
Enabling server-side encryption (SSE-C)

Reviewed on 12 November 2024. Published on 30 May 2024.

Server-Side Encryption with Customer-provided keys (SSE-C) is an encryption method provided by Scaleway Object Storage to protect your data at rest. It allows you to supply your own encryption keys to encrypt data when it is uploaded, and to decrypt data when accessed.

Note

Currently, Scaleway does not support other server-side encryption methods, such as SSE-KMS or SSE-S3.

SSE-C overview

Managing SSE-C using the aws s3api command set requires three elements:

  • A 256-bit (32-byte) base64-encoded key
  • The base64-encoded 128-bit MD5 digest of the encryption key, according to RFC 6151
  • The encryption algorithm used to encrypt/decrypt your data. It must be AES256.

The encryption key and its digest are sent alongside the data to the cloud storage service. The data is then encrypted using the key provided during the write operation. Once the data has been copied, the encryption key is deleted. The digest of the key is saved with the object’s metadata, allowing the data to be decrypted when downloaded.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An Object Storage bucket
  • Installed and initialized the AWS CLI

Getting started with SSE-C

How to generate an encryption key and its digest

SSE-C requires a 256-bit (32-byte) base64-encoded key, and its MD5 digest. If you already have a compatible encryption key and digest, you can skip directly to the uploading and downloading objects with SSE-C section.

  1. In a terminal, run the following command to generate a random 32-byte key, and store it in a file named ssec.key:

    openssl rand -out ssec.key 32

  2. Run the following command to encode your key in base64, and store it in a shell variable:

    ENCRYPTION_KEY=$(cat ssec.key | base64)

  3. Run the following command to generate the base64-encoded 128-bit MD5 digest of your encryption key, and store it in a shell variable:

    KEY_DIGEST=$(openssl dgst -md5 -binary ssec.key | base64)

Important

If you lose the encryption key, you also lose the data encrypted with it, as you will not be able to perform GET operations on encrypted objects without the corresponding key.
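
The script below is an added example, not part of the original Scaleway page: it validates a key file and a stored key/digest pair before they are passed to aws s3api, catching a key of the wrong length or a digest that belongs to a different key. The function names ssec_params and ssec_pair_ok are hypothetical, and the sample key is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Scaleway's code). ssec_params and ssec_pair_ok are
# hypothetical helper names; the tools used are openssl, base64, wc and tr.

# Print the base64 key (line 1) and base64 MD5 digest (line 2) of a raw key
# file, refusing any file that is not exactly 32 bytes. This catches keys
# saved as hex or base64 text, or saved with a trailing newline.
ssec_params() {
    keyfile=$1
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 2; }
    size=$(wc -c < "$keyfile" | tr -d ' ')
    if [ "$size" -ne 32 ]; then
        echo "$keyfile is $size bytes, expected 32" >&2
        return 1
    fi
    base64 < "$keyfile" | tr -d '\n'; echo
    openssl dgst -md5 -binary "$keyfile" | base64 | tr -d '\n'; echo
}

# Check that a stored base64 key and base64 digest belong together: decode
# the key, recompute its MD5 and compare. The key only travels through
# pipes, so it is never written to disk.
ssec_pair_ok() {
    key_b64=$1
    digest_b64=$2
    len=$(printf '%s' "$key_b64" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    if [ "$len" -ne 32 ]; then
        echo "key decodes to $len bytes, expected 32" >&2
        return 1
    fi
    actual=$(printf '%s' "$key_b64" | base64 -d | openssl dgst -md5 -binary | base64 | tr -d '\n')
    if [ "$actual" != "$digest_b64" ]; then
        echo "digest does not match key" >&2
        return 1
    fi
}

# Constructed sample input: 32 bytes of 'A', for demonstration only. A real
# key comes from `openssl rand` as in step 1. umask 077 keeps the key file
# readable by its owner only.
demo_dir=$(mktemp -d)
(umask 077; head -c 32 /dev/zero | tr '\0' 'A' > "$demo_dir/ssec.key")
params=$(ssec_params "$demo_dir/ssec.key")
ENCRYPTION_KEY=$(printf '%s\n' "$params" | sed -n 1p)
KEY_DIGEST=$(printf '%s\n' "$params" | sed -n 2p)
ssec_pair_ok "$ENCRYPTION_KEY" "$KEY_DIGEST" && echo "SSE-C key and digest are consistent"
rm -rf "$demo_dir"
```
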

How to upload and download objects with SSE-C

  1. Run the command below to upload an object and encrypt it. Make sure to replace <your-bucket-name>, <your-object-key>, and <path/to/your/file> with the correct values.

    aws s3api put-object \
    --bucket <your-bucket-name> \
    --key <your-object-key> \
    --body <path/to/your/file> \
    --sse-customer-algorithm AES256 \
    --sse-customer-key "$ENCRYPTION_KEY" \
    --sse-customer-key-md5 "$KEY_DIGEST"

    Note

    The --sse-customer-algorithm argument is required, and only accepts AES256 as a value.

  2. (Optional) Run the command below to check that you cannot access your object without the encryption key and its digest. Make sure to replace <your-bucket-name> and <your-object-key> with the correct values.

    aws s3api head-object \
    --bucket <your-bucket-name> \
    --key <your-object-key>

    An error message similar to the following should display:

    An error occurred (400) when calling the HeadObject operation: Bad Request
  3. Run the command below to download the previously uploaded object and decrypt it. Make sure to replace <your-bucket-name>, <your-object-key>, and <path/to/destination/file> with the correct values.

    aws s3api get-object \
    --bucket <your-bucket-name> \
    --key <your-object-key> \
    <path/to/destination/file> \
    --sse-customer-algorithm AES256 \
    --sse-customer-key "$ENCRYPTION_KEY" \
    --sse-customer-key-md5 "$KEY_DIGEST"

    Your object is now located at the specified destination.

    Note

    You can store your keys in files and pass them as arguments using the format below:

    --sse-customer-key file://path/to/file \
    --sse-customer-key-md5 file://path/to/file

Using SSE-C with the ‘aws s3 cp’ command

The AWS S3 CLI allows you to easily manage SSE-C. You can use the aws s3 cp command to upload and download several encrypted files without having to manage base64 encoding or MD5 digest generation.

  1. In a terminal, run the following command to generate a random 32-byte key, and store it in a file named ssec.key:

    openssl rand -out ssec.key 32

  2. Run the command below to copy a local file to your Object Storage bucket. Make sure to replace the placeholders with the appropriate values.

    aws s3 cp <path/to/your/file> s3://<your-bucket-name>/<your-object-key> \
    --sse-c AES256 \
    --sse-c-key fileb://ssec.key

  3. Run the command below to download the file from your Object Storage bucket to your local file system. Make sure to replace the placeholders with the appropriate values.

    aws s3 cp s3://<your-bucket-name>/<your-object-key> <path/to/your/file> \
    --sse-c AES256 \
    --sse-c-key fileb://ssec.key

Note

Refer to the official AWS documentation for more information on the aws s3 cp command.
