Setting S3 Server-Side Encryption (SSE)

Amazon S3 provides two options for setting server-side encryption (SSE):

• Amazon S3-Managed Encryption Keys (SSE-S3)

  With SSE-S3, each object is encrypted with a unique key with AES-256 (in the Hedvig environment, a unique key per bucket, not per object).

• AWS KMS-Managed Keys (SSE-KMS) (currently unsupported)

  With SSE-KMS, the client specifies customer master keys (CMKs) for encrypting this object (CMK must be provided in the header).

For Hedvig-supported SSE-S3, keys are generated uniquely at the bucket level, but data encryption is at the object level. Therefore, a bucket could have both encrypted and unencrypted objects.

Procedure

To set server-side encryption when putting an object, use one of the following methods:

• Python CLI

  aws s3api put-object --endpoint http://<hostname>:<port_number> --bucket <bucket_name> --key <object_name> --body <upload_file_path> --server-side-encryption AES256

• Java SDK

  ObjectMetadata objectMetadata = new ObjectMetadata();

  objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);

  PutObjectRequest putRequest = new PutObjectRequest(bucketName,

                       keyName,

                       new ByteArrayInputStream(objectContent.getBytes()),

                       objectMetadata);