Fsa clientside encryption

[fasar]

This PR implements client-side encryption for backup files in Medusa, addressing issue #892.

This feature allows users to encrypt data before uploading to storage backends (S3, Azure, GCS, MinIO, IBM Cloud Object Storage), ensuring that backups are protected independently of the backend's encryption capabilities.

I didn't add any dependencies. I was helped a lot by AI tools. :-D
This implementation uses a temporary directory to encrypt files on the local disk before sending them.

This could be improved by using the AWS Encryption SDK, but my Python skills are not sufficient to handle encryption and MD5 calculation on the fly.
Additionally, adding the AWS Encryption SDK would require updating the project dependencies.

[github-actions]

No linked issues found. Please add the corresponding issues in the pull request description.
Use GitHub automation to close the issue when a PR is merged

[Copilot]

Pull request overview

This PR implements client-side encryption (CSE) for Medusa backup files, addressing issue #892. It allows users to encrypt backup data before uploading to storage backends (S3, Azure, GCS, MinIO, IBM Cloud Object Storage) using Fernet symmetric encryption.

Changes:

• Adds encryption/decryption functionality using the cryptography library's Fernet implementation
• Extends ManifestObject to include source_size and source_MD5 fields for tracking original file metadata
• Implements encrypted upload/download flows in abstract_storage.py
• Adds support for differential backups with encryption by comparing source metadata
• Includes comprehensive test coverage and documentation

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 17 comments.

Show a summary per file

File	Description
medusa/storage/encryption.py	New module implementing EncryptionManager for file encryption/decryption using Fernet
medusa/storage/abstract_storage.py	Adds encrypted upload/download methods, extends ManifestObject with source metadata fields
medusa/backup_node.py	Updates differential backup logic to handle encrypted files using source metadata
medusa/storage/init.py	Adds get_files_from_all_differential_backups method for manifest aggregation
medusa/storage/azure_storage.py	Updates import to use ManifestObject from abstract_storage
medusa/verify.py	Adds fallback blob fetching for differential backup verification
medusa/config.py	Adds key_secret_base64 and encryption_tmp_dir configuration parameters
tests/storage/*.py	Comprehensive unit tests for encryption, encrypted storage operations, and manifest aggregation
tests/backup_node_test.py	Adds test for url_to_path function
tests/resources/config/*_cse.ini	Test configuration files for encrypted storage providers
tests/integration/features/integration_tests.feature	Adds CSE variants to integration test scenarios
docs/client_side_encryption.md	New comprehensive documentation for client-side encryption feature
docs/Configuration.md	Documents new encryption configuration parameters
medusa-example.ini	Adds encryption configuration examples

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate failed

Failed conditions
2 Security Hotspots

See analysis details on SonarQube Cloud

[fasar]

Ok, I corrected all tests.
I do not know what to do with these 3 failing checks.
Does some one can help me ?