Hi,
We have some buckets (have been around for a while, approx 200GB+ data) and we want to turn on encryption-at-rest using SSE-S3 (the most "transparent" way) https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
The S3 buckets are mounted to our Linux VMs using S3FS
https://github.com/s3fs-fuse/s3fs-fuse
which has support for this (seems fairly transparent)
So, it seems like the way this works is that you can only enable this on files on a go-forward basis so the older files that already exist will not be in encrypted-at-rest (which is ok, we can backfill this later)
Has anybody tried to do this before using this combo? If we mount the bucket using s3fs with -o use_sse option, what will happen as the files will be half-and-half?
Will it "just work"? s3fs will be mounted with -o use_sse and it will be able to handle files that are BOTH the old way (not encrypted-at-rest) and the newer files (encrypted-at-rest) ... we can then start backfilling the older files and we have time or will this fail catastrophically the minute we mount the s3 bucket :(
Is the solution to just start a new bucket and do the SSE-S3 and then just start moving the files over (we have done this before in terms of having code in our application check for a file in multiple buckets before giving up)
Of course, we will test all this stuff, just wanted to ask a quick question in case we are worried about this too much and if this is a "no big deal" or "be very careful"
Thanks!
AWS OFFICIALUpdated a year ago
