Description of problem: Objects encrypted with the SSE-KMS mode sync to other zones, but are stored in their unencrypted form. Because they retain their encryption attributes, attempts to read them from a secondary zone will decrypt the data again, returning garbage data to the client. How reproducible: All objects encrypted with SSE-KMS in a multisite configuration. Steps to Reproduce: 1. Set up a multisite configuration with two zones, including these additional values in ceph.conf: [client] rgw crypt require ssl = false rgw crypt s3 kms encryption keys = testkey=YmluCmJvb3N0CmJvb3N0LWJ1aWxkCmNlcGguY29uZgo= 2. Create a bucket on the primary zone 3. Upload an object (containing readable text) to that bucket on the primary zone, using these additional request headers: x-amz-server-side-encryption: aws:kms x-amz-server-side-encryption-aws-kms-key-id: testkey Actual results: The object syncs to the secondary zone, but its data does not match the readable text uploaded to the primary zone. Expected results: The synced object is stored on the secondary zone in its encrypted form. When read, the decrypted object data is returned to the client. Additional info: The sync request should fetch the object in its encrypted form.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:3387