Support for AWS Server Side Encryption

[jeffreygolden]

Hello Velero team,

I've been trying to upload backups to an AWS bucket with a server side encryption enforcement policy. This means all requests to the bucket require an AWS header indicating it should be encrypted by AWS. While Velero supports this, Restic does not.

I found this Restic issue indicating the lack of SSE support is intentional: restic/restic#2008

My AWS bucket policy looks like the following:

{
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "Enforce server side encryption on file uploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

In operation, the Velero files are successfully uploaded to the bucket, but the Restic artifacts are not.

Is there a workaround here to get Velero fully functioning with S3 SSE buckets?

Thank you!
Jeff