S3 Encryption With Porticor
Your Porticor appliance can encrypt data being stored to Amazon's Simple Storage Service (S3). Porticor is the only system available that offers the convenience of cloud-based hosted key management without sacrificing trust by requiring someone else to manage the keys. Porticor’s split-key encryption technology protects keys and guarantees they remain under customer control and are never exposed in storage; and with homomorphic key encryption, the keys are protected – even while they are in use.
A variety of applications use S3 to store bulk data, and we support two different ways of enabling Porticor encryption with them.
- The first and recommended alternative is to configure the application so that data is written to and read from the
- Where this is not an option, you can instead configure host-to-IP mapping so that the application writing to s3.amazonaws.com actually writes to the appliance, which encrypts and forwards the data to S3.
These are two ways to set up your environment, but the end result is the same: your data is encrypted when written to S3 and decrypted when read from it, with no need to change the client application.
What follows are detailed instructions for both configuration
Alternative 1: Explicit Configuration
This alternative depends on the individual application. In fact, some S3 clients are hardwired to the Amazon server addresses and cannot be configured; for these clients you must use Alternative 2.
A current limitation is that Alternative 1 can only be used for S3 Buckets in the US Standard region.
In this alternative you configure the S3 client to connect to a special DNS address for each of your buckets and for the main S3 endpoint. These DNS addresses are installed automatically when you add your S3 "buckets" into the table on the S3 Encryption page. All buckets that are to be encrypted must be listed. If your bucket is mylittlebucket, it will be mapped to the DNS
The specific client configuration depends on the particular client. Two examples follow.

For s3cmd, edit the file $HOME/.s3cfg and replace the host_base and host_bucket lines as below, where the long host_base value is your appliance's address.

```ini
# old:
# host_base = s3.amazonaws.com
# host_bucket = %(bucket)s.s3.amazonaws.com
# new:
host_base = itbetb19zy3-pzjy3yty2zw.d.porticor.net
host_bucket = %(bucket)s.d.porticor.net
```
For s3ql, edit the file $HOME/.s3ql/authinfo2 and add a new section as below:

```ini
[porticor]
storage-url: s3c://itbetb19zy3-pzjy3yty2zw.d.porticor.net/bucket-name/
backend-login: aws-key-id
backend-password: aws-secret-key
```
To create the file system and mount it, run the following, using the same s3c:// storage URL that you placed in authinfo2:

```shell
mkfs.s3ql --plain --ssl s3c://itbetb19zy3-pzjy3yty2zw.d.porticor.net/bucket-name/
mount.s3ql --ssl s3c://itbetb19zy3-pzjy3yty2zw.d.porticor.net/bucket-name/ /mnt/cloud-drive
```
Note the use of the "s3c" URL method. Both the --ssl and --plain flags are
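The s3cmd change above is a two-line edit, but it is also the point where a misconfigured client silently bypasses the appliance and writes plaintext to Amazon. The following added example (not Porticor's code or s3cmd's own tooling) rewrites a constructed .s3cfg the way the text describes and then checks that host_base, host_bucket and HTTPS are set as expected. The appliance host name is the placeholder from this page; the sample access and secret keys are constructed.

```python
import configparser
import io

# Constructed sample of an s3cmd configuration as it looks before the change.
# The appliance host name is the placeholder used on this page, not a live address.
APPLIANCE_HOST = "itbetb19zy3-pzjy3yty2zw.d.porticor.net"
PORTICOR_BUCKET_DOMAIN = "d.porticor.net"

SAMPLE_S3CFG = """[default]
access_key = AKIAEXAMPLEKEYID
secret_key = example-secret-key
host_base = s3.amazonaws.com
host_bucket = %(bucket)s.s3.amazonaws.com
use_https = True
"""


def _load(text):
    # %(bucket)s is an s3cmd template, not a configparser interpolation,
    # so interpolation must be disabled or the read would fail.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def rewrite_s3cfg(text, appliance_host=APPLIANCE_HOST, domain=PORTICOR_BUCKET_DOMAIN):
    """Return the config text with host_base and host_bucket pointed at the appliance."""
    cp = _load(text)
    section = cp["default"]
    section["host_base"] = appliance_host
    section["host_bucket"] = "%(bucket)s." + domain
    # All traffic to the appliance is SSL-protected; keep the client on HTTPS.
    section["use_https"] = "True"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def check_s3cfg(text, appliance_host=APPLIANCE_HOST, domain=PORTICOR_BUCKET_DOMAIN):
    """Return a list of findings; an empty list means s3cmd talks to the appliance over HTTPS."""
    section = _load(text)["default"]
    findings = []
    expected_bucket = "%(bucket)s." + domain
    if section.get("host_base") != appliance_host:
        findings.append(f"host_base is {section.get('host_base')!r}, expected {appliance_host!r}")
    if section.get("host_bucket") != expected_bucket:
        findings.append(f"host_bucket is {section.get('host_bucket')!r}, expected {expected_bucket!r}")
    if section.get("use_https", "False").lower() != "true":
        findings.append("use_https is off: data would leave the client unencrypted on its way to the appliance")
    return findings


if __name__ == "__main__":
    print("before:", check_s3cfg(SAMPLE_S3CFG))
    fixed = rewrite_s3cfg(SAMPLE_S3CFG)
    print(fixed)
    print("after:", check_s3cfg(fixed))
```

Run check_s3cfg against the real $HOME/.s3cfg on each client host after the change; any finding means that client is still talking to s3.amazonaws.com directly and its objects will not be encrypted by the appliance.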
Alternative 2: Host Mapping
With this alternative you configure the host on which your S3 client is running, so that S3 API endpoints are resolved to the IP address of the Porticor appliance. You should not fill in the Bucket table in this alternative.
On Linux, edit the file /etc/hosts and add the lines shown below. On Windows, add these lines to ...\hosts (the exact path depends on your Windows version).

```text
Appliance-IP bucketname.s3.amazonaws.com   # replicate this line for each S3 bucket
Appliance-IP s3.amazonaws.com
# In addition to the above, add the following lines for non-US Standard buckets
# (change for the region where your bucket is located)
Appliance-IP bucketname.s3-ap-southeast-2.amazonaws.com
Appliance-IP s3-ap-southeast-2.amazonaws.com
```
Use the so-called "private" IP address (10.x.x.x) of the Porticor appliance for access from within the EC2 cloud. If you plan to access the appliance from outside the cloud, or even from another AWS region, you will need to use the "public" address instead. Both addresses are listed on the S3 Configuration GUI page.
All communication with the virtual appliance is SSL-protected. In Alternative 2, enable the Porticor Certificate Authority (PCA) on the Configuration page of the appliance. Then install your project's CA certificate as a Trusted Root CA on the client machine. Failing to install the CA certificate might result in the S3 client refusing to
- You need to wait a few minutes after the creation of a new bucket before starting to use it, so that it is recognized by all S3 servers.
- Note that Porticor does not support "mixed buckets" containing both protected and unprotected objects.
- Bucket names must conform with the requirements for DNS names, as recommended by Amazon Web Services. In particular they must not contain uppercase letters.
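With host mapping, a bucket whose virtual-host name is missing from the hosts file (or a regional endpoint left unmapped) does not fail loudly: the client simply resolves the real Amazon address and writes unencrypted. The added example below (not Porticor's code) covers the Alternative 2 section and the bucket-naming note above: it parses a constructed hosts file, lists every bucket and endpoint entry that is absent or points somewhere other than the appliance, and checks bucket names against the DNS-compliant rules Amazon publishes (3-63 characters of lowercase letters, digits, dots and hyphens, starting and ending with a letter or digit, no adjacent dots, not shaped like an IP address). The appliance IP 10.0.0.5 and the bucket names are constructed.

```python
import ipaddress
import re

# Constructed sample of /etc/hosts after Alternative 2 for two buckets: "logs-bucket" in
# US Standard and "backups" in ap-southeast-2. 10.0.0.5 stands in for the appliance's private IP.
APPLIANCE_IP = "10.0.0.5"
SAMPLE_HOSTS = """127.0.0.1   localhost
10.0.0.5    logs-bucket.s3.amazonaws.com   # replicated per bucket
10.0.0.5    s3.amazonaws.com
10.0.0.5    backups.s3-ap-southeast-2.amazonaws.com
10.0.0.5    s3-ap-southeast-2.amazonaws.com
"""


def parse_hosts(text):
    """Return {hostname: ip}. The first entry for a name wins, as the resolver would pick it."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def expected_names(buckets):
    """buckets maps bucket name -> region, with None for US Standard.
    Each bucket needs both its virtual-host name and its regional endpoint mapped."""
    names = set()
    for bucket, region in buckets.items():
        endpoint = "s3.amazonaws.com" if region is None else f"s3-{region}.amazonaws.com"
        names.update({endpoint, f"{bucket}.{endpoint}"})
    return names


def check_hosts(text, appliance_ip, buckets):
    """List every expected name that is missing or points somewhere other than the appliance."""
    mapping = parse_hosts(text)
    findings = []
    for name in sorted(expected_names(buckets)):
        actual = mapping.get(name)
        if actual is None:
            findings.append(f"missing: {name} (traffic would go straight to Amazon, unencrypted)")
        elif actual != appliance_ip:
            findings.append(f"{name} maps to {actual}, not the appliance at {appliance_ip}")
    return findings


# DNS-compliant bucket name: 3-63 chars, lowercase letters, digits, '.' and '-',
# starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def bucket_name_problems(name):
    """Return the list of DNS-naming rules the bucket name violates (empty if it is valid)."""
    problems = []
    if not _BUCKET_RE.match(name):
        problems.append("must be 3-63 lowercase letters, digits, '.' or '-', "
                        "starting and ending with a letter or digit")
    if ".." in name:
        problems.append("must not contain adjacent dots")
    try:
        ipaddress.ip_address(name)
        problems.append("must not be formatted as an IP address")
    except ValueError:
        pass
    return problems


if __name__ == "__main__":
    buckets = {"logs-bucket": None, "backups": "ap-southeast-2"}
    print(check_hosts(SAMPLE_HOSTS, APPLIANCE_IP, buckets) or "hosts file complete")
    for candidate in ("mylittlebucket", "MyLittleBucket", "192.168.1.1"):
        print(candidate, bucket_name_problems(candidate) or "ok")
```

This is a static check of the file contents only; it does not prove what the client actually resolves, so on a host with a caching resolver or a conflicting earlier hosts entry, confirm with a live lookup of the bucket name as well.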