Using server-side encryption

Server-side encryption allows you to protect your object data at rest. StorageGRID encrypts the data as it writes the object and decrypts the data when you access the object.

If you want to use server-side encryption, you can choose either of two mutually exclusive options, based on how the encryption keys are managed: SSE, where StorageGRID manages the keys, or SSE-C, where you provide and manage the keys yourself.

Using SSE

To encrypt an object with a unique key managed by StorageGRID, you use the following request header:

x-amz-server-side-encryption

The SSE request header is supported by the following object operations:
  • PUT Object
  • PUT Object - Copy
  • Initiate Multipart Upload

Using SSE-C

To encrypt an object with a unique key that you manage, you use three request headers:
  • x-amz-server-side-encryption-customer-algorithm: Specifies the encryption algorithm. The header value must be AES256.
  • x-amz-server-side-encryption-customer-key: Specifies the encryption key used to encrypt or decrypt the object. The value must be a 256-bit key, base64-encoded.
  • x-amz-server-side-encryption-customer-key-MD5: Specifies the MD5 digest of the encryption key, computed according to RFC 1321, which is used to ensure the key was transmitted without error. The value must be the 128-bit digest, base64-encoded.
The SSE-C request headers are supported by the following object operations:
  • GET Object
  • HEAD Object
  • PUT Object
  • PUT Object - Copy
  • Initiate Multipart Upload
  • Upload Part
  • Upload Part - Copy
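As an added illustration (not part of the StorageGRID documentation and not StorageGRID's own code), the following Python builds the three SSE-C headers for a caller-managed 256-bit key, then checks a request the way a receiving side has to before it uses the key at all: https only, algorithm AES256, a base64 key that decodes to exactly 32 bytes, and a key-MD5 digest that matches the key (the transmission-error check the third header exists for). The header names and value formats are the ones listed above and the https-only rule comes from the considerations that follow; the URL, the demo key and the check functions (`check_sse_c_request`, `rejection_reason`) are constructed here and are assumptions, not StorageGRID behaviour.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Header names exactly as the StorageGRID SSE-C documentation lists them.
H_ALGO = "x-amz-server-side-encryption-customer-algorithm"
H_KEY = "x-amz-server-side-encryption-customer-key"
H_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def sse_c_headers(key: bytes) -> dict:
    """Client side: build the three SSE-C headers for a 256-bit key you manage."""
    if len(key) != 32:
        raise ValueError("SSE-C key must be exactly 256 bits (32 bytes)")
    return {
        H_ALGO: "AES256",
        H_KEY: base64.b64encode(key).decode("ascii"),
        # RFC 1321 MD5 of the raw key, base64-encoded: a transmission check, not a MAC.
        H_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def _b64_strict(value: str, expected_len: int) -> bytes:
    """Strict base64 decode that also enforces the decoded length."""
    raw = base64.b64decode(value, validate=True)  # binascii.Error on malformed input
    if len(raw) != expected_len:
        raise ValueError(f"decoded length {len(raw)}, expected {expected_len} bytes")
    return raw


def check_sse_c_request(url: str, headers: dict) -> bytes:
    """Receiving side (assumed logic, not StorageGRID code): validate an SSE-C
    request before the key is used. Returns the raw key or raises ValueError."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("SSE-C requires https; request rejected")
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    if h.get(H_ALGO.lower()) != "AES256":
        raise ValueError("customer-algorithm must be AES256")
    try:
        key = _b64_strict(h.get(H_KEY.lower(), ""), 32)
        digest = _b64_strict(h.get(H_KEY_MD5.lower(), ""), 16)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"malformed key or key-MD5 header: {exc}") from exc
    if not hmac.compare_digest(hashlib.md5(key).digest(), digest):
        raise ValueError("key-MD5 does not match the supplied key; key corrupted in transit")
    return key


def rejection_reason(url: str, headers: dict):
    """None when the request would be accepted, otherwise the rejection reason."""
    try:
        check_sse_c_request(url, headers)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed demo key; use a fresh key per object
    hdrs = sse_c_headers(key)
    target = "https://grid.example/bucket/object"  # constructed endpoint
    print("https   :", rejection_reason(target, hdrs))
    print("http    :", rejection_reason(target.replace("https", "http", 1), hdrs))
    # Simulate a key corrupted in transit: the MD5 header no longer matches.
    corrupted = dict(hdrs, **{H_KEY: base64.b64encode(bytes(32)).decode("ascii")})
    print("bad key :", rejection_reason(target, corrupted))
```

The digest header only detects accidental corruption, which is why the check above does nothing more than compare it; confidentiality of the key in transit rests entirely on https, and the client-side key tracking the considerations below describe is outside what these functions do.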

Considerations for using server-side encryption with customer-provided keys (SSE-C)

Before using SSE-C, be aware of the following considerations:
  • You must use https.
    Attention: StorageGRID rejects any request made over http when using SSE-C. For security reasons, treat any key you accidentally send over http as compromised: discard the key and rotate as appropriate.
  • The ETag in the response is not the MD5 of the object data.
  • You must manage the mapping of encryption keys to objects. StorageGRID does not store encryption keys. You are responsible for tracking the encryption key you provide for each object.
  • If your bucket is versioning-enabled, each object version should have its own encryption key. You are responsible for tracking the encryption key used for each object version.
  • Because you manage encryption keys on the client side, you must also manage any additional safeguards, such as key rotation, on the client side.
    Attention: The encryption keys you provide are never stored. If you lose an encryption key, you lose the corresponding object.
  • If CloudMirror replication is configured for the bucket, you cannot ingest SSE-C objects. The ingest operation will fail.