S3 Data Encryption – SSE-C and SSE-S3
Overview
With the increasing security threats and stricter legal requirements, it is essential to consistently implement strong measures to secure data transit. This includes data not only in transit but also at rest.
Protecting data stored on physical devices or in the cloud is crucial to any organization's IT security strategy. In this context, there are two main approaches to encrypting this data: client-side encryption (CSE) and server-side encryption (SSE).
Client-side encryption (CSE)
Allows customers to encrypt their data on their devices before sending it to the Fstorage server for storage. This ensures that the data remains encrypted throughout its entire lifecycle, providing a high level of security because the customer manages the encryption keys, which are never shared with Fstorage or any third parties. This approach requires customers to manage their keys carefully, but it is an ideal solution for those needing complete data security control.
Server-side encryption (SSE)
Provides an alternative solution where data is encrypted when it reaches the Fstorage server. This is Fstorage’s responsibility, significantly reducing the security management burden on customers. There are two methods of server-side encryption:
SSE-C - Server-Side Encryption with Customer Keys: Customers can provide and manage their own encryption keys, giving them full control over data security. This option is particularly suitable for organizations with specific compliance and data security needs, as it allows exclusive management of encryption keys.
SSE-S3 - Server-Side Encryption with HI GIO S3 Cloud-Managed Keys (in development): This simplifies the encryption process by using keys managed by Fstorage. This method is ideal for customers who want a robust encryption solution without the complexities of key management. It integrates the use of KMS (Key Management Service).
HI GIO S3 Storage does not store your keys. If the key is lost, all data will be lost, and there is no way to recover it.
Procedure
Using server-side encryption (SSE) with customer-provided encryption keys (SSE-C - Server-Side Encryption with Customer Keys) allows you to specify your encryption keys.
When you download an object, HI GIO S3 Storage uses the encryption key provided by the customer to apply AES-256 encryption to the data.
While checking an Object, the client must provide the same encryption key as part of its request. Firstly, HI GIO S3 will check that the client’s encryption key matches, then decrypt the Object before returning the data to you.
When using SSE-C, you must provide encryption key information using the following request headers:
--sse-customer-algorithm
Use this header to specify the encryption algorithm. The header value must be AES256.
--sse-customer-key
Use this header to provide a 256-bit, base64-encoded encryption key for HI GIO S3 to encrypt and decrypt data
--sse-customer-key-md5
(Optional)
Use this header to provide a base64-encoded 128-bit MD5 digest of the encryption key per RFC 1321. S3 uses this header to check the integrity of the message to ensure that the encryption key was transmitted without error.
Last updated