Setting S3 Server-Side Encryption (SSE)

Amazon S3 provides two options for setting server-side encryption (SSE):

  • Amazon S3-Managed Encryption Keys (SSE-S3)

    With SSE-S3, each object is encrypted with a unique key with AES-256 (in the Hedvig environment, a unique key per bucket, not per object).

  • AWS KMS-Managed Keys (SSE-KMS) (currently unsupported)

    With SSE-KMS, the client specifies customer master keys (CMKs) for encrypting this object (CMK must be provided in the header).

For Hedvig-supported SSE-S3, keys are generated uniquely at the bucket level, but data encryption is at the object level. Therefore, a bucket could have both encrypted and unencrypted objects.


To set server-side encryption when putting an object, use one of the following methods:

  • Python CLI

    aws s3api put-object --endpoint http://<hostname>:<port_number> --bucket <bucket_name> --key <object_name> --body <upload_file_path> --server-side-encryption AES256
  • Java SDK

    ObjectMetadata objectMetadata = new ObjectMetadata();
    PutObjectRequest putRequest = new PutObjectRequest(bucketName,
                         new ByteArrayInputStream(objectContent.getBytes()),


For more information about S3 server-side encryption with Amazon S3-Managed Encryption Keys (SSE-S3), see the Amazon documentation.