Understanding Amazon S3 Encryption Mechanisms

S3 provides several encryption mechanisms to protect your data at rest. These can be broadly categorized into server-side encryption & client-side encryption. Server-side encryption can be achieved using either S3 managed keys (SSE-S3), KMS managed keys (SSE-KMS) or customer-provided keys (SSE-C). Client-side encryption can be achieved using either KMS managed keys (CSE-C) or customer-provided keys (CSE-C). This article describes the steps involved in encrypting & decrypting an S3 object using each of these mechanisms.

SSE-S3

Encryption

When using SSE-S3, the encryption of an object uploaded to S3 happens as follows:

  • The client uploads an object to S3.
  • S3 generates a data key.
  • S3 encrypts the object with the data key.
  • S3 encrypts the data key with its master key.
  • S3 saves the encrypted object & data key to disk.
  • S3 destroys the plaintext data key from memory.

Decryption

When using SSE-S3, the decryption of an object downloaded from S3 happens as follows:

  • The client requests S3 for the object.
  • S3 fetches the object from disk.
  • S3 extracts the encrypted data key from the object’s metadata.
  • S3 decrypts the data key using its master key.
  • S3 decrypts the object using the decrypted data key.
  • S3 returns the decrypted object to the client.

SSE-KMS

Encryption

When using SSE-KMS, the encryption of an object uploaded to S3 happens as follows:

  • The client uploads an object to S3.
  • S3 requests KMS for a data key.
  • KMS returns the plaintext data key & its encrypted version.
  • S3 encrypts the object with the plaintext data key.
  • S3 saves the encrypted object & data key to disk.
  • S3 destroys the plaintext data key from memory.

Decryption

When using SSE-KMS, the decryption of an object downloaded from S3 happens as follows:

  • The client requests the object from S3.
  • S3 fetches the encrypted object from disk.
  • S3 extracts the encrypted data key from the object’s metadata.
  • S3 sends the encrypted data key to KMS for decryption.
  • KMS decrypts the data key using the CMK.
  • KMS returns the decrypted data key to S3.
  • S3 decrypts the object using the data key.
  • S3 returns the decrypted object to the client.
  • S3 destroys the plaintext data key from memory.

SSE-C

Encryption

When using SSE-C, the encryption of an object uploaded to S3 happens as follows:

  • The client uploads an object & a key to S3 over HTTPS.
  • S3 encrypts the object with the key.
  • S3 computes a salted HMAC of the key.
  • S3 saves the encrypted object & HMAC to disk.
  • S3 destroys the plaintext key from memory.

Decryption

When using SSE-C, the decryption of an object downloaded from S3 happens as follows:

  • The client sends the key to S3 & requests the object.
  • S3 computes a salted HMAC of the key.
  • S3 fetches the encrypted object from disk.
  • S3 extracts the salted HMAC from the object’s metadata.
  • S3 compares this with the HMAC from step 2.
  • If they match, S3 decrypts the object with the key.
  • S3 returns the decrypted object to the client.
  • S3 destroys the key from memory.

CSE-KMS

Encryption

When using CSE-KMS, the encryption of an object uploaded to S3 happens as follows:

  • The client requests a data key from KMS.
  • KMS returns a plaintext data key & its encrypted version.
  • The client encrypts the object with the data key.
  • The client uploads the encrypted object & data key to S3.
  • The client destroys the plaintext data key from memory.

Decryption

When using CSE-KMS, the decryption of an object downloaded from S3 happens as follows:

  • The client requests the object from S3.
  • S3 returns the encrypted object.
  • The client extracts the encrypted data key from the object’s metadata.
  • The client sends this to KMS for decryption.
  • KMS decrypts & returns the decrypted data key.
  • The client decrypts the object using the plaintext data key.
  • The client destroys the plaintext data key from memory.

CSE-C

Encryption

When using CSE-C, the encryption of an object uploaded to S3 happens as follows:

  • The client generates a data key.
  • The client encrypts the object with the data key.
  • The client encrypts the data key with its master key.
  • The client uploads the encrypted object & data key to S3.
  • The client destroys the plaintext data key from memory.

Decryption

When using CSE-C, the decryption of an object downloaded from S3 happens as follows:

  • The client requests the object from S3.
  • S3 returns the encrypted object.
  • The client extracts the encrypted data key from the object’s metadata.
  • The client decrypts the data key using its master key.
  • The client decrypts the object using the data key.
  • The client destroys the data key from memory.

Harish KM is a Cloud Evangelist & a Full Stack Engineer at QloudX. He is very passionate about cloud-native solutions & using the best tools for his projects. With 10+ cloud & IT certifications, he is an expert in a multitude of application languages & is up-to-date with all new offerings & services from cloud providers, especially AWS.

Leave a Reply