Server-Side Encryption with Customer-Managed Keys (SSE-C) on ESA HPC
Introduction
This guide explains how to encrypt your objects server-side with SSE-C.
Server-side encryption is a way to protecting data at rest. SSE encrypts only the object data. Using server-side encryption with customer-provided encryption keys (SSE-C) allows to set your own keys for encryption. Server manages the encryption as it writes to disks and decryption when you access your objects. The only thing that you must manage is to provide your own encryption keys.
SSE-C is working as on the moment of uploading an object. Server uses the encryption key you provide to apply AES-256 encrytion to data and removes the encryption key from memory. To access the data again you must provide the same encryption key on the request. Server verifies whether provided key matches and then decrypts the object before returning the object data to you.
Requirements
A bucket (How to use Object Storage on ESA HPC)
A user with the required access rights on the bucket
EC2 credentials (How to generate ec2 credentials on ESA HPC)
Have installed and configured aws
If you have not used aws before:
$ sudo apt install awscli
Then:
$ aws configure
AWS Access Key ID [None]: <your EC2 Access Key>
AWS Secret Access Key [None]: <your EC2 Secret Key>
Default region name [None]: <enter>
Default output format [None]: <enter>
SSE-C at a glance
Only HTTPS S3 rejects any requests made over HTTP using SSE-C.
If you send request erroneously using HTTP, for security you should discard the key and rotate as appropriate.
The ETag in the response is not the MD5 of the object data.
You are responsible for managing encryption keys and to which object they were used.
If bucket is versioning-enabled, each object version can have its own encryption key.
Attention
If you lose encryption key it means the object is also lost. Our servers do not store encryption keys, so it is not possible to access the data again without them.
REST API
To encrypt or decrypt objects in SSE-C mode the following headers are required:
Header |
Type |
Description |
---|---|---|
x-amz-server-side-encryption-customer-algorithm |
string |
Encryption algorithm. Must be set to AES256 |
x-amz-server-side-encryption-customer-key |
string |
256-bit base64-encoded encryption key used in the server-side encryption process |
x-amz-server-side-encryption-customer-key-MD5 |
string |
base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. It is used to ensure that the encryption has not been corrupted during transport and encoding process. |
Note
MD5 digest of the key before base64 encoding.
Headers apply to the following API operations:
PutObject
PostObject
CopyObject (to target objects)
HeadObject
GetObject
InitiateMultipartUpload
UploadPart
UploadPart-Copy (to target parts)
Example No 1 Generate header values
secret="32bytesOfTotallyRandomCharacters"
key=$(echo -n $secret | base64)
keymd5=$(echo -n $secret | openssl dgst -md5 -binary | base64)
OR
openssl rand 32 > sse-c.key
key=$(cat sse-c.key | base64)
keymd5=$(cat sse-c.key | openssl dgst -md5 -binary | base64)
Example No 2 aws-cli (s3api)
Upload an object with SSE-C encryption enabled
aws s3api put-object \
--bucket bucket-name --key object-name \
--body contents.txt \
--sse-customer-algorithm AES256 \
--sse-customer-key $key \
--sse-customer-key-md5 $keymd5 \
--endpoint-url https://s3.eohpc.net
Example No 3 aws-cli (s3)
aws s3 cp file.txt s3://bucket-name/ \
--sse-c-key $secret \
--sse-c AES256 \
--endpoint https://s3.eohpc.net
Example No 4 aws-cli (s3 blob)
aws s3 cp file.txt s3://bucket/ \
--sse-c-key fileb://sse-c.key \
--sse-c AES256 \
--endpoint https://s3.eohpc.net
Note
At the moment s3cmd does not support SSE-C encryption.
Downloading the encrypted object
aws s3api get-object <file_name> --bucket <bucket_name> \
--key <object_key \
--sse-customer-key $secret \
--sse-customer-algorithm AES256 \
--endpoint https://s3.eohpc.net
or
aws s3api get-object <file_name> --bucket <bucket_name> \
--key <object_key> \
--sse-customer-key fileb://<key_name> \
--sse-customer-algorithm AES256 \
--endpoint https://s3.eohpc.net