Server-side encryption with customer managed keys (SSE-C)

  • Encryption:

    1. The client uploads the object(s) to S3, along with the customer-provided key, across an HTTPS connection. If SSE-C is being used and the upload is not made over HTTPS, the request fails and S3 rejects the communication. The channel needs to be encrypted because the key is being sent along with the object.
    2. S3 will then take the customer-provided key and the object and perform the encryption of the object. In addition to this, S3 will generate a salted HMAC value of the customer key to enable the validation of future access requests. This HMAC and the encrypted object are then stored on S3 with an association to each other. Again, the plaintext customer-provided key is then removed from memory.
  • Decryption:

    1. A user requests access to the encrypted object on S3 via an HTTPS connection. With this same request, the customer key is also sent to S3.
    2. S3 uses the stored HMAC value of the key to validate and confirm that the key that has been sent is the correct key.
    3. Upon successful validation, the customer key is then used to decrypt the object data.
    4. The plaintext version of the object data is then sent back to the client.

Here, the process differs slightly from SSE-S3 and SSE-KMS, since the key is supplied by the client rather than by S3. As a result, you need to include the encryption information with your request by using a number of different request headers in the AWS SDK. These request headers are as follows:

  • Header: x-amz-server-side-encryption-customer-algorithm: Used to specify the encryption algorithm. The header value here must be AES256.
  • Header: x-amz-server-side-encryption-customer-key: This header is used to provide a 256-bit, base64-encoded encryption key for S3 during both the encryption and decryption operations of your objects.
  • Header: x-amz-server-side-encryption-customer-key-MD5: This header provides a base64-encoded, 128-bit MD5 digest of your encryption key. This is used by S3 as a form of integrity check to make sure that the encryption key wasn't tampered with or experienced any errors during transmission.
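
The following is an added example, not code from the original text or from the AWS SDK: a Python sketch that builds the three headers listed above from a 256-bit key and reproduces the key-MD5 integrity check on the receiving side. The function names, the sample URL and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

PREFIX = "x-amz-server-side-encryption-customer-"
ALGORITHM = "AES256"  # the only value the algorithm header accepts


def sse_c_headers(key: bytes, url: str) -> dict:
    """Build the three SSE-C request headers for a 256-bit customer key."""
    # The key travels with the request, so refuse anything but HTTPS.
    if urlparse(url).scheme != "https":
        raise ValueError("SSE-C requests must use HTTPS")
    if len(key) != 32:
        raise ValueError("SSE-C key must be exactly 256 bits (32 bytes)")
    digest = hashlib.md5(key).digest()  # 128-bit digest of the raw key
    return {
        PREFIX + "algorithm": ALGORITHM,
        PREFIX + "key": base64.b64encode(key).decode(),
        PREFIX + "key-MD5": base64.b64encode(digest).decode(),
    }


def key_arrived_intact(headers: dict) -> bool:
    """Receiver-side view of the integrity check: decode the key header,
    recompute its MD5 digest and compare it with the key-MD5 header."""
    try:
        key = base64.b64decode(headers[PREFIX + "key"], validate=True)
        sent = base64.b64decode(headers[PREFIX + "key-MD5"], validate=True)
    except (KeyError, ValueError):  # missing header or malformed base64
        return False
    if headers.get(PREFIX + "algorithm") != ALGORITHM or len(key) != 32:
        return False
    return hmac.compare_digest(hashlib.md5(key).digest(), sent)


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed key, for demonstration only
    sample_url = "https://example-bucket.s3.amazonaws.com/report.csv"  # hypothetical
    for name, value in sse_c_headers(sample_key, sample_url).items():
        print(f"{name}: {value}")
```

The same three headers must accompany every later read of the object, since S3 does not keep the plaintext key.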