Description
Version info
Angular: 11.1.2
Firebase: 8.2.6
AngularFire: 6.1.4
Other (e.g. Ionic/Cordova, Node, browser, operating system): Safari 14.0.3 on macOS 11.2
How to reproduce these conditions
I asked about this on Stack Overflow but got no reply in four days. I created a companion request for FlutterFire.
My app stores files with Firebase Storage. I want to encrypt these files conveniently on the server. Firebase Storage uses Google Cloud Storage. And Google Cloud Storage offers two options for this: Customer-supplied encryption keys, where the app provides a key, and customer-managed encryption keys, where the app provides the name of the server-side “encryption service account” in Google cloud storage.
I think my Java back-end that creates my files would be fine: The Firebase Admin SDK uses the Java Cloud Storage library. And there Storage.BlobTargetOption has an encryptionKey()
method for the customer-supplied encryption key, and a kmsKeyName()
method for the customer-managed encryption keys.
But I don’t see how I can download files with customer-supplied/managed encryption keys in AngularFire. I can't specify a key or key name when creating the "bucket" to access a file (sorry, no link here). And I can't specify these when getting the file's download URL, either.
So I suggest as a feature that Firebase Storage in AngularFire supports both the customer-supplied & customer-managed encryption keys for Google Cloud Storage. As for the implementation of that feature, getting a download URL could be the place to specify either a customer-supplied encryption key or the name of a customer-managed encryption key.
Steps to set up and reproduce
- Create a file with the Firebase Admin SDK with either a customer-supplied encryption key or a customer-managed encryption key
- Request download URL for this encrypted file with AngularFire
Expected behavior
You can specify the customer-supplied encryption key or the name of a customer-managed encryption key when when getting the file's download URL.
Actual behavior
You cannot specify the customer-supplied encryption key or the name of a customer-managed encryption key when when getting the file's download URL.