
Encryption

All data stored on our object storage are encrypted at rest using AES256.

Additionally, you have the option to use server side encryption (SSE) or server side encryption with customer-provided keys (SSE-C).

Server side encryption gives you the possibility to encrypt objects during the upload. When you issue an S3 request to store an object, the storage backend automatically encrypts the object with a unique key. The encryption keys are managed by the storage backend.

To encrypt an object with a unique key during upload you can use the following header:

x-amz-server-side-encryption

SSE is supported for the following operations:

  • PUT Object
  • PUT Object - Copy
  • Initiate Multipart Upload

SSE-C provides the possibility to encrypt an object using a unique key managed by yourself.

To use SSE-C you need to use the following headers:

  • x-amz-server-side-encryption-customer-algorithm
    • Encryption algorithm. Value must be AES256.
  • x-amz-server-side-encryption-customer-key
    • Encryption key that will be used to encrypt or decrypt the object. Must be 256 bit and base64 encoded.
  • x-amz-server-side-encryption-customer-key-MD5
    • MD5 digest of your encryption key to ensure your encryption key was transmitted correctly. Must be 128 bit and base64 encoded.
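
The three SSE-C headers above, built and sanity-checked in Python as an added example (not part of the original documentation). It assumes the digest header carries the standard S3 name x-amz-server-side-encryption-customer-key-MD5; the helper names ssec_headers, check_ssec_headers and key_id are hypothetical, and the key is a sample generated locally.

```python
import base64
import hashlib
import hmac
import secrets

PREFIX = "x-amz-server-side-encryption-customer-"

def ssec_headers(key: bytes) -> dict:
    """Build the three SSE-C headers from a raw 256-bit key."""
    if len(key) != 32:
        raise ValueError("SSE-C key must be exactly 32 bytes (256 bit)")
    digest = hashlib.md5(key).digest()  # MD5 of the raw key bytes, not of the base64 text
    return {
        PREFIX + "algorithm": "AES256",
        PREFIX + "key": base64.b64encode(key).decode("ascii"),
        PREFIX + "key-MD5": base64.b64encode(digest).decode("ascii"),
    }

def _b64(value):
    """Strictly decode base64; return None if the value is not valid base64."""
    try:
        return base64.b64decode(value or "", validate=True)
    except ValueError:
        return None

def check_ssec_headers(headers: dict) -> list:
    """Return the problems found in a header set (empty list = consistent)."""
    problems = []
    if headers.get(PREFIX + "algorithm") != "AES256":
        problems.append("algorithm must be AES256")
    key = _b64(headers.get(PREFIX + "key"))
    md5 = _b64(headers.get(PREFIX + "key-MD5"))
    if key is None or len(key) != 32:
        problems.append("key must be base64 of exactly 32 bytes")
    if md5 is None or len(md5) != 16:
        problems.append("key-MD5 must be base64 of exactly 16 bytes")
    elif key is not None and not hmac.compare_digest(md5, hashlib.md5(key).digest()):
        problems.append("key-MD5 does not match key")
    return problems

def key_id(key: bytes) -> str:
    """Non-secret label for a key-to-object mapping (SHA-256 prefix, never the key)."""
    return hashlib.sha256(key).hexdigest()[:16]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key
    headers = ssec_headers(key)
    print(check_ssec_headers(headers))
    print({"object": "s3://directory1/my-encrypted-object", "key_id": key_id(key)})
```

A digest computed over the base64 text of the key, or sent hex encoded, is reported by check_ssec_headers before the request is ever made.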

SSE-C is supported for the following operations:

  • GET Object
  • PUT Object
  • PUT Object - Copy
  • HEAD Object
  • Initiate Multipart Upload
  • Upload Part
  • Upload Part - Copy

When using SSE-C, please be aware that the ETag is not the MD5 sum of the object data.

Important: Customer-provided keys also means that YOU are responsible for managing the keys!
This includes:

  • You must track the mapping between keys and objects by yourself.
  • If versioning is enabled, it is recommended to use a unique key for each version. You must manage the mapping between object versions and keys by yourself.
  • The keys must be rotated by yourself.

WE DO NOT STORE THE KEY ON OUR SYSTEM. IF YOU LOSE THE KEY, YOU WILL LOSE YOUR OBJECT!

To upload an object using s3cmd and encrypt it automatically using a key managed by the storage backend, specify the “--server-side-encryption” option on the upload:

s3cmd put ./my-encrypted-object s3://directory1 --server-side-encryption

If you always want to use server side encryption you can simply add the following line to ~/.s3cfg:

server_side_encryption = true

Note: The gpg package is mandatory to use SSE-C with s3cmd.

Configure encryption keys using the configuration wizard:

Specify an encryption password and provide the path to gpg:

Encryption password is used to protect your files from reading
by unauthorized persons while in transfer to S3
Encryption password: enter-your-encryption-key-here
Path to GPG program [/usr/bin/gpg]:

Manually specifying the key in the config file:

Add the following lines to your s3cmd config file (Default: ~/.s3cfg).
The first line contains the path to gpg, the default is /usr/bin/gpg.
Enter the encryption key you want to use into the line starting with gpg_passphrase.

gpg_command = /usr/bin/gpg
gpg_decrypt = %(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_encrypt = %(gpg_command)s -c --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_passphrase = enter-your-encryption-key-here

Encrypt an Object during Upload using the key specified during configuration

Once you have configured s3cmd for SSE-C usage, you can specify the “-e” option on all supported operations, for example when putting an object into a bucket and encrypting it with the provided key:

s3cmd -e put ./my-encrypted-object s3://directory1

To check if the encryption worked correctly, you can temporarily remove the passphrase from your configuration and try to read the file.

  1. Remove the gpg_passphrase from ~/.s3cfg.
  2. Try to GET the object:
    s3cmd get s3://directory1/my-encrypted-object ./my-encrypted-object-download
  3. Check the file type using file:
    file my-encrypted-object
    The output should look like this:
    my-encrypted-object: GPG symmetrically encrypted data (AES256 cipher)
  4. Try to read the file using cat:
    cat my-encrypted-object

If the output looks similar to this, your object is encrypted:

� �Q�)�+�W��N���C�g��]4�$t�y��Vg:Gh6Y�K�r��W���#}�.e#y�#��+��m��J�Q����p0W���

  5. Put your passphrase back into ~/.s3cfg.
  6. GET the object again:
    s3cmd get s3://directory1/my-encrypted-object ./my-decrypted-object
    With the passphrase back in place, the file will be automatically decrypted during the GET operation.
  7. Check the file type using file:
    file my-decrypted-object
    The output should look like this:
    my-decrypted-object: ASCII text
  8. Try to read the file using cat:
    cat my-decrypted-object

If the output looks similar to this, your object was automatically decrypted on the GET operation:

hallo