Skip to content

[Feature Request] [AngularFireStorage] Download files with customer-supplied/managed encryption keys #2752

Closed
@ksilz

Description

@ksilz

Version info

Angular: 11.1.2

Firebase: 8.2.6

AngularFire: 6.1.4

Other (e.g. Ionic/Cordova, Node, browser, operating system): Safari 14.0.3 on macOS 11.2

How to reproduce these conditions

I asked about this on Stack Overflow but got no reply in four days. I created a companion request for FlutterFire.

My app stores files with Firebase Storage. I want to encrypt these files conveniently on the server. Firebase Storage uses Google Cloud Storage. And Google Cloud Storage offers two options for this: Customer-supplied encryption keys, where the app provides a key, and customer-managed encryption keys, where the app provides the name of the server-side “encryption service account” in Google cloud storage.

I think my Java back-end that creates my files would be fine: The Firebase Admin SDK uses the Java Cloud Storage library. And there Storage.BlobTargetOption has an encryptionKey() method for the customer-supplied encryption key, and a kmsKeyName() method for the customer-managed encryption keys.

But I don’t see how I can download files with customer-supplied/managed encryption keys in AngularFire. I can't specify a key or key name when creating the "bucket" to access a file (sorry, no link here). And I can't specify these when getting the file's download URL, either.

So I suggest as a feature that Firebase Storage in AngularFire supports both the customer-supplied & customer-managed encryption keys for Google Cloud Storage. As for the implementation of that feature, getting a download URL could be the place to specify either a customer-supplied encryption key or the name of a customer-managed encryption key.

Steps to set up and reproduce

  1. Create a file with the Firebase Admin SDK with either a customer-supplied encryption key or a customer-managed encryption key
  2. Request download URL for this encrypted file with AngularFire

Expected behavior

You can specify the customer-supplied encryption key or the name of a customer-managed encryption key when when getting the file's download URL.

Actual behavior

You cannot specify the customer-supplied encryption key or the name of a customer-managed encryption key when when getting the file's download URL.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions