Enabling server-side encryption on AWS S3 and Open edX
Posted by Aayush Agrawal on May 18, 2021
This blog post shows how to enable encryption at rest for Amazon S3 Object Storage used by your Open edX instance. When you use server-side encryption, Amazon S3 encrypts an object before saving it to a disk, and decrypts it when you download it again.
The first question is: why would you want to do this? The most important reason is privacy, as data uploaded to S3 buckets can contain personally identifiable information, such as the learner's email address in grade reports. Also keep in mind that you might be required to do this by GDPR and other privacy-focused laws.
Enabling S3 encryption on AWS: How-To
The first step is to set up an encrypted AWS S3 bucket for your Open edX instance. For the sake of simplicity, I’d recommend using SSE-S3 encryption, as AWS will manage the encryption key for you. It will use a single key for all objects, which is encrypted itself with a master key that is frequently rotated for increased security. You’ll have two choices here:
Creating an encrypted bucket
If you are just starting or testing this setup, you can create an encrypted bucket and switch your instance configuration to use this bucket.
If you already have a running instance with an existing bucket, all you need to do is enable encryption for the bucket.
Just navigate to https://s3.console.aws.amazon.com/s3/buckets/ where you’ll be able to find the bucket you want to modify. Click on the bucket link and navigate to the “Properties” tab, where you’ll find encryption settings. Here, you just need to click the “Edit” button and select “Enable”.
Configuring Open edX
Now that the bucket encryption is enabled, we must make sure Open edX can properly use it. Under the hood, your instance will be using Boto3 to communicate with AWS S3.
Enabling AWS S3 Encryption
You need to modify your settings to enable S3 encryption. You’ll have to change both your /edx/etc/lms.yml and /edx/etc/studio.yml to use the following settings.
While REGION_NAME and SIGNATURE_VERSION aren’t strictly required, they are big sources of issues when running this setup. If you encounter permission issues, make sure these are correct in your settings.
Configuring Studio export bucket
Next, ensure your bucket name is correct. If you decide to use a different bucket for course exports, make sure to enable encryption on AWS for this as well.
IMPORT_EXPORT_BUCKET: 'opencraft-example-bucket'
Configuring Grade reports downloads
Again, these settings need to be applied to both lms.yml and studio.yml.
S3Boto3Storage.location cannot begin with a leading slash (gotcha)
If you get the above error message after migrating from the local filesystem storage, you’ll have to modify the location to remove the leading slash, for example:
VIDEO_TRANSCRIPTS_SETTINGS:
  DIRECTORY_PREFIX: video-transcripts/
  STORAGE_KWARGS:
    base_url: /media/
    location: media/ # Was /media/ before
Testing
After the setup is complete, you’ll have to test the settings to ensure that it works correctly. Obvious tests are course exports, grade report downloads, checking video transcripts, etc.
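To back the console steps above with a repeatable check, here is an added boto3 script (not code from this post) that reads a bucket's default encryption configuration, enables SSE-S3 if nothing is configured, and confirms via HeadObject that a throwaway upload really comes back flagged as encrypted; the bucket name and region passed to it are placeholders, and the sample responses at the bottom are constructed for offline use.

```python
"""Check/enforce SSE-S3 default encryption with boto3 (added example, not the post's code)."""
ACCEPTED = ("AES256", "aws:kms")  # SSE-S3 or SSE-KMS: both mean encrypted at rest

def default_sse_algorithms(response):
    """SSEAlgorithm values from a GetBucketEncryption response ({} when none is configured)."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return [r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
            for r in rules if "ApplyServerSideEncryptionByDefault" in r]

def is_encrypted_by_default(response):
    """True when the bucket applies SSE-S3 or SSE-KMS to every new object."""
    return any(alg in ACCEPTED for alg in default_sse_algorithms(response))

def sse_s3_configuration():
    """Request body for PutBucketEncryption that turns on SSE-S3 (AES256)."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

def object_is_encrypted(head_response):
    """True when a HeadObject response reports the object as encrypted at rest."""
    return head_response.get("ServerSideEncryption") in ACCEPTED

def ensure_bucket_encrypted(bucket, region_name):
    """Enable SSE-S3 on `bucket` unless default encryption is already configured."""
    import boto3  # imported lazily so the pure helpers above run without AWS access
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3", region_name=region_name)
    try:
        current = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as exc:  # a bucket with no configuration raises this specific code
        if exc.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        current = {}
    if is_encrypted_by_default(current):
        return "already-encrypted"
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=sse_s3_configuration())
    return "enabled"

def verify_upload_encrypted(bucket, region_name, key="sse-check.txt"):
    """Upload a throwaway object, read its metadata back, delete it, report its SSE status."""
    import boto3
    s3 = boto3.client("s3", region_name=region_name)
    s3.put_object(Bucket=bucket, Key=key, Body=b"sse check")
    head = s3.head_object(Bucket=bucket, Key=key)
    s3.delete_object(Bucket=bucket, Key=key)
    return object_is_encrypted(head)

# Constructed sample responses, shaped like boto3's return values, for offline checks.
SAMPLE_BUCKET_RESPONSE = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_HEAD_RESPONSE = {"ContentLength": 9, "ServerSideEncryption": "AES256"}
```

Run `ensure_bucket_encrypted` and `verify_upload_encrypted` against the LMS, Studio and import/export buckets with the same credentials your instance uses, so a missing `s3:GetEncryptionConfiguration` or `s3:PutObject` permission shows up here rather than in a failed grade report.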
This checklist was developed to ensure our instances are fully operational after release upgrades, large configuration changes, and others.
I hope this helps you get peace of mind, knowing your users’ personally identifiable information is now safely encrypted on Amazon's servers.
If you’re serious about your Open edX instance’s security and would like an extra pair of eyes, you can reach out to us at OpenCraft to help maintain and/or secure your Open edX instance!