
Use SSE-C in Object Storage with the Secrets Manager

First, create a secure random key and its corresponding MD5 hash (Object Storage uses the MD5 as an integrity check that the key arrived intact), and then store both values in the Secrets Manager.
Open a terminal and run the following commands. The commands generate the values and write them directly to the Secrets Manager.

```bash
# 1. Generate a 32-byte (256-bit) random key and base64-encode it
KEY_B64=$(openssl rand 32 | base64)
# 2. Generate the MD5 hash of the RAW key and base64-encode that hash
KEY_MD5_B64=$(echo -n "$KEY_B64" | base64 --decode | openssl dgst -md5 -binary | base64)
# 3. Display the keys
echo "Base64 Key: $KEY_B64"
echo "Base64 MD5: $KEY_MD5_B64"
```

Install the requirements for the Python script


To install the required dependencies, create a file named requirements.txt in your project’s root directory and add the following lines:

```text
boto3
hvac
```

Then, run the following command in your terminal:

```bash
pip install -r requirements.txt
```

Save the Python code provided in this tutorial to a file on your local machine. For example, name the file `ssec_secrets_manager_example.py`.

Next, configure the script to match your environment.

Open the `ssec_secrets_manager_example.py` file in a text editor and update the configuration variables at the top of the file. Make sure the following values are set correctly:

```python
# --- CONFIGURATION ---
# Please change the following values to match your setup
S3_ENDPOINT_URL = "https://object.storage.eu01.onstackit.cloud"
S3_BUCKET_NAME = ""
# This is the name of the file in the object storage.
OBJECT_KEY = "my-secret-object.txt"
# This is the name of the local file that will be created and uploaded in this example.
FILE_TO_UPLOAD = "secret-upload.txt"
# This is the name of the local file where the downloaded content will be saved.
DOWNLOAD_FILE_PATH = "secret-download.txt"
# Secrets Manager configuration
VAULT_ADDR = "https://prod.sm.eu01.stackit.cloud"
VAULT_MOUNT_POINT = ""
VAULT_SECRET_PATH = ""
```
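The following is an added example, not the tutorial's own script, showing the core of what that script has to do: derive the key/MD5 pair exactly as the openssl commands above do, check a pair read from the Secrets Manager for consistency before using it, and pass it to boto3's `put_object`/`get_object` as SSE-C parameters. It assumes the secret is a KV v2 entry with fields named `key_b64` and `key_md5_b64`, that the Secrets Manager accepts a userpass login through hvac, and placeholder bucket, mount-point and path values; none of those names come from the tutorial.

```python
import base64
import hashlib
import secrets

# Assumed field names inside the KV v2 secret (an assumption, not from the tutorial).
KEY_FIELD, MD5_FIELD = "key_b64", "key_md5_b64"

def generate_ssec_key() -> tuple[str, str]:
    """Same values as the openssl commands: base64(raw key), base64(md5(raw key))."""
    raw = secrets.token_bytes(32)  # 256-bit key, required for SSECustomerAlgorithm=AES256
    return base64.b64encode(raw).decode(), base64.b64encode(hashlib.md5(raw).digest()).decode()

def ssec_params(key_b64: str, key_md5_b64: str) -> dict:
    """boto3 keyword arguments for an SSE-C request, after checking that the stored
    key/MD5 pair is consistent. The service rejects an inconsistent pair with an
    InvalidRequest error, so failing locally with a clear message is preferable."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"SSE-C key must be 32 bytes, got {len(raw)}")
    if base64.b64encode(hashlib.md5(raw).digest()).decode() != key_md5_b64:
        raise ValueError("stored MD5 does not match stored key; secret is inconsistent")
    return {"SSECustomerAlgorithm": "AES256",
            "SSECustomerKey": key_b64,
            "SSECustomerKeyMD5": key_md5_b64}

def load_key(vault, mount_point: str, path: str) -> tuple[str, str]:
    """Read the key pair from a KV v2 secret (assumed engine type) via an hvac client."""
    data = vault.secrets.kv.v2.read_secret_version(path=path, mount_point=mount_point)["data"]["data"]
    return data[KEY_FIELD], data[MD5_FIELD]

def upload_encrypted(s3, bucket: str, key: str, body: bytes, key_b64: str, key_md5_b64: str):
    """put_object with SSE-C: the service encrypts the body with our key and keeps only the MD5."""
    return s3.put_object(Bucket=bucket, Key=key, Body=body, **ssec_params(key_b64, key_md5_b64))

def download_encrypted(s3, bucket: str, key: str, key_b64: str, key_md5_b64: str) -> bytes:
    """get_object must send the same key again; without it the request is refused."""
    resp = s3.get_object(Bucket=bucket, Key=key, **ssec_params(key_b64, key_md5_b64))
    return resp["Body"].read()

if __name__ == "__main__":  # real clients, wired up as the tutorial's configuration describes
    import os, boto3, hvac
    vault = hvac.Client(url="https://prod.sm.eu01.stackit.cloud")
    vault.auth.userpass.login(username=os.environ["VAULT_USERNAME"], password=os.environ["VAULT_PASSWORD"])
    key_b64, key_md5_b64 = load_key(vault, "VAULT_MOUNT_POINT", "VAULT_SECRET_PATH")  # placeholders
    s3 = boto3.client("s3", endpoint_url="https://object.storage.eu01.onstackit.cloud")
    upload_encrypted(s3, "S3_BUCKET_NAME", "my-secret-object.txt", b"hello", key_b64, key_md5_b64)
    print(download_encrypted(s3, "S3_BUCKET_NAME", "my-secret-object.txt", key_b64, key_md5_b64))
```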

Set environment variables

Next, export the following environment variables in your terminal. The script uses them to securely access your credentials without hardcoding sensitive values. Replace the placeholders with your actual credentials.

```bash
# For Secrets Manager
export VAULT_USERNAME="secret-manager-username"
export VAULT_PASSWORD="secret-manager-password"
# For Object Storage, or save it in (e.g., ~/.aws/credentials)
export AWS_ACCESS_KEY_ID="YOUR_S3_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="YOUR_S3_SECRET_KEY"
```

With the configuration complete, run the script:

```bash
python ssec_secrets_manager_example.py
```

After the script finishes, verify its actions in two places:

  • Local folder: Two identical files should be present:
    • secret-upload.txt: The original file created and uploaded by the script.
    • secret-download.txt: The decrypted copy downloaded from Object Storage.
  • Object Storage bucket: The encrypted object (my-secret-object.txt) is now stored in your bucket. Confirm this with the AWS CLI:

    ```bash
    aws s3 ls s3:/// --endpoint-url
    ```

To prove that the object is encrypted and cannot be read without the key, try downloading it with standard AWS CLI commands.
These attempts will fail, demonstrating the effectiveness of SSE-C.

1. Attempt with aws s3 cp (Will fail)

The high-level s3 cp command does not support the required SSE-C headers.

```bash
# This command will fail
aws s3 cp s3:///my-secret-object.txt ./download-fail-1.txt --endpoint-url
```

Expected error:

```text
An error occurred (400) when calling the HeadObject operation: Bad Request.
```

2. Attempt with aws s3api get-object without keys (Will fail)


The low-level s3api command will also fail if you don’t provide the encryption key.

```bash
# This command will fail
aws s3api get-object --bucket --key my-secret-object.txt ./download-fail-2.txt --endpoint-url
```

Expected error:

```text
An error occurred (InvalidRequest) when calling the GetObject operation: The object was stored using a form of Server Side Encryption. The correct parameters must be provided to retrieve the object.
```

3. Download correctly with aws s3api get-object and keys (Will succeed)


To download the file successfully with the AWS CLI, you must provide the same key and MD5 hash that were used in the Python script.

First, export the values as environment variables:

```bash
export KEY_B64="YOUR-B64-KEY"
export KEY_MD5_B64="YOUR-MD5-B64-KEY"
```

Next, run the `get-object` command with the required SSE-C parameters:

```bash
# This command will succeed
aws s3api get-object \
  --bucket \
  --key my-secret-object.txt \
  --sse-customer-algorithm AES256 \
  --sse-customer-key "$KEY_B64" \
  --sse-customer-key-md5 "$KEY_MD5_B64" \
  --endpoint-url \
  ./download-success.txt
```

This command downloads and decrypts the object, proving that access is only granted when the correct encryption key is provided.