FR: [storage] Download files with customer-supplied/managed encryption keys #4443

Open
ksilz opened this issue Feb 9, 2021 · 0 comments
ksilz commented Feb 9, 2021

[REQUIRED] Describe your environment

  • Operating System version: macOS 11.2
  • Browser version: Safari 14.0.3
  • Firebase SDK version: 8.2.6
  • Firebase Product: storage (auth, database, storage, etc)

[REQUIRED] Describe the problem

I asked about this on Stack Overflow but got no reply in four days. I created a companion request for FlutterFire and AngularFire. There I was told first to start a discussion here. And then I was asked to file an issue.

My app stores files with Firebase Storage. I want to encrypt these files conveniently on the server. Firebase Storage uses Google Cloud Storage. And Google Cloud Storage offers two options for this: customer-supplied encryption keys, where the app provides a key, and customer-managed encryption keys, where the app provides the name of the server-side “encryption service account” in Google Cloud Storage.

I think my Java back-end that creates my files would be fine: The Firebase Admin SDK uses the Java Cloud Storage library. And there Storage.BlobTargetOption has an encryptionKey() method for the customer-supplied encryption key, and a kmsKeyName() method for the customer-managed encryption keys.

But I don’t see how I can download files with customer-supplied/managed encryption keys in the Firebase JavaScript SDK. I can't specify a key or key name when creating the reference to the file. And I can't specify these when getting the file's download URL, either.

So I suggest as a feature that Firebase Storage in the Firebase JavaScript SDK supports both the customer-supplied & customer-managed encryption keys for Google Cloud Storage. As for the implementation of that feature, getting a download URL could be the place to specify either a customer-supplied encryption key or the name of a customer-managed encryption key.
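For context on the two key types in the request above, this added example (not code from the issue author or from the Firebase SDK) shows what a download needs at the Cloud Storage JSON API level: a customer-supplied key travels as three request headers, while a customer-managed (KMS) object needs no key from the caller. It assumes Node.js and a caller that already holds the object's metadata; `csekHeaders`, `planDownload` and the sample bucket, object and key are hypothetical, constructed values.

```javascript
// Added example; runs under Node.js. Not part of the Firebase SDK.
const { createHash, timingSafeEqual } = require('node:crypto');

// Build the three request headers Cloud Storage expects for a CSEK object.
function csekHeaders(keyBase64) {
  const key = Buffer.from(keyBase64, 'base64');
  // Buffer.from ignores malformed base64, so check length and the round trip.
  if (key.length !== 32 || key.toString('base64') !== keyBase64) {
    throw new Error('CSEK must be a standard-base64 encoded 32-byte AES-256 key');
  }
  return {
    'x-goog-encryption-algorithm': 'AES256',
    'x-goog-encryption-key': keyBase64,
    'x-goog-encryption-key-sha256': createHash('sha256').update(key).digest('base64'),
  };
}

// Decide how to fetch an object, given its JSON API metadata resource.
function planDownload(meta, keyBase64) {
  const url = 'https://storage.googleapis.com/storage/v1/b/' +
    encodeURIComponent(meta.bucket) + '/o/' + encodeURIComponent(meta.name) + '?alt=media';
  if (!meta.customerEncryption) {
    // Google-managed or CMEK (kmsKeyName set): decrypted server-side,
    // so the caller sends no key material at all.
    return { url, headers: {} };
  }
  if (!keyBase64) throw new Error('object is CSEK-encrypted; a key is required');
  const headers = csekHeaders(keyBase64);
  // Compare against the stored key hash before the raw key leaves this process.
  const want = Buffer.from(meta.customerEncryption.keySha256, 'base64');
  const have = Buffer.from(headers['x-goog-encryption-key-sha256'], 'base64');
  if (want.length !== have.length || !timingSafeEqual(want, have)) {
    throw new Error('held key does not match the key this object was encrypted with');
  }
  return { url, headers };
}

// Constructed sample data (not a real key, bucket or object).
const sampleKey = Buffer.alloc(32, 7).toString('base64');
const sampleMeta = {
  bucket: 'example-bucket',
  name: 'reports/2021 q1.pdf',
  customerEncryption: {
    encryptionAlgorithm: 'AES256',
    keySha256: createHash('sha256').update(Buffer.alloc(32, 7)).digest('base64'),
  },
};
console.log(planDownload(sampleMeta, sampleKey).url);
```

With a customer-supplied key the raw AES-256 key is sent on every request, so any client that downloads the object must hold that key.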
