Amazon S3 provides two options for setting server-side encryption (SSE):
- Amazon S3-Managed Encryption Keys (SSE-S3)
With SSE-S3, each object is encrypted with a unique key using AES-256 (in the Hedvig environment, a unique key per bucket, not per object).
- AWS KMS-Managed Keys (SSE-KMS) (currently unsupported)
With SSE-KMS, the client specifies the customer master key (CMK) used to encrypt the object; the CMK must be provided in the request header.
For Hedvig-supported SSE-S3, keys are generated uniquely at the bucket level, but encryption is applied per object, so a bucket can contain both encrypted and unencrypted objects.
Procedure
To set server-side encryption when putting an object, use one of the following methods:
- Python CLI
aws s3api put-object --endpoint http://<hostname>:<port_number> --bucket <bucket_name> --key <object_name> --body <upload_file_path> --server-side-encryption AES256
- Java SDK
import java.io.ByteArrayInputStream;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutObjectRequest;

// Request SSE-S3 (AES-256) for this object through its metadata
ObjectMetadata objectMetadata = new ObjectMetadata();
objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
byte[] bytes = objectContent.getBytes();
objectMetadata.setContentLength(bytes.length); // known length avoids buffering the stream in memory
PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName,
        new ByteArrayInputStream(bytes), objectMetadata);
s3Client.putObject(putRequest); // s3Client: an AmazonS3 client pointed at the Hedvig endpoint
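As an added example (not part of the Hedvig documentation or its SDK samples), the following Python script covers two things the text above implies but does not show: it puts an object with SSE-S3 requested explicitly (the boto3 equivalent of the CLI's --server-side-encryption AES256), and it audits a bucket to separate encrypted objects from unencrypted ones, which matters because encryption is applied per object and a bucket can hold both. It assumes a boto3 client created against the Hedvig endpoint; the object keys and HeadObject responses in SAMPLE_HEADS are constructed, not captured from a live system.

```python
"""Request SSE-S3 on upload and audit a bucket for unencrypted objects.

Added example, not Hedvig's own code. Assumes an S3-compatible endpoint
reachable via boto3; SAMPLE_HEADS below is constructed sample data.
"""
from typing import Dict, List, Optional


def classify_object(head_response: dict) -> Optional[str]:
    """Return the SSE algorithm reported for one object, or None if the
    object is stored unencrypted. HeadObject reports SSE-S3 as 'AES256'
    and SSE-KMS as 'aws:kms'; a missing field means no server-side
    encryption was applied when the object was put."""
    return head_response.get("ServerSideEncryption")


def audit_encryption(heads: Dict[str, dict]) -> Dict[str, List[str]]:
    """Group object keys by encryption state.

    heads maps object key -> HeadObject response dict. The result has
    'AES256', 'aws:kms' and 'unencrypted' lists, so a mixed bucket is
    visible at a glance and the unencrypted keys can be re-uploaded."""
    result: Dict[str, List[str]] = {"AES256": [], "aws:kms": [], "unencrypted": []}
    for key, head in heads.items():
        algo = classify_object(head)
        if algo is None:
            result["unencrypted"].append(key)
        else:
            result.setdefault(algo, []).append(key)
    return result


def head_all_objects(s3, bucket: str) -> Dict[str, dict]:
    """Fetch HeadObject for every object in the bucket.
    `s3` is assumed to be boto3.client('s3', endpoint_url=...)."""
    heads: Dict[str, dict] = {}
    paginator = s3.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            heads[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
    return heads


def put_object_encrypted(s3, bucket: str, key: str, body: bytes) -> dict:
    """Upload with SSE-S3 requested explicitly on every put; the response
    echoes ServerSideEncryption='AES256' when the server honoured it."""
    return s3.put_object(Bucket=bucket, Key=key, Body=body,
                         ServerSideEncryption="AES256")


# Constructed sample HeadObject responses, trimmed to the relevant fields.
SAMPLE_HEADS = {
    "reports/q1.csv": {"ContentLength": 1024, "ServerSideEncryption": "AES256"},
    "reports/q2.csv": {"ContentLength": 2048},  # put without the SSE header
    "backup.tar": {"ContentLength": 4096, "ServerSideEncryption": "AES256"},
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py http://<hostname>:<port_number> <bucket_name>
        import boto3  # only needed against a live endpoint
        client = boto3.client("s3", endpoint_url=sys.argv[1])
        summary = audit_encryption(head_all_objects(client, sys.argv[2]))
    else:  # offline: run the audit over the constructed sample
        summary = audit_encryption(SAMPLE_HEADS)
    for state, keys in summary.items():
        print(f"{state}: {keys}")
```

Run without arguments to see the audit over the constructed sample; pass the endpoint URL and bucket name to audit a real bucket. The check relies on the ServerSideEncryption header that HeadObject returns for each object, so it works against any S3-compatible endpoint that reports it.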
Note
For more information about S3 server-side encryption with Amazon S3-Managed Encryption Keys (SSE-S3), see the Amazon documentation.