Object storage

Amazon S3 Storage

If an Amazon S3 compatible storage is used to store user data, the OX App Suite operator is usually not in control of the physical storage and cannot protect it from unauthorized access. In this scenario, it is advisable to encrypt the stored data, so that a third party who somehow gains access to the storage cannot make use of the data. There are currently two mechanisms available to encrypt the data: client-side encryption via RSA and server-side encryption.

The first mechanism is completely controlled by the operator of OX App Suite. An operator-defined key is used to encrypt the data via RSA before sending it to the S3 storage and to decrypt it once the data is retrieved.

The second option, on the other hand, uses an encryption method provided by the object storage operator. This means that the object storage operator encrypts the data and manages the keys. Further information can be found here: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html

Once activated, OX App Suite does two things: first, it sends the appropriate headers that tell the S3 storage to use server-side encryption, and second, it configures newly created buckets to only accept requests carrying those headers. This ensures that no other client can write to this bucket without server-side encryption. It also means that those buckets need to be reconfigured manually if server-side encryption is turned off again. Therefore, it is highly recommended not to activate this feature unless the decision to keep it is final. Information about how encryption can be configured can be found here: https://documentation.open-xchange.com/components/middleware/config/8/#mode=features&feature=Filestore S3
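The bucket restriction described above, as an added example that is not code from OX App Suite or from AWS: it builds a bucket policy of the kind AWS documents for enforcing SSE-S3 (deny any `PutObject` whose `x-amz-server-side-encryption` header is missing or not `AES256`) and pairs it with a small evaluator that mimics how those two deny statements treat the headers of an upload. The bucket name, the statement Sids, the sample header sets and the evaluator are assumptions made for illustration; the header name and the `AES256` value are the standard S3 ones.

```python
import json

# Standard S3 request header and value for SSE-S3 (SSE-KMS would use "aws:kms").
SSE_HEADER = "x-amz-server-side-encryption"
SSE_ALGORITHM = "AES256"


def build_sse_bucket_policy(bucket: str) -> dict:
    """Bucket policy that rejects uploads without the server-side encryption header.

    Two deny statements, following the pattern AWS documents: one for a header
    with the wrong value, one for a missing header. The Sids are assumed names.
    """
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    condition_key = f"s3:{SSE_HEADER}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyWrongSseAlgorithm",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"StringNotEquals": {condition_key: SSE_ALGORITHM}},
            },
            {
                "Sid": "DenyMissingSseHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"Null": {condition_key: "true"}},
            },
        ],
    }


def put_allowed(policy: dict, request_headers: dict) -> bool:
    """Illustrative evaluator (not AWS's engine) for the deny statements above.

    Header names are case-insensitive. As in IAM, a negated operator such as
    StringNotEquals also matches when the key is absent, so a missing header
    is denied by either statement.
    """
    headers = {name.lower(): value for name, value in request_headers.items()}
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny" or statement["Action"] != "s3:PutObject":
            continue
        condition = statement["Condition"]
        for key, expected in condition.get("StringNotEquals", {}).items():
            header_name = key[len("s3:"):]
            if headers.get(header_name) != expected:
                return False
        for key, must_be_absent in condition.get("Null", {}).items():
            header_name = key[len("s3:"):]
            if must_be_absent == "true" and header_name not in headers:
                return False
    return True


def without_sse_statements(policy: dict) -> dict:
    """What manual reconfiguration after disabling the feature amounts to:
    dropping the SSE-related deny statements so unencrypted uploads work again."""
    sse_key = f"s3:{SSE_HEADER}"
    kept = [
        s for s in policy["Statement"]
        if not any(sse_key in cond for cond in s.get("Condition", {}).values())
    ]
    return {"Version": policy["Version"], "Statement": kept}


if __name__ == "__main__":
    policy = build_sse_bucket_policy("ox-filestore-example")  # constructed bucket name
    print(json.dumps(policy, indent=2))

    # Constructed header sets: an upload as the middleware would send it, and two
    # uploads from a client that does not set the header or sets the wrong value.
    upload_with_sse = {"Content-Type": "application/octet-stream", SSE_HEADER: SSE_ALGORITHM}
    upload_without_sse = {"Content-Type": "application/octet-stream"}
    upload_wrong_value = {"X-Amz-Server-Side-Encryption": "aws:kms"}

    for label, hdrs in [("with SSE", upload_with_sse),
                        ("without SSE", upload_without_sse),
                        ("wrong algorithm", upload_wrong_value)]:
        print(f"{label:16s} allowed={put_allowed(policy, hdrs)}")
    print("after removal:", put_allowed(without_sse_statements(policy), upload_without_sse))
```

To confirm that a bucket created by the middleware actually carries such a policy, the operator can inspect it with `aws s3api get-bucket-policy --bucket <name>` and the bucket's default encryption settings with `aws s3api get-bucket-encryption --bucket <name>`; a bucket that still denies unencrypted uploads after the feature was switched off in the configuration is exactly the case the paragraph warns about.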

Both mechanisms can be used independently. This means the OX App Suite operator can use either client-side encryption or server-side encryption, or both at the same time. Both mechanisms have advantages and disadvantages: client-side encryption leaves the operator in full control of the keys and the data, whereas server-side encryption takes over the key management and is therefore a lot easier to use. Using both mechanisms at the same time only adds another security layer and does not bring any fundamental advantage. Essentially, it protects against the theft of one pair of encryption keys: for example, if the keys of the server-side encryption mechanism are stolen, the client-side mechanism still protects the data.