Ability to copy a file encrypted with customer-supplied key to a file without customer-supplied key #2575

Open
rossj opened this issue Jan 22, 2025 · 0 comments
Labels
api: storage Issues related to the googleapis/nodejs-storage API. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

rossj commented Jan 22, 2025

A screenshot that you have tested with "Try this API".

Not possible, as the "Try this method" GUI does not allow setting the necessary optional extension headers.

What would you like to see in the library?

While using the file.copy() method, I would like a way to copy a file encrypted with a customer-supplied encryption key (CSEK) to a file that is not encrypted with a CSEK (e.g., using Google default encryption for destination file). This is not currently possible, as the source file's key is copied to the destination file object and reused. I believe this is the result of the library's code and not the API.

In more detail, it is currently possible to copy a file and change the CSEK, as follows:

```js
const srcFile = bucket.file('my-file1').setEncryptionKey('a'.repeat(32));

await bucket.upload(filePath, {
  destination: srcFile,
});

// Metadata will indicate CSEK with customerEncryption
const [srcMeta] = await srcFile.getMetadata();

// Note we are using a different key here:
const dstFile = bucket.file('my-file-2').setEncryptionKey('b'.repeat(32));

await srcFile.copy(dstFile);

// Metadata will indicate a CSEK with customerEncryption, and a different customerEncryption.keySha256 value.
const [dstMeta] = await dstFile.getMetadata();
```

However, I don't think it's currently possible to avoid setting a CSEK on the dstFile. Consider the behavior with this:

```js
const srcFile = bucket.file('my-file1').setEncryptionKey('a'.repeat(32));

await bucket.upload(filePath, {
  destination: srcFile,
});

// Metadata will indicate CSEK with `customerEncryption`
const [srcMeta] = await srcFile.getMetadata();

// Note we are purposely not setting a key for the dst file
const dstFile = bucket.file('my-file-2');

await srcFile.copy(dstFile);

// Metadata will indicate a CSEK with customerEncryption, and the same customerEncryption.keySha256 as the source (key is reused).
const [dstMeta] = await dstFile.getMetadata();
```

Describe alternatives you've considered

I've tried to explicitly set a null or empty-string key on the dstFile, but that gives a "Missing an encryption key, or it is not base64 encoded, or it does not meet the required length of the encryption algorithm." error.

Perhaps as a solution, the library could keep the current key-copying / reusing behavior if setEncryptionKey() is not called on the destination file, but allow explicitly setting a null key for the dstFile to avoid the key copying.

Additional context/notes

No response

@product-auto-label product-auto-label bot added the api: storage Issues related to the googleapis/nodejs-storage API. label Jan 22, 2025
@ddelgrosso1 ddelgrosso1 added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Jan 23, 2025
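
A post-copy check for the key reuse reported in this issue, as an added example that is not part of the original issue or of the nodejs-storage library: it compares `customerEncryption.keySha256` on the source and destination metadata against the key the caller intended. The helper names (`keySha256`, `checkCopyEncryption`) are hypothetical and the metadata objects are constructed for illustration; it assumes `keySha256` is the base64-encoded SHA-256 of the raw key bytes.

```javascript
const { createHash } = require('node:crypto');

// Base64 SHA-256 of the raw key bytes, the form assumed here for
// metadata.customerEncryption.keySha256.
function keySha256(key) {
  return createHash('sha256').update(Buffer.from(key)).digest('base64');
}

// Hypothetical helper: compare the destination's metadata with what the caller
// intended. intendedKey is the CSEK the destination should use, or null when
// the destination was meant to have no CSEK (default encryption).
function checkCopyEncryption(srcMeta, dstMeta, intendedKey) {
  const src = srcMeta.customerEncryption?.keySha256 ?? null;
  const dst = dstMeta.customerEncryption?.keySha256 ?? null;
  const want = intendedKey == null ? null : keySha256(intendedKey);
  if (dst === want) return { ok: true, state: dst ? 'csek-as-intended' : 'no-csek' };
  if (dst !== null && dst === src) return { ok: false, state: 'source-key-reused' };
  return { ok: false, state: dst ? 'unexpected-csek' : 'csek-missing' };
}

// Constructed metadata mirroring the two snippets in the issue (not real API output).
const keyA = 'a'.repeat(32);
const keyB = 'b'.repeat(32);
const csek = (key) => ({ encryptionAlgorithm: 'AES256', keySha256: keySha256(key) });
const srcMeta = { name: 'my-file1', customerEncryption: csek(keyA) };
const rekeyedDst = { name: 'my-file-2', customerEncryption: csek(keyB) };
const reusedDst = { name: 'my-file-2', customerEncryption: csek(keyA) };

// First snippet: destination given a different key, which matches the intent.
console.log(checkCopyEncryption(srcMeta, rekeyedDst, keyB));
// Second snippet: no key intended, but the source key was carried over.
console.log(checkCopyEncryption(srcMeta, reusedDst, null));
```

With real objects, pass the first element of each `getMetadata()` result as `srcMeta` and `dstMeta`.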