Server-side encryption with S3 managed keys (SSE-S3)

  • Encryption:

    1. The client selects the object(s) to upload to S3 and indicates SSE-S3 as the encryption mechanism during the upload.
    2. S3 then takes control of the object and encrypts it with a plaintext data key generated by S3. The result is an encrypted version of the object, which is stored in your chosen S3 bucket.
    3. The plaintext data key that was used to encrypt the object is then itself encrypted with an S3 master key, producing an encrypted version of the key. This encrypted key is also stored in S3 and is associated with the encrypted data object. Finally, the plaintext data key is removed from memory in S3.
  • Decryption:

    1. A user requests access to the encrypted object via a client.
    2. S3 knows that the requested object is encrypted, so it takes the object's associated encrypted data key and uses the S3 master key to decrypt it back into a plaintext data key.
    3. This plaintext data key is then used to decrypt the encrypted data object, producing a plaintext version of the object.
    4. Once the object is decrypted, S3 returns the data object to the client.

As you can see, the encryption process is completely transparent to the user, who is not required to interact with S3 in any different way. The same access method is used and all encryption processing is handled by S3, as long as the user requesting access has the required permissions on the encrypted data object.
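The envelope-key flow in the steps above, as an added model written for this page (not AWS code and not the book's): a per-object data key encrypts the object, the S3 master key wraps that data key, the plaintext data key is dropped, and only a caller holding the master key can unwrap it again. S3 uses AES-256 internally; here the cipher is a constructed stand-in (an HMAC-SHA256 counter-mode keystream) so the example runs with the standard library alone, and `SSES3Model` and `StoredObject` are names invented for this example.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in cipher: XOR data with an HMAC-SHA256 counter keystream.
    Only the key flow around it matters for this example; S3 itself uses AES-256."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class StoredObject:
    ciphertext: bytes        # encrypted object, as kept in the bucket
    nonce: bytes
    wrapped_data_key: bytes  # data key encrypted under the S3 master key, stored alongside
    wrap_tag: bytes          # integrity tag so a tampered wrapped key is rejected, not unwrapped


class SSES3Model:
    def __init__(self) -> None:
        self._master_key = os.urandom(32)  # stays inside the service; never returned to clients

    def put_object(self, plaintext: bytes) -> StoredObject:
        data_key = os.urandom(32)                                  # step 2: fresh per-object key
        nonce = os.urandom(16)
        ciphertext = _keystream_xor(data_key, nonce, plaintext)    # step 2: encrypt the object
        wrapped = _keystream_xor(self._master_key, b"wrap" + nonce, data_key)  # step 3: wrap key
        tag = hmac.new(self._master_key, wrapped + nonce, hashlib.sha256).digest()
        del data_key                                               # step 3: plaintext key discarded
        return StoredObject(ciphertext, nonce, wrapped, tag)

    def get_object(self, obj: StoredObject) -> bytes:
        expected = hmac.new(self._master_key, obj.wrapped_data_key + obj.nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, obj.wrap_tag):
            raise ValueError("wrapped data key failed integrity check (wrong master key or tampering)")
        data_key = _keystream_xor(self._master_key, b"wrap" + obj.nonce, obj.wrapped_data_key)  # step 2
        return _keystream_xor(data_key, obj.nonce, obj.ciphertext)  # step 3: decrypt with unwrapped key


def can_decrypt(model: SSES3Model, obj: StoredObject) -> bool:
    """True when this service instance (i.e. this master key) can recover the object."""
    try:
        model.get_object(obj)
        return True
    except ValueError:
        return False
```

A second `SSES3Model` instance holds a different master key, so it cannot unwrap the stored data key even though it holds the full stored record; that is the property the master key provides.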
