Per-bucket / per-prefix encryption keys

[ServerSideHannes]

Summary

Support different encryption keys for different buckets or key prefixes, enabling multi-tenant encryption isolation.

Problem

Currently, a single master key (S3PROXY_ENCRYPT_KEY) encrypts everything. In multi-tenant environments, this means:

• All tenants share the same encryption key
• Compromising one tenant's key compromises all data
• Cannot provide per-tenant key management or escrow

Proposal

• Map encryption keys to bucket names or key prefixes
• Fall back to the default key for unmatched paths
• Support loading keys from environment variables, config file, or external KMS

Example config

encryption:
  default_key: "fallback-key-32-bytes!!"
  rules:
    - bucket: "tenant-a-*"
      key: "tenant-a-key-32-bytes!!"
    - bucket: "shared"
      prefix: "team-b/"
      key: "team-b-key-32-bytes!!"

Considerations

• Key lookup must be fast (per-request hot path)
• Should work with key rotation (Key rotation: re-encrypt objects with a new master key #12)
• Need clear error handling when a key is missing for a given path