ActiveStorage & S3 Server-side Encryption

Nate Vick - March 26, 2020

TIL, it is possible to use S3 server-side encryption and ActiveStorage.

This commit to Rails in 2017 adds the ability but did not add documentation or an example of how to use the upload_options feature. Below is a vanilla S3 service config for ActiveStorage.

amazon:
  service: S3
  access_key_id: ACCESS_KEY_ID
  secret_access_key: SECRET_ACCESS_KEY
  region: us-east-1
  bucket: BUCKET

Here is a S3 service config using upload:

amazon:
  service: S3
  access_key_id: ACCESS_KEY_ID
  secret_access_key: SECRET_ACCESS_KEY
  region: us-east-1
  bucket: BUCKET
  upload: 
    server_side_encryption: 'aws:kms' # 'AES256'

The upload hash is passed to Aws::S3::Client#put_object(params = {}). One of the configuration options for put_object is :server_side_encryption (String). For more options checkout the Ruby SDK docs.

💡If you are using KMS keys, the bucket user will need the following policies:

"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:ReEncryptTo",
"kms:DescribeKey",
"kms:ReEncryptFrom"

To help other Rails devs, here is a PR to Rails to add the above example to the official guides.

Have a great day!

Nate Vick

Nate is partner and COO at Hint. He keeps the wheels turning, so to speak. In his free time he enjoys spending time with his wife and kids, hiking, and exploring new technology.

  
  
  

Ready to Get Started?

LET'S CONNECT