@wburningham for the 2nd requirement, could Athens encrypt before sending to S3 and decrypt in-memory after receiving data?

Also, do you have code that you can share from your own proxy app? We can use that and work together to submit a PR back to Athens if you'd like

The code that I had from my own app was already in it's own package so I just submitted a PR with what it could look like.

I think this is a perfect use case for #1353

Maybe it's worth revisiting so that we don't inflate our backend implementations.

Admittedly, encrypting/decrypting modules within the Athens codebase sounds pretty damn cool ;)

But I worry about the following:

If we were to claim Athens has encryption within its codebase, then people will trust it and cryptographers will put it under scrutiny.

None of the maintainers (AFAIK), are cryptography experts to maintain and develop proper encryption. Therefore, we would need a cryptography champion who is actively developing and maintaining this backend implementation if we are to have Athens claim e2e support :)

I think this is a perfect use case for #1353

As it happens, I was just commenting on an unrelated issue (#1511 (comment)) where the author could use something like #1353. Maybe it's time 😄

If we do any of this encryption work, I'm all for putting a big disclaimer that we're not experts, until we get someone to audit and/or champion the implementation. Would you be ok with that @marwan-at-work ?

@arschles ideally I'd go for 1353 first, it would also help keep the Athens code base smaller and easier to maintainer since we already have a big number of implementations. I definitely don't wanna block anyone tho in case this is absolutely needed 👍

Agreed on #1353. Looks like that PR hasn't had any activity for a while, so I'm gonna open a new draft with a simple implementation and we can start there.