Understanding Amazon S3 Encryption Mechanisms

S3 provides several encryption mechanisms to protect your data at rest. These can be broadly categorized into server-side encryption & client-side encryption. Server-side encryption can be achieved using either S3 managed keys (SSE-S3), KMS managed keys (SSE-KMS) or customer-provided keys (SSE-C). Client-side encryption can be achieved using either KMS managed keys (CSE-C) or customer-provided keys (CSE-C). This article describes the steps involved in encrypting & decrypting an S3 object using each of these mechanisms.

SSE-S3

Encryption

When using SSE-S3, the encryption of an object uploaded to S3 happens as follows:

  • The client uploads an object to S3.
  • S3 generates a data key.
  • S3 encrypts the object with the data key.
  • S3 encrypts the data key with its master key.
  • S3 saves the encrypted object & data key to disk.
  • S3 destroys the plaintext data key from memory.

Decryption

When using SSE-S3, the decryption of an object downloaded from S3 happens as follows:

  • The client requests S3 for the object.
  • S3 fetches the object from disk.
  • S3 extracts the encrypted data key from the object’s metadata.
  • S3 decrypts the data key using its master key.
  • S3 decrypts the object using the decrypted data key.
  • S3 returns the decrypted object to the client.

SSE-KMS

Encryption

When using SSE-KMS, the encryption of an object uploaded to S3 happens as follows:

  • The client uploads an object to S3.
  • S3 requests KMS for a data key.
  • KMS returns the plaintext data key & its encrypted version.
  • S3 encrypts the object with the plaintext data key.
  • S3 saves the encrypted object & data key to disk.
  • S3 destroys the plaintext data key from memory.

Decryption

When using SSE-KMS, the decryption of an object downloaded from S3 happens as follows:

  • The client requests the object from S3.
  • S3 fetches the encrypted object from disk.
  • S3 extracts the encrypted data key from the object’s metadata.
  • S3 sends the encrypted data key to KMS for decryption.
  • KMS decrypts the data key using the CMK.
  • KMS returns the decrypted data key to S3.
  • S3 decrypts the object using the data key.
  • S3 returns the decrypted object to the client.
  • S3 destroys the plaintext data key from memory.

SSE-C

Encryption

When using SSE-C, the encryption of an object uploaded to S3 happens as follows:

  • The client uploads an object & a key to S3 over HTTPS.
  • S3 encrypts the object with the key.
  • S3 computes a salted HMAC of the key.
  • S3 saves the encrypted object & HMAC to disk.
  • S3 destroys the plaintext key from memory.

Decryption

When using SSE-C, the decryption of an object downloaded from S3 happens as follows:

  • The client sends the key to S3 & requests the object.
  • S3 computes a salted HMAC of the key.
  • S3 fetches the encrypted object from disk.
  • S3 extracts the salted HMAC from the object’s metadata.
  • S3 compares this with the HMAC from step 2.
  • If they match, S3 decrypts the object with the key.
  • S3 returns the decrypted object to the client.
  • S3 destroys the key from memory.

CSE-KMS

Encryption

When using CSE-KMS, the encryption of an object uploaded to S3 happens as follows:

  • The client requests a data key from KMS.
  • KMS returns a plaintext data key & its encrypted version.
  • The client encrypts the object with the data key.
  • The client uploads the encrypted object & data key to S3.
  • The client destroys the plaintext data key from memory.

Decryption

When using CSE-KMS, the decryption of an object downloaded from S3 happens as follows:

  • The client requests the object from S3.
  • S3 returns the encrypted object.
  • The client extracts the encrypted data key from the object’s metadata.
  • The client sends this to KMS for decryption.
  • KMS decrypts & returns the decrypted data key.
  • The client decrypts the object using the plaintext data key.
  • The client destroys the plaintext data key from memory.

CSE-C

Encryption

When using CSE-C, the encryption of an object uploaded to S3 happens as follows:

  • The client generates a data key.
  • The client encrypts the object with the data key.
  • The client encrypts the data key with its master key.
  • The client uploads the encrypted object & data key to S3.
  • The client destroys the plaintext data key from memory.

Decryption

When using CSE-C, the decryption of an object downloaded from S3 happens as follows:

  • The client requests the object from S3.
  • S3 returns the encrypted object.
  • The client extracts the encrypted data key from the object’s metadata.
  • The client decrypts the data key using its master key.
  • The client decrypts the object using the data key.
  • The client destroys the data key from memory.

Harish KM is a Cloud Evangelist & a Full Stack Engineer at QloudX.

He is very passionate about cloud-native solutions & using the best tools for his projects. With 10+ cloud & IT certifications, he is an expert in a multitude of application languages & is up-to-date with all new offerings & services from cloud providers, especially AWS.

close

Oh hi there 👋
It’s nice to meet you.

Sign up to our newsletter to be notified when a new blog post lands.

By subscribing you agree to receive promotional marketing materials and agree with our privacy policy. You may unsubscribe at any time.

One Reply to “Understanding Amazon S3 Encryption Mechanisms”

  1. Nitesh says:

    AWS docs felt ambiguous about the SSE-C and SSE-S3. Thanks for the clear and concise explanation.

Leave a Reply

Your email address will not be published. Required fields are marked *