Confidential s3proxy

Constellation now extends confidentiality to your cloud-managed storage

A man, green lights in the background

Felix Schuster

Constellation is an open-source, auto-managed, and highly secure Kubernetes distribution. Using confidential computing, Constellation keeps all data in cluster always encrypted. This includes data that is sent between nodes, data that is written to block storage, and data that is processed on any node. In a nutshell, Constellation ensures that the compute infrastructure - e.g., your cloud service provider - never sees your data.

What's new?

The release of version 2.12 of Constellation brought an exciting new feature: s3proxy. It's an encryption proxy for AWS S3 buckets and compatible cloud-storage offerings like Google Cloud Storage. (Note that Azure Blob Storage can be made compatible with S3 with another proxy.)

s3proxy can be easily installed in any Constellation cluster. Once supplied with the access credentials to your cloud storage, s3proxy exposes the well-known PutObject() and GetObject() functions within your cluster.

Any data that is written to cloud storage via s3proxy gets transparently encrypted - and decrypted on the way back. The key management for this is integrated with Constellation's confidential in-cluster key management service.

This means, that with s3proxy, you get "confidential" cloud-managed storage without having to modify your applications.

Why not use S3 server-side encryption?

AWS S3 and similar cloud-managed storage typically provide server-side encryption. This is good practice but doesn't help in the context of confidential computing.

In particular, Constellation aims to keep the cloud service provider (CSP) outside the trust boundary. Relying on the CSP for encryption compromises this.

Next steps

To learn more about s3proxy, head to the Constellation documentation. There's also a quick-start guide that lets you set up your first "always encrypted" Constellation cluster in no time.

There are many benefits to using Constellation with confidential cloud storage. For example, this gives you on-prem-like privacy together with the ransomware resilience and availability of the cloud.

Author: Felix Schuster

Related reading

View all