Skip to main content

Access Key

If you intend to use CLI or API for accessing your data on EOS, you will need to define bucket permissions.

Customers can create access keys using Manage Access Keys and the Permissions tab.

Create Access Key

You can create an access key from the Permissions tab on the Bucket details page or the Manage access page.

Access 01

  1. Enter a name for your access key. This can be an application name, project name, or a team member name.
  2. Click Generate Key.
  3. If all goes well, you will see newly generated access and secret keys.
  4. Keep a note of both these keys, as you will not see them again after you close the modal window.
  5. If you have mc set up, then use the given command to configure CLI for this access key.
tip

Choose a short name for the access key as you will be entering this for each command that you type in CLI.

Manage Access

Sometimes you may need to disable access for certain users or target applications. The way to do that is to lock their access key from the manage access page.

Access 06

  1. Go to Products > Storage Storage option in the sidebar menu.
  2. Click Manage Access Key.
  3. Identify the access you want to lock using the key name.
  4. Click the lock icon as desired.

To unlock, follow the same steps above except this time you will see an unlock icon instead of lock.

Using Manage Access Key

Using the manage access key, you need to click on the Manage Access Keys button.

Access 02

Access 03

Access 05

Access 07

Access 08

Actions in Manage Access Key

Customers can perform two actions in Access key: Lock, Unlock, and Delete.

Access 09

Access 10

Access 11

Access 12

Access 13

  1. Go to Products > Storage option in the sidebar menu.

  2. Choose any bucket or create a new one.

  3. Click the permission tab; it will be opened for the selected bucket.

  4. Click the Create access key button.

  5. Enter a name for your access key. This can be an application name, project name, or a team member name.

  6. Choose an access key or create an access key.

  7. Assign a role:

    RoleDescription
    bucket admincan read, write, manage
    bucket writercan read, write
    bucket readercan read

Access 14

Access 15

Access 16

Access 17

Access 18

Public Access Config

Using Public access config, we give the permissions of Upload, Download, Upload & Download, and Private for the objects using URL. To enable this, you need to click on the Public Access Config button and select the permission you want to give.

Access 19

Access 20

Access 21

Object Storage 33

Access 22

Protect Your Bucket Data With Encryption

Introduction: The procedure on this page configures and enables Server-Side Encryption with Client-Managed Keys (SSE-C). EOS SSE-C supports client-driven encryption of objects before writing the object to the drive. Clients must specify the correct key to decrypt objects for read operations.

Prerequisite

  • The mc client is required to encrypt an object (How to install mc client).
  • The SSE-C key must be a 256-bit base64-encoded string.
  • The client application is responsible for the generation and storage of the encryption key.
  • EOS does not store SSE-C encryption keys and cannot decrypt SSE-C encrypted objects without the client-managed key.

1) Generate the Encryption Key

First of all, an encryption key is required. You can generate the encryption using the following command:

cat /dev/urandom | head -c 32 | base64 -
  • It is important to notice that a 256-bit base64-encoded string should be used.
  • Save the encryption key for future reference.

2) Encrypt and Copy Object into Bucket Using Encryption Key

To encrypt an object using the mc client, refer to the following command:

 mc cp ~/source_path/my_object.json ALIAS/BUCKET/my_object.json \
--encrypt-key "ALIAS/BUCKET/=ENCRYPTION_KEY"
  • Replace ALIAS with the key_name used while configuring the mc client on which you want to write the SSE-C encrypted object.

  • Replace BUCKET with the full path to the bucket or bucket prefix to which you want to write the SSE-C encrypted object.

  • Replace ENCRYPTION_KEY with the key generated in the first step.

3) Copy an SSE-C Encrypted Object Between Two Buckets

EOS also supports copying an SSE-C encrypted object to another S3-compatible service:

 mc cp SOURCE/BUCKET/mydata.json TARGET/BUCKET/mydata.json  \
--encrypt-key \
"SOURCE/BUCKET/=ENCRYPTION_KEY","TARGET/BUCKET/=ENCRYPTION_KEY"
  • Replace ALIAS with respecting key_name used while configuring the mc client on which you want to read and write the SSE-C encrypted object.

  • Replace source and destination BUCKET with the full path to the bucket or bucket prefix on which you want to read and write the SSE-C encrypted object.

  • Replace ENCRYPTION_KEY with the key generated in the first step.

Considerations:

  • SSE-C encrypted objects are not compatible with the EOS bucket replication feature.

  • User manage a mapping of which encryption key was used to encrypt which object. E2E does not store encryption keys. You are responsible for tracking which encryption key you provided for which object.

  • If your bucket is versioning-enabled, each object version that you upload by using this feature can have its own encryption key. You are responsible for tracking which encryption key was used for which object version.

  • For downloading an encrypted object encryption key is required, if the user loses the key then he can not download the data, and his data will be lost. In this case E2E is not responsible for the loss of your data.

References