Customer-Provided Encryption Keys (SSE-C)
Customer-Provided Encryption Keys allow you to encrypt objects in Object Store with your own secret key, using Server-Side Encryption with Customer-Provided Keys (SSE-C).
With SSE-C, the Object Store service never stores your key. The key must be provided for every upload and download operation. This provides maximum control over encryption, but requires careful key management.
Danger
If you lose the encryption key, the object is permanently unrecoverable (even by our Support).
The Object Store service cannot restore or regenerate customer-provided keys.
How SSE-C Works
- You generate a 256-bit (32-byte) encryption key
- The key is sent with each request (over TLS)
- The object is encrypted at rest using AES-256
- The key is discarded after the request completes
- The same key must be supplied to retrieve the object
Generate an Encryption Key
Generate the key once and store it securely.
mkdir -p ~/.sse-c
chmod 700 ~/.sse-c
openssl rand -base64 32 > ~/.sse-c/test-crypt.key
chmod 600 ~/.sse-c/test-crypt.key
Load the key into an environment variable; the upload and download commands below read it from $SSE_KEY.
Generate the Key MD5 Checksum
The MD5 checksum lets the service verify that the key it received is intact; the upload and download commands below pass it as $SSE_MD5.
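The following script is an added example and is not part of the original page or of the Object Store documentation. It carries the key-preparation steps above through to the two values the later aws s3api calls consume: it reads the base64 key file written by openssl, checks that it decodes to exactly 32 bytes, computes the MD5 of the raw (decoded) key bytes in base64 form, and exports both as SSE_KEY and SSE_MD5. The function names, the KEY_FILE variable and the use of openssl dgst are my own choices; the file path is the one the page creates.

```shell
#!/bin/sh
# Added example, not part of the original page: derive SSE_KEY (the base64
# key written by "openssl rand -base64 32") and SSE_MD5 (the base64 MD5 of
# the raw 32 key bytes) from the key file created above.
# Assumptions: POSIX sh with coreutils base64 and openssl on PATH; the
# default path is the one the page creates and can be overridden.

KEY_FILE="${KEY_FILE:-$HOME/.sse-c/test-crypt.key}"

# Print the base64 key from a file with any trailing newline removed;
# a stray newline would change the key bytes and therefore the checksum.
load_sse_key() {
    tr -d '\n' < "$1"
}

# Succeed only if the base64 text decodes to exactly 32 bytes (AES-256).
# Catches a truncated file or a key generated with the wrong length.
check_key_length() {
    n=$(printf '%s' "$1" | base64 -d | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Base64-encoded MD5 digest of the *decoded* key bytes.  The checksum
# covers the raw key, not its base64 text, which is what the SSE-C
# key-MD5 header carries.
sse_key_md5() {
    printf '%s' "$1" | base64 -d | openssl dgst -md5 -binary | base64 | tr -d '\n'
}

# Load and validate the key, then export both values for the aws commands.
if [ -f "$KEY_FILE" ]; then
    SSE_KEY=$(load_sse_key "$KEY_FILE")
    if check_key_length "$SSE_KEY"; then
        SSE_MD5=$(sse_key_md5 "$SSE_KEY")
        export SSE_KEY SSE_MD5
        echo "SSE_KEY loaded from $KEY_FILE; SSE_MD5=$SSE_MD5"
    else
        echo "$KEY_FILE does not decode to 32 bytes; refusing to use it" >&2
    fi
else
    echo "no key file at $KEY_FILE; run the generation commands above first" >&2
fi
```

Source the script (". ./sse-c-env.sh") rather than executing it so that the exported SSE_KEY and SSE_MD5 remain in your shell for the put-object and get-object commands that follow. The length check matters because a key of the wrong size is rejected by the service only at request time, after the upload has started; checking locally fails fast.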
Upload an Object with SSE-C
Upload an object using the customer-provided key:
aws s3api put-object \
--bucket <bucket_name> \
--key <object_name> \
--body <file_path> \
--sse-customer-algorithm AES256 \
--sse-customer-key "$SSE_KEY" \
--sse-customer-key-md5 "$SSE_MD5"
Download an Object Encrypted with SSE-C
The same key and MD5 checksum must be provided to retrieve the object.
aws s3api get-object \
--bucket <bucket_name> \
--key <object_name> \
--sse-customer-algorithm AES256 \
--sse-customer-key "$SSE_KEY" \
--sse-customer-key-md5 "$SSE_MD5" \
<output_file>
Key Management Recommendations
To avoid data loss:
- Store keys in a password manager or secrets vault
- Maintain encrypted backups of keys
- Restrict file permissions (chmod 600)
- Document which key is used for which objects