[Duplicity-talk] Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

[Sinang, Danny]

Hi,

 

I’m trying to back up my files and directories to an s3 bucket (in the us-east-1 region) which has server-side encryption enabled and uses a custom KMS Key.

 

So I run the command below, but get the error : Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

 

# duplicity /notebooks s3://s3.amazonaws.com/my-own-backups --log-file /var/log/duplicity.log --no-encryption

 

Local and Remote metadata are synchronized, no sync needed.

Last full backup left a partial set, restarting.

Last full backup date: Thu Jan  3 18:52:13 2019

RESTART: The first volume failed to upload before termination.

         Restart is impossible...starting backup from beginning.

 

Local and Remote metadata are synchronized, no sync needed.

Last full backup date: none

No signatures found, switching to full backup.

Attempt 1 failed. S3ResponseError: S3ResponseError: 400 Bad Request

<?xml version="1.0" encoding="UTF-8"?>

<Error><Code>InvalidArgument</Code><Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>null</ArgumentValue><RequestId>13C499F10532F0B0</RequestId><HostId>H28IOyN2uWiFSwlRFic9+hy7CPPFFJAp2o1Yi+SiydgKwM0GmPvKQRnMYOiGAeRC2TOeBQunFZY=</HostId></Error>

 

I tried adding the --s3-use-server-side-encryption , but that made the uploaded objects use the default KMS key, which is not what I want since the custom KMS key I used restricts who can do decryption.

 

Is there an option I’m missing ?

 

Regards,

Danny