Overview
CipherTrust Transparent Encryption for Cloud Object Storage (CTE COS) is an object storage service that you can use to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. CTE COS provides management features so you can organize your data and configure finely-tuned access controls to meet your specific business, organizational, and compliance requirements.
CTE COS for Amazon Simple Storage Service (CTE COS S3) is an extension to CTE for inline encryption and local host access controls involving applications performing REST-API-based operations to S3 object stores.
CTE COS S3 is not a replacement for AWS IAM access controls which are enforced independently at the AWS server end.
The following diagram shows the high-level CTE COS S3 architecture:
Supported operations
-
CTE COS S3 will process only AWS S3 REST https calls issued by applications. The interception is done by a bundled TLS proxy with additional CTE services.
-
CTE’s traditional access controls and inline encryption are transparently applied during the following operations:
-
Create a bucket
-
Write an object
-
Read an object
-
Delete an object
-
List objects
-
Limitations
-
CTE COS S3 is supported only on RHEL 7, RHEL 8 and RHEL 9.
-
Only REST API based S3 protocol-aware applications are supported.
-
Only locally generated self-signed COS Proxy CA Certificates are supported.
-
AWS S3 URL path validations are not currently implemented. CTE COS S3 requires that the user must specify the correct URLs for bucket paths.
-
CTE COS S3 permits only AES CBC-CS1 encryption. Encrypted files in protected buckets therefore will prepend the 4K embedded header used in CTE's AES CBC-CS1 encryption. The key manager will enforce usage of AES CBC-CS1 keys within S3 bucket policies.
Multi-part Upload Restrictions
-
All upload operations for a multi-part upload must be conducted from the same host.
-
Maximum file size upload is 5TB.
-
Part sizes during uploads must be identical. The part numbering must be in sequence starting with 1, e.g. 1,2,3,4,… Not 10, 20, 30, etc.
-
The part size specified in CTE S3’s AWS credential file must match the part size specified within the application.
-
Thales recommends that the Content-MD5 header be included in the request message.