This article was written by team member Aayush Agrawal
This blog post shows how to enable encryption at rest for Amazon S3 Object Storage used by your Open edX instance. When you use server-side encryption, Amazon S3 encrypts an object before saving it to a disk, and decrypts it when you download it again.
The first question is: why would you want to do this? The most important reason is privacy, as data uploaded to S3 buckets can contain personally identifiable information, such as learners' email addresses in grade reports. Also keep in mind that you might be required to do this by GDPR and other privacy-focused laws.
The first step is to set up an encrypted AWS S3 bucket for your Open edX instance. For the sake of simplicity, I’d recommend using SSE-S3 encryption, as AWS will manage the encryption key for you. It will use a single key for all objects, which is encrypted itself with a master key that is frequently rotated for increased security. You’ll have two choices here:
If you are just starting or testing this setup, you can create an encrypted bucket and switch your instance configuration to use this bucket.
Simply navigate to https://s3.console.aws.amazon.com/s3/bucket/create to create a new bucket. Make sure to enable Server-side encryption.
If you already have a running instance with an existing bucket, all you need to do is enable encryption for the bucket.
Just navigate to https://s3.console.aws.amazon.com/s3/buckets/ where you’ll be able to find the bucket you want to modify. Click on the bucket link and navigate to the “Properties” tab, where you’ll find encryption settings. Here, you just need to click the “Edit” button and select “Enable”.
Now that the bucket encryption is enabled, we must make sure Open edX can properly use it. Under the hood, your instance will be using Boto3 to communicate with AWS S3.
You need to modify your settings to enable S3 encryption. You’ll have to change both your /edx/etc/lms.yml and /edx/etc/studio.yml to use the following settings.
AWS_S3_ENCRYPTION: true
AWS_S3_REGION_NAME: 'us-east-1'
AWS_S3_SIGNATURE_VERSION: 's3v4'
DEFAULT_FILE_STORAGE: 'storages.backends.s3boto3.S3Boto3Storage'
While REGION_NAME and SIGNATURE_VERSION aren’t strictly required, they are big sources of issues when running this setup. If you encounter permission issues, make sure these are correct in your settings.
Next, ensure your bucket name is correct. If you decide to use a different bucket for course exports, make sure to enable encryption on AWS for this as well.
IMPORT_EXPORT_BUCKET: 'opencraft-example-bucket'
Again, these settings need to be applied to both lms.yml and studio.yml.
GRADES_DOWNLOAD:
    BUCKET: 'opencraft-example-bucket'
    ROOT_PATH: 'reports/grade'
    STORAGE_CLASS: 'storages.backends.s3boto3.S3Boto3Storage'
    STORAGE_KWARGS:
        default_acl: 'public-read'
        location: 'grades-download'
    STORAGE_TYPE: 's3'
If you get the above error message after migrating from the local filesystem storage, you’ll have to modify the location to remove the leading slash, for example:
VIDEO_TRANSCRIPTS_SETTINGS:
    DIRECTORY_PREFIX: video-transcripts/
    STORAGE_KWARGS:
        base_url: /media/
        location: media/ # Was /media/ before
After the setup is complete, you'll have to test the settings to ensure that everything works correctly. Obvious tests are course exports, grade report downloads, checking video transcripts, etc.
I would recommend that you use OpenCraft's Instance Test Checklist to make sure no functionality is broken.
This checklist was developed to ensure our instances are fully operational after release upgrades, large configuration changes, and similar events.
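Besides the functional tests, the encryption state itself can be checked against S3. The script below is an added example, not part of the original post or of Open edX: it reads the bucket's default-encryption rule and each object's ServerSideEncryption header through Boto3 and lists objects stored without SSE, because enabling default encryption on an existing bucket does not change objects that were already in it. The function names and sample responses are constructed for illustration; the bucket name is passed on the command line.

```python
"""Check an S3 bucket's default-encryption rule and per-object SSE status."""
import sys

# Constructed sample responses, shaped like Boto3's get_bucket_encryption / head_object.
SAMPLE_RULE = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_HEADS = {"grades-download/report.csv": {"ServerSideEncryption": "AES256"},
                "media/video-transcripts/old.srt": {"ContentLength": 512}}

def default_sse_algorithm(encryption_response):
    """Return the default SSE algorithm ('AES256' means SSE-S3), or None."""
    config = encryption_response.get("ServerSideEncryptionConfiguration", {})
    for rule in config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None

def unencrypted_keys(head_responses):
    """Given {key: head_object response}, return the keys stored without SSE."""
    return sorted(k for k, h in head_responses.items() if not h.get("ServerSideEncryption"))

def audit_bucket(bucket, limit=1000):
    """Query AWS (needs boto3 and credentials); inspect at most `limit` objects."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        algo = default_sse_algorithm(s3.get_bucket_encryption(Bucket=bucket))
    except ClientError as err:  # raised when the bucket has no default-encryption rule
        if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        algo = None
    heads = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", [])[: limit - len(heads)]:
            heads[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
        if len(heads) >= limit:
            break
    return algo, unencrypted_keys(heads)

if __name__ == "__main__":
    # With a bucket name, query AWS; without one, run on the constructed samples.
    algo, plain = (audit_bucket(sys.argv[1]) if len(sys.argv) > 1
                   else (default_sse_algorithm(SAMPLE_RULE), unencrypted_keys(SAMPLE_HEADS)))
    print(f"default encryption: {algo or 'NOT ENABLED'}")
    for key in plain:
        print(f"stored without SSE: {key}")
    sys.exit(1 if (algo is None or plain) else 0)
```

The script exits non-zero when the bucket has no default-encryption rule or when any inspected object lacks SSE, so it can be run as a post-deployment check.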
I hope this helps you get peace of mind, knowing your users' personally identifiable information is now safely encrypted on Amazon's servers.
If you’re serious about your Open edX instance’s security and would like an extra pair of eyes, you can reach out to us at OpenCraft to help maintain and/or secure your Open edX instance!