Open
Description
Summary
Support different encryption keys for different buckets or key prefixes, enabling multi-tenant encryption isolation.
Problem
Currently, a single master key (S3PROXY_ENCRYPT_KEY) encrypts everything. In multi-tenant environments, this means:
- All tenants share the same encryption key
- Compromising one tenant's key compromises all data
- Cannot provide per-tenant key management or escrow
Proposal
- Map encryption keys to bucket names or key prefixes
- Fall back to the default key for unmatched paths
- Support loading keys from environment variables, config file, or external KMS
Example config
```yaml
encryption:
  default_key: "fallback-key-32-bytes!!"
  rules:
    - bucket: "tenant-a-*"
      key: "tenant-a-key-32-bytes!!"
    - bucket: "shared"
      prefix: "team-b/"
      key: "team-b-key-32-bytes!!"
```
Considerations
- Key lookup must be fast (per-request hot path)
- Should work with key rotation (see #12, "Key rotation: re-encrypt objects with a new master key")
- Need clear error handling when a key is missing for a given path
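A sketch of the lookup this proposal describes, added here as an example and not code from the project: bucket globs are compiled once at load time, the first matching rule wins, and a rule without a usable key fails at startup instead of silently falling back to the default key (which would undo the tenant isolation). The 32-byte key length, the `KeyResolver` and `KeyResolutionError` names, and the sample keys are assumptions made for the example.

```python
import fnmatch
import re


class KeyResolutionError(Exception):
    """Raised when no usable key exists for a rule or a bucket/object path."""


def _check(key, where):
    # Assumption: keys are exactly 32 bytes (AES-256). Validate once at load time.
    raw = key.encode() if isinstance(key, str) else key
    if not raw or len(raw) != 32:
        raise KeyResolutionError(f"{where}: key missing or not 32 bytes")
    return raw


class KeyResolver:
    def __init__(self, config):
        enc = config["encryption"]
        default = enc.get("default_key")
        # No default_key means unmatched paths are rejected rather than encrypted.
        self._default = _check(default, "default_key") if default else None
        self._rules = []
        for i, rule in enumerate(enc.get("rules", [])):
            # Compile the glob once so the per-request path is a single regex match.
            pattern = re.compile(fnmatch.translate(rule["bucket"]))
            # A rule whose key is absent raises here; it never inherits the default.
            key = _check(rule.get("key"), f"rules[{i}]")
            self._rules.append((pattern, rule.get("prefix", ""), f"rules[{i}]", key))

    def resolve(self, bucket, object_key):
        """Return (source, key_bytes) for a request; first matching rule wins."""
        for pattern, prefix, name, key in self._rules:
            if pattern.match(bucket) and object_key.startswith(prefix):
                return name, key
        if self._default is None:
            raise KeyResolutionError(f"no key configured for {bucket}/{object_key}")
        return "default_key", self._default


# Constructed sample config mirroring the structure above, with 32-byte dummy keys.
CONFIG = {"encryption": {
    "default_key": "D" * 32,
    "rules": [
        {"bucket": "tenant-a-*", "key": "A" * 32},
        {"bucket": "shared", "prefix": "team-b/", "key": "B" * 32},
    ],
}}
```

Returning the rule name alongside the key lets the caller log which rule selected the key without ever logging key material.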