Re-encrypt data under S3 bucket with different KMS key

cynepco3hahue · May 7, 2025, 1:30pm

What is the problem you are having with rclone?

We have a use case when we need to re-encrypt data under AWS S3 bucket with different aws:kms key. In general aws sync command provides functionallity to sync with the same bucket as src and dst, but when I am running rclone I have error message:

{"level":"error","msg":"Nothing to do as source and destination are the same","object":"S3 bucket ngartyomlukianov-dev-byok-a-36 path ngartyomlukianov_a_36","objectType":"*s3.Fs","source":"sync/sync.go:925","time":"2024-12-30T20:16:49.777879+00:00"}

Run the command 'rclone version' and share the full output of the command.

# rclone --version
rclone v1.67.0
- os/version: amazon 2 (64 bit)
- os/kernel: 3.10.0-1160.95.1.el7.x86_64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.22.4
- go/linking: static
- go/tags: none

Which cloud storage system are you using? (eg Google Drive)

AWS S3

The command you were trying to run (eg `rclone copy /tmp remote:tmp`)

/usr/local/bin/rclone copy \
> --metadata \
> --stats 60m \
> --stats-log-level ERROR \
> --log-level ERROR \
> --use-json-log \
> --retries 1 \
> --transfers 40 \
> --checkers 8 \
> --no-check-dest \
> --files-from /user_data/chunks/chunkaa \
> --s3-sse-kms-key-id <some_key> \
> remote:ngartyomlukianov-dev-byok-a-36/ngartyomlukianov_a_36 \
> remote:ngartyomlukianov-dev-byok-a-36/ngartyomlukianov_a_36

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

I am using env vars:

export AWS_EXECUTION_ENV="AWS_USER_AGENT APN/1.0 OwnBackup/1.0 Recover/1.0 SelfServedBYOK/1.0"
export RCLONE_CONFIG_REMOTE_TYPE='s3'
export RCLONE_S3_NO_CHECK_BUCKET=true
export RCLONE_S3_ACCESS_KEY_ID="<some_key>"
export RCLONE_S3_SECRET_ACCESS_KEY="<some_secret>"
export RCLONE_S3_REGION="eu-central-1"
export RCLONE_S3_PROVIDER='AWS'
export RCLONE_S3_SERVER_SIDE_ENCRYPTION="aws:kms"

A log from the command that you were trying to run with the `-vv` flag

{"level":"error","msg":"Nothing to do as source and destination are the same","object":"S3 bucket ngartyomlukianov-dev-byok-a-36 path ngartyomlukianov_a_36","objectType":"*s3.Fs","source":"sync/sync.go:925","time":"2024-12-30T20:16:49.777879+00:00"}
{"level":"error","msg":"\nTransferred:   \t          0 B / 0 B, -, 0 B/s, ETA -\nElapsed time:

I already created the similar topic but did not get any answer, it can be nice to get some clarification for the problem

asdffdsa · May 7, 2025, 1:34pm

first, should rclone selfupdate

then try creating two remotes
rclone copy remote01:ngartyomlukianov-dev-byok-a-36/ngartyomlukianov_a_36 remote02:ngartyomlukianov-dev-byok-a-36/ngartyomlukianov_a_36

cynepco3hahue · May 12, 2025, 2:25pm

Thanks for the answer. IIUC rclone selfupdate requires for update of rclone.
Will try approach with two remotes.

cynepco3hahue · May 13, 2025, 1:57pm

Thanks, it worked, closing the post.

asdffdsa · May 15, 2025, 4:16pm

welcome. glad it worked

system · June 14, 2025, 4:17pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.