sync fails when encryption settings provider returns write mode b2sdk.v2.SSE_NONE

Question

sync fails when encryption settings provider returns write mode b2sdk.v2.SSE_NONE

titus8 opened this issue 10 months ago · 8 comments

Good Day to All.

I'm using b2sdk-1.24.1. I've found a synchronization failure when an encryption settings provider returns write mode b2sdk.v2.SSE_NONE.

A repro script is attached.
bug.txt

A traceback is attached.
traceback.txt

It looks like the server is complaining.

Thanks for your attention.

titus8

Answer 1 · 2023-11-13T22:14:46.000Z

I think this is an old issue. In b2sdk-1.24.1/b2sdk/encryption/setting.py, in add_to_upload_headers(), I see

if self.mode == EncryptionMode.NONE:
    # as of 2021-03-16, server always fails it
    headers['X-Bz-Server-Side-Encryption'] = self.mode.name

Answer 2 · 2023-11-14T03:06:25.000Z

Hi,
thanks for the report and the provided code/traceback. I'm not sure what is the behaviour you expect, but note that SSE_NONE is not supported encryption for sync. So the current behaviour is expected, but the error should be definitely handled more gracefully. We'll look into it.

Answer 3 · 2023-11-14T17:13:05.000Z

It seems reasonable to expect that SSE_NONE would cause a local file to be stored on the server as plaintext, regardless of the server default setting. I'm not sure why SSE_NONE exists if it can't be used for sync. Please point me to the documentation, so that I might discover anything else I missed.

Thanks.

Answer 4 · 2023-11-15T08:51:44.000Z

The command sync uses b2_upload_file behind the scene, which shows that when encryption is explicitly requested, it will either use SSE_C or SSE_B2 based on the combination of X-Bz-Server-Side-Encryption-* headers, there's no way how to explicitly request SSE_NONE from the API. The best what can be done in the SDK is to make this fail loudly before hitting the API.

Sync without encryption can be achieved when the bucket encryption is disabled & get_setting_for_upload() will return None, in which case the bucket's encryption settings will be used (ie. no encryption).

Answer 5 · 2023-11-15T16:10:17.000Z

The command sync uses b2_upload_file behind the scene, which shows that when encryption is explicitly requested, it will either use SSE_C or SSE_B2 based on the combination of X-Bz-Server-Side-Encryption-* headers, there's no way how to explicitly request SSE_NONE from the API. The best what can be done in the API is to make this fail loudly before hitting the API.

That's nice documentation, thank you. Is it possible that the absence of all X-Bz-Server-Side-Encryption-* headers implies plaintext?

Sync without encryption can be achieved when the bucket encryption is disabled & get_setting_for_upload() will return None, in which case the bucket's encryption settings will be used (ie. no encryption).

Yes, this was clear.

Answer 6 · 2023-11-16T03:39:41.000Z

That's nice documentation, thank you. Is it possible that the absence of all X-Bz-Server-Side-Encryption-* headers implies plaintext?

Not really - when the bucket has encryption enabled, omitting the encryption headers works as "use the encryption settings matching the bucket"

Answer 7 · 2023-11-17T00:23:20.000Z

Fair enough. Thanks for your attention.

Answer 8 · 2023-11-17T00:24:27.000Z

Questions answered. Thanks again!