Encryption
Overview
All data stored on our object storage is encrypted at rest using AES256.
Additionally, you have the option to use server side encryption (SSE) or server side encryption with customer-provided keys (SSE-C).
Server side encryption
Server side encryption gives you the possibility to encrypt objects during the upload. When you issue an S3 request to store an object, the storage backend automatically encrypts the object with a unique key. The encryption keys are managed by the storage backend.
To encrypt an object with a unique key during upload you can use the following header:
x-amz-server-side-encryption
SSE is supported for the following operations:
- PUT Object
- PUT Object - Copy
- Initiate Multipart Upload
Server side encryption with customer-provided keys
SSE-C provides the possibility to encrypt an object using a unique key managed by yourself.
To use SSE-C you need to use the following headers:
- x-amz-server-side-encryption-customer-algorithm - Encryption algorithm. Value must be AES256.
- x-amz-server-side-encryption-customer-key - Encryption key which is used to encrypt or decrypt the object. Must be 256 bit and base64 encoded.
- x-amz-server-side-encryption-customer-key-md5 - MD5 digest of your encryption key to ensure your encryption key was transmitted correctly. Must be 128 bit and base64 encoded.
SSE-C is supported for the following operations:
- GET Object
- PUT Object
- PUT Object - Copy
- HEAD Object
- Initiate Multipart Upload
- Upload Part
- Upload Part - Copy
When using SSE-C, be aware that the ETag is not the MD5 sum of the object data.
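The following is an added example (not part of this page or the storage backend's own code) that builds the three SSE-C headers from a raw 256-bit key and re-runs the key-MD5 consistency check the backend performs on arrival; the header names and value formats are the ones listed above, and the demo key is constructed for illustration:

```python
import base64
import binascii
import hashlib
import os

ALGO_HDR = "x-amz-server-side-encryption-customer-algorithm"
KEY_HDR = "x-amz-server-side-encryption-customer-key"
MD5_HDR = "x-amz-server-side-encryption-customer-key-md5"


def sse_c_headers(raw_key: bytes) -> dict:
    """Build the three SSE-C request headers from a raw 256-bit key.

    The key is sent base64-encoded; the MD5 checksum is taken over the raw
    key bytes (not over the base64 text) and is itself base64-encoded.
    """
    if len(raw_key) != 32:
        raise ValueError("SSE-C key must be exactly 256 bits (32 bytes)")
    key_md5 = hashlib.md5(raw_key).digest()  # 128-bit transport checksum
    return {
        ALGO_HDR: "AES256",
        KEY_HDR: base64.b64encode(raw_key).decode("ascii"),
        MD5_HDR: base64.b64encode(key_md5).decode("ascii"),
    }


def check_key_md5(headers: dict) -> bool:
    """Decode the key header, hash it and compare with the key-md5 header.

    False means the key was corrupted or altered in transit; a backend
    rejects such a request instead of encrypting with a wrong key.
    """
    try:
        raw_key = base64.b64decode(headers[KEY_HDR], validate=True)
        sent_md5 = base64.b64decode(headers[MD5_HDR], validate=True)
    except (KeyError, binascii.Error):
        return False
    if len(raw_key) != 32 or len(sent_md5) != 16:
        return False
    return hashlib.md5(raw_key).digest() == sent_md5


if __name__ == "__main__":
    # Fresh random key; keep it in your own key store, since the backend
    # never persists SSE-C keys and cannot decrypt the object without it.
    key = os.urandom(32)
    hdrs = sse_c_headers(key)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print("key-md5 consistent:", check_key_md5(hdrs))
```

The same three values are what S3 client libraries send when you pass a customer key; losing the key means the object can no longer be read, because the backend only holds the ciphertext.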
Examples:
Server side encryption
To upload an object using s3cmd and encrypt it automatically using a key managed by the storage backend, specify the "--server-side-encryption" option on the upload:
s3cmd put ./my-encrypted-object s3://directory1 --server-side-encryption
If you always want to use server side encryption you can simply add the following line to ~/.s3cfg:
server_side_encryption = true