Server-side encryption with user keys (SSE-C)
Server-side encryption (SSE) is the simplest data encryption option. All computationally intensive encryption operations are performed on the server side. The client sends unencrypted data to Atman Object Storage, which encrypts it before storing it.
When the data is read, Atman Object Storage reads the encrypted data, decrypts it on the server side and then sends the unencrypted data to you over the network (over HTTPS). This process is transparent to end users.
Atman Object Storage supports server-side encryption with client-supplied keys according to the Amazon SSE-C specification. In this configuration, the S3 client transmits the encryption key with each request that reads or writes encrypted data. Key management is the responsibility of the client: because the key is supplied with every request, the client must remember which key each object was encrypted with.
Required HTTP headers
| Header | Description |
|---|---|
| x-amz-server-side-encryption-customer-algorithm | Specifies the encryption algorithm. Value: AES256 |
| x-amz-server-side-encryption-customer-key | 256-bit encryption key, base64-encoded |
| x-amz-server-side-encryption-customer-key-MD5 | base64-encoded 128-bit MD5 digest of the encryption key |
Example (awscli)
General form of the command:
aws s3 cp <file to copy> s3://<destination location> --sse-c-key <client key> --sse-c AES256 --profile <awscli profile> --endpoint <S3 endpoint>
Example of use:
aws s3 cp file s3://bucket/file --sse-c-key aikua1EiTeu4oce5jipahjuipugionge --sse-c AES256 --profile awscli-profile --endpoint <S3 endpoint>
Example (awscli, key from a binary file)
Key generation (writes 32 random bytes, i.e. a 256-bit key, to sse.key):
openssl rand 32 > sse.key
Command using the key file (the fileb:// prefix makes awscli read the key as raw bytes):
aws s3 cp file s3://bucket/file --sse-c-key fileb://sse.key --sse-c AES256 --profile awscli-profile --endpoint <S3 endpoint>
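As an added example (not Atman's or awscli's own code), the following Python builds and validates the three SSE-C headers from the table above for a raw 32-byte key such as the one `openssl rand 32` writes; awscli performs the same base64 and MD5 encoding itself when given `--sse-c-key`. The `SAMPLE_KEY` value is a constructed placeholder, not a key to use.

```python
import base64
import hashlib
import hmac
import secrets

SSE_C_ALGORITHM = "AES256"
KEY_LEN = 32  # SSE-C requires a 256-bit AES key

# Constructed sample key for the demonstration only; it stands in for the
# bytes that `openssl rand 32 > sse.key` would produce.
SAMPLE_KEY = bytes(range(KEY_LEN))


def generate_key() -> bytes:
    """Return a fresh 256-bit key from the OS CSPRNG (same role as openssl rand 32)."""
    return secrets.token_bytes(KEY_LEN)


def sse_c_headers(key: bytes) -> dict:
    """Build the three SSE-C request headers from a raw key.

    Rejects keys of the wrong length up front: a short or long key is
    refused by the service anyway, and a truncated key file is a common
    cause of 'key mismatch' errors when reading an object back.
    """
    if len(key) != KEY_LEN:
        raise ValueError(f"SSE-C key must be {KEY_LEN} bytes, got {len(key)}")
    key_b64 = base64.b64encode(key).decode("ascii")
    md5_b64 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    return {
        "x-amz-server-side-encryption-customer-algorithm": SSE_C_ALGORITHM,
        "x-amz-server-side-encryption-customer-key": key_b64,
        "x-amz-server-side-encryption-customer-key-MD5": md5_b64,
    }


def key_matches_fingerprint(key: bytes, md5_b64: str) -> bool:
    """Check a candidate key against the key-MD5 value recorded for an object.

    Because the client must remember which key each object was written with,
    the key-MD5 header value (which does not reveal the key) is a practical
    label to store next to the object name in the client's key inventory.
    """
    expected = base64.b64decode(md5_b64)
    return hmac.compare_digest(hashlib.md5(key).digest(), expected)


if __name__ == "__main__":
    for name, value in sse_c_headers(SAMPLE_KEY).items():
        print(f"{name}: {value}")
```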