Comment 4 for bug 1607116

Reviewed: https://review.openstack.org/619127
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=8e95a93858dc215e2d2f7d48e035e6b5f1ab582a
Submitter: Zuul
Branch: master

commit 8e95a93858dc215e2d2f7d48e035e6b5f1ab582a
Author: Tim Burke <email address hidden>
Date: Tue Nov 20 17:21:04 2018 -0800

    s3api: Allow some forms of server-side-encryption

    ...if and only if encryption is enabled. A few things to note about server-side
    encryption:

    - We register whether encryption is present and enabled when the proxy server
      starts up.
    - This is generally considered an operator feature, not a user-facing one. S3
      API users can now learn more about how your cluster is set up than they
      previously could.
    - If encryption is enabled but there are no keymasters in the pipeline, all
      writes will fail with "Unable to retrieve encryption keys."
    - There's still a 'swift.crypto.override' env key that keymasters can set to
      skip encryption, so this isn't a full guarantee that things will be
      encrypted. On the other hand, none of the keymasters in Swift ever set that
      override.

    Note that this *does not* start including x-amz-server-side-encryption
    headers in the response, neither during PUT nor GET. We should only
    send that when we know for sure that the data on disk was encrypted.

    Change-Id: I4c20bca7fedb839628f1b2f8611807631b8bf430
    Related-Bug: 1607116
    Related-Change: Icf28dc57e589f9be20937947095800d7ce57b2f7