Enabling Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

If you are using Amazon S3 buckets with Server Side Encryption (SSE) disabled at the bucket policy level, you can optionally instruct Commvault software to write SSE-S3 or SSE-KMS encrypted objects.

Note

Reading encrypted data is transparent to Commvault software, as long as the required access to the KMS key is granted.

Commvault supports dual-layer server-side encryption with AWS KMS (DSSE-KMS).

Procedure

Additional Setting: nCloudS3ServerSideEncryption

Category: MediaAgent

Type: Integer

Value: Enter one of the following values:

  • 0: Do not use Server-Side Encryption (default)

  • 1: Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

  • 2: Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS).

    Use MediaAgent/sCloudS3ServerSideEncryptionKMSKeyID to set the KMS key.

Additional Setting: sCloudS3ServerSideEncryptionKMSKeyID

Category: MediaAgent

Type: String

Value: Use this key to set the KMS key ID when the value of nCloudS3ServerSideEncryption is set to 2.

Create the key from the AWS console and get the KMS key ID.

If this key is not set, the default AWS KMS key will be used.
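
After changing the setting, it is worth confirming that newly written objects actually carry the encryption the setting requests. The following is an added example, not Commvault code: it checks S3 HeadObject responses (for example collected with aws s3api head-object) against the value of nCloudS3ServerSideEncryption and, for SSE-KMS, against the configured key. It assumes the key is given as a key ID or full key ARN, uses constructed function names and sample data, and does not cover DSSE-KMS because this page gives no setting value for it.

```python
# Added example, not Commvault code. Only the two additional-setting names and
# the S3 HeadObject fields (ServerSideEncryption, SSEKMSKeyId) are real; the
# function names and sample responses are constructed for illustration.

# nCloudS3ServerSideEncryption value -> algorithm S3 reports on the object
EXPECTED_ALGORITHM = {1: "AES256", 2: "aws:kms"}

def key_matches(configured, reported_arn):
    """Compare sCloudS3ServerSideEncryptionKMSKeyID (assumed to be a bare
    key ID or a full key ARN) with the key ARN S3 reports."""
    if configured.startswith("arn:"):
        return configured == reported_arn
    return reported_arn.rsplit("/", 1)[-1] == configured

def check_object(head, mode, kms_key_id=None):
    """Return findings for one HeadObject response; an empty list means the
    object matches what the setting asks for."""
    if mode == 0:
        return []  # no SSE requested by the writer; nothing to verify
    if mode not in EXPECTED_ALGORITHM:
        raise ValueError(f"unsupported nCloudS3ServerSideEncryption value: {mode}")
    algorithm = head.get("ServerSideEncryption")
    if algorithm != EXPECTED_ALGORITHM[mode]:
        return [f"expected {EXPECTED_ALGORITHM[mode]}, found {algorithm or 'none'}"]
    # With no key ID configured the default AWS KMS key is used, so only the
    # algorithm can be checked in that case.
    if mode == 2 and kms_key_id:
        reported = head.get("SSEKMSKeyId", "")
        if not key_matches(kms_key_id, reported):
            return [f"encrypted under unexpected KMS key: {reported or 'none'}"]
    return []

def audit(heads, mode, kms_key_id=None):
    """Map object key -> findings for every object that fails the check."""
    results = {k: check_object(h, mode, kms_key_id) for k, h in heads.items()}
    return {k: f for k, f in results.items() if f}

# Constructed HeadObject responses (trimmed to the relevant fields).
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
ARN = "arn:aws:kms:us-east-1:111122223333:key/"
SAMPLE = {
    "chunk_1": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": ARN + KEY_ID},
    "chunk_2": {"ServerSideEncryption": "AES256"},
    "chunk_3": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": ARN + "0000aaaa-other"},
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, mode=2, kms_key_id=KEY_ID).items():
        print(name, findings)
```

Objects written before the setting was changed keep their original encryption, so run the check only against objects created afterwards.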
