Details
- Improvement
- Status: Open
- Major
- Resolution: Unresolved
Description
The S3 repository module does not currently allow for client-side encryption of backup data before sending it to S3 (or decrypting after receiving the information).
The AWS S3 SDK makes it very easy to enable client-side encryption. You have the option of using:
- An AWS KMS key to encrypt/decrypt the data
- A custom root key provided to Solr, not specific to AWS
I think enabling both of these options would be great, and really the only things necessary to do are:
- Add the config options so that users can specify clientSideEncryption options via their solr.xml
- Change the AWS client to be an AmazonS3EncryptionClient, and then all operations using the client will automatically be encrypted/decrypted.
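
A sketch of the client swap proposed above, as an added example that is not Solr code and not part of the issue: the class name is hypothetical, and the `kmsKeyId` and `rootKeyBase64` parameters stand in for solr.xml options that do not exist yet. It uses the AWS SDK for Java v1 `AmazonS3EncryptionClientV2Builder`, the successor to the now-deprecated `AmazonS3EncryptionClient` named in the issue.

```java
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3EncryptionClientV2Builder;
import com.amazonaws.services.s3.model.CryptoConfigurationV2;
import com.amazonaws.services.s3.model.CryptoMode;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.EncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;
import java.util.Base64;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper (not Solr code): builds an encrypting S3 client from two assumed settings. */
public final class EncryptingS3ClientFactory {
  // kmsKeyId (KMS key id or ARN) and rootKeyBase64 (base64 AES-256 key) are assumed options.
  public static AmazonS3 build(String region, String kmsKeyId, String rootKeyBase64) {
    boolean useKms = kmsKeyId != null && !kmsKeyId.isEmpty();
    boolean useRootKey = rootKeyBase64 != null && !rootKeyBase64.isEmpty();
    if (useKms == useRootKey) {
      // Refuse missing or ambiguous key material instead of falling back to a plaintext client.
      throw new IllegalArgumentException("Configure exactly one of kmsKeyId or rootKey");
    }
    AmazonS3EncryptionClientV2Builder builder = AmazonS3EncryptionClientV2Builder.standard()
        .withRegion(region)
        // Allow authenticated encryption only.
        .withCryptoConfiguration(
            new CryptoConfigurationV2().withCryptoMode(CryptoMode.StrictAuthenticatedEncryption));
    EncryptionMaterialsProvider materials;
    if (useKms) {
      // Option 1: per-object data keys are generated and wrapped by AWS KMS.
      materials = new KMSEncryptionMaterialsProvider(kmsKeyId);
      builder.withKmsClient(AWSKMSClientBuilder.standard().withRegion(region).build());
    } else {
      // Option 2: a root key supplied to Solr wraps the per-object data keys locally.
      byte[] key = Base64.getDecoder().decode(rootKeyBase64);
      if (key.length != 32) {
        throw new IllegalArgumentException("Root key must be 32 bytes (AES-256)");
      }
      materials = new StaticEncryptionMaterialsProvider(
          new EncryptionMaterials(new SecretKeySpec(key, "AES")));
    }
    // The returned client encrypts on putObject and decrypts on getObject.
    return builder.withEncryptionMaterialsProvider(materials).build();
  }
}
```

With the root-key option, losing the key makes every backup encrypted under it unrecoverable, so the key needs its own backup and access controls separate from the S3 bucket.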