Ability to copy a file encrypted with customer-supplied key to a file without customer-supplied key #2575

Open
@rossj

A screenshot that you have tested with "Try this API".

Not possible, as the "Try this method" GUI does not allow setting the necessary optional extension headers.

What would you like to see in the library?

While using the file.copy() method, I would like a way to copy a file encrypted with a customer-supplied encryption key (CSEK) to a file that is not encrypted with a CSEK (e.g., using Google default encryption for destination file). This is not currently possible, as the source file's key is copied to the destination file object and reused. I believe this is the result of the library's code and not the API.

In more detail, it is currently possible to copy a file and change the CSEK, as follows:

```js
const srcFile = bucket.file('my-file1').setEncryptionKey('a'.repeat(32));

await bucket.upload(filePath, {
  destination: srcFile,
});

// Metadata will indicate CSEK with customerEncryption
const [srcMeta] = await srcFile.getMetadata();

// Note we are using a different key here:
const dstFile = bucket.file('my-file-2').setEncryptionKey('b'.repeat(32));

await srcFile.copy(dstFile);

// Metadata will indicate a CSEK with customerEncryption, and a different customerEncryption.keySha256 value.
const [dstMeta] = await dstFile.getMetadata();
```

However, I don't think it's currently possible to avoid setting a CSEK on the dstFile. Consider the behavior with this:

```js
const srcFile = bucket.file('my-file1').setEncryptionKey('a'.repeat(32));

await bucket.upload(filePath, {
  destination: srcFile,
});

// Metadata will indicate CSEK with `customerEncryption`
const [srcMeta] = await srcFile.getMetadata();

// Note we are purposely not setting a key for the dst file
const dstFile = bucket.file('my-file-2');

await srcFile.copy(dstFile);

// Metadata will indicate a CSEK with customerEncryption, and the same customerEncryption.keySha256 as the source (key is reused).
const [dstMeta] = await dstFile.getMetadata();
```

Describe alternatives you've considered

I've tried to explicitly set a null or empty-string key on the dstFile, but that gives a "Missing an encryption key, or it is not base64 encoded, or it does not meet the required length of the encryption algorithm." error.

Perhaps as a solution, the library could keep the current key-copying / reusing behavior if setEncryptionKey() is not called on the destination file, but allow explicitly setting a null key for the dstFile to avoid the key copying.

Additional context/notes

No response
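The snippets in this issue tell the three outcomes apart only by reading `customerEncryption.keySha256` in the returned metadata. The following is an added example, not part of the original issue or of the nodejs-storage library: a post-copy check that classifies the destination from metadata alone. It assumes `keySha256` is the base64-encoded SHA-256 of the raw 32-byte key; the function names, result labels and sample metadata are hypothetical and constructed for illustration.

```js
const crypto = require('node:crypto');

// Assumption: GCS reports a CSEK as customerEncryption.keySha256, the
// base64-encoded SHA-256 digest of the raw 32-byte AES-256 key.
function keySha256(key) {
  const raw = Buffer.isBuffer(key) ? key : Buffer.from(key);
  if (raw.length !== 32) throw new RangeError('CSEK must be exactly 32 bytes');
  return crypto.createHash('sha256').update(raw).digest('base64');
}

// Classify how the destination of a copy ended up encrypted.
// srcMeta/dstMeta: metadata objects as returned by file.getMetadata().
// intendedKey: the key the caller meant the destination to use, or null
// when the caller wanted no CSEK (Google default encryption).
function classifyCopy(srcMeta, dstMeta, intendedKey = null) {
  const src = srcMeta.customerEncryption?.keySha256 ?? null;
  const dst = dstMeta.customerEncryption?.keySha256 ?? null;
  if (dst === null) {
    return intendedKey === null ? 'ok-default-encryption' : 'unexpected-no-csek';
  }
  if (intendedKey !== null) {
    return dst === keySha256(intendedKey) ? 'ok-rekeyed' : 'unexpected-key';
  }
  // No key was intended, yet the destination carries one.
  return dst === src ? 'source-key-reused' : 'unexpected-key';
}

// Constructed sample metadata reproducing the cases discussed in the issue.
function sampleCases() {
  const keyA = 'a'.repeat(32);
  const keyB = 'b'.repeat(32);
  const meta = (key) => key
    ? {name: 'obj', customerEncryption: {encryptionAlgorithm: 'AES256', keySha256: keySha256(key)}}
    : {name: 'obj'};
  return {
    rekeyed: classifyCopy(meta(keyA), meta(keyB), keyB), // first snippet
    reused: classifyCopy(meta(keyA), meta(keyA)),        // second snippet
    wanted: classifyCopy(meta(keyA), meta(null)),        // requested behavior
  };
}
```

A caller that expects the destination to fall back to default encryption can treat `source-key-reused` as a failed copy instead of discovering later that the object still needs the source key to read.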

Labels

- api: storage (Issues related to the googleapis/nodejs-storage API.)
- type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.)
