#AWS Use Your own Encryption Keys with S3’s Server-Side Encryption

Amazon S3 stores trillions of objects and processes more than a million
requests per second for them.

As the number of use cases for S3 has grown, so have the requests for additional ways to protect data in motion
(as it travels to and from S3) and at rest (while it is stored). The first requirement is met by the use of
SSL, which has been supported by S3 from the very beginning. There are several options for the protection
of data at rest. First, users of the SDKs for
Ruby and
can also use

client-side encryption

to encrypt data before it leaves the client environment. Second, any S3 user can opt to use
server-side encryption.

Today we are enhancing S3’s support for server-side encryption by
giving you the option to provide your own keys. You now have a
choice — you can use the existing server-side encryption model and
let AWS manage your keys, or you can manage your own keys and
benefit from all of the other advantages offered by server-side

You now have the option to store data in S3 using keys that you
manage, without having to build, maintain, and scale your own
client-side encryption fleet, as many of our customers have done in
the past.

Use Your Keys
This new feature is accessible via the
S3 APIs and
is very easy to use. You simply supply your encryption key as part of a PUT and
S3 will take care of the rest. It will use your key to apply AES-256
encryption to your data, compute a one-way hash (checksum) of the
key, and then expeditiously remove the key from memory. It will
return the checksum as part of the response, and will also store the
checksum with the object. Here’s the flow:

Later, when you need the object, you simply supply the same key as
part of a GET. S3 will decrypt the object (after verifying that the
stored checksum matches that of the supplied key) and return the
decrypted object, once again taking care to expeditiously remove the
key from memory.

Key Management
In between, it is up to you to manage your encryption keys and to
make sure that you know which keys were used to encrypt each object. You can
store your keys on-premises or you can use
AWS Cloud HSM, which uses
dedicated hardware to help you to meet corporate, contractual and
regulatory compliance requirements for data security.

If you enable S3’s versioning feature and store multiple versions of an
object, you are responsible for tracking the relationship between objects,
object versions, and keys so that you can supply the proper key when
the time comes to decrypt a particular version of an object. Similarly,
if you use S3’s
Lifecycle rules
to arrange for an eventual transition to
you must first restore the object to S3 and then retrieve the object using
the key that was used to encrypt it.

If you need to change the key associated with an object, you can invoke S3’s
operation, passing in the old and the new keys as parameters. You’ll want to mirror this
change within your key management system, of course!

Ready to Encrypt
This feature is available now and you can start using it today. There is no extra charge for
encryption, and there’s no observable effect on PUT or GET performance. To learn more,
read the documentation on
Server Side Encryption With Customer Keys.


Related posts