decrypt backups as they are stored on the S3 can also be passed as an environment variable with the name `BACKMAN_ENCRYPTION_KEY`. This is done at the client-side
+- `s3.server_side_encryption`: optional, use s3 managed server side encryption (only possible value for now is "S3")
 - `services.<service-instance>.schedule`: optional, defines cron schedule for running backups
 - `services.<service-instance>.timeout`: optional, backman will abort a running backup/restore if timeout is exceeded
 - `services.<service-instance>.retention.days`: optional, specifies how long backman will keep backups on S3 at maximum for this service instance

config/config.go

@@ -3,6 +3,7 @@ package config
 import (
 	"encoding/json"
 	"errors"
+	"github.com/minio/minio-go/v6/pkg/encrypt"
 	"io/ioutil"
 	"log"
 	"os"
@@ -34,6 +35,7 @@ type S3Config struct {
 	ServiceName   string `json:"service_name"`
 	BucketName    string `json:"bucket_name"`
 	EncryptionKey string `json:"encryption_key"`
+	ServerSideEncryption string `json:"server_side_encryption"`
 }
 
 type ServiceConfig struct {
@@ -143,6 +145,12 @@ func Get() *Config {
 			if len(envConfig.S3.EncryptionKey) > 0 {
 				config.S3.EncryptionKey = envConfig.S3.EncryptionKey
 			}
+			if len(envConfig.S3.ServerSideEncryption) > 0 {
+				if envConfig.S3.ServerSideEncryption != encrypt.S3 {
+					log.Fatalln("only S3 mananged encryption(SSE-S3) is supported for now")
+				}
+				config.S3.ServerSideEncryption = envConfig.S3.ServerSideEncryption
+			}
 			for serviceName, serviceConfig := range envConfig.Services {
 				mergedServiceConfig := config.Services[serviceName]
 				if len(serviceConfig.Schedule) > 0 {
@@ -192,4 +200,4 @@ func Get() *Config {
 		}
 	})
 	return &config
-}
+}

s3/objects.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/md5"
 	"encoding/hex"
+	"github.com/minio/minio-go/v6/pkg/encrypt"
 	"io"
 	"io/ioutil"
 	"sort"
@@ -57,7 +58,12 @@ func (s *Client) UploadWithContext(ctx context.Context, object string, reader io
 		}
 	}
 
-	n, err := s.Client.PutObjectWithContext(ctx, s.BucketName, object, uploadReader, size, minio.PutObjectOptions{ContentType: "application/gzip"})
+	putOptions := minio.PutObjectOptions{ContentType: "application/gzip"}
+	if len(config.Get().S3.ServerSideEncryption) != 0 {
+		putOptions.ServerSideEncryption = encrypt.NewSSE()
+	}
+
+	n, err := s.Client.PutObjectWithContext(ctx, s.BucketName, object, uploadReader, size, putOptions)
 	if err != nil {
 		return err
 	}
@@ -80,6 +86,10 @@ func (s *Client) Download(object string) (io.Reader, error) {
 
 func (s *Client) DownloadWithContext(ctx context.Context, object string) (io.ReadCloser, error) {
 	log.Debugf("download S3 object [%s]", object)
+	getOptions := minio.GetObjectOptions{}
+	if len(config.Get().S3.ServerSideEncryption) != 0 {
+		getOptions.ServerSideEncryption = encrypt.NewSSE()
+	}
 	reader, err := s.Client.GetObjectWithContext(ctx, s.BucketName, object, minio.GetObjectOptions{})
 	if err != nil {
 		return nil, err