Server-Side Encryption with Customer-Provided Keys (SSE-C)

How SSE-C Works

  1. Customer Provides the Key: When uploading an object to S3, the customer provides their own encryption key in the request.

  2. AWS Encrypts the Object: AWS uses the provided key as a Key Encryption Key (KEK) to encrypt a Data Encryption Key (DEK). The DEK is then used to perform AES-256 encryption on the object before storing it.

  3. Key Management by the Customer: AWS does not store the customer’s encryption key. It retains only a cryptographic hash (HMAC) of the key for validation purposes during subsequent operations (e.g., downloading or overwriting the object).

  4. Decryption on Retrieval: To retrieve an object encrypted with SSE-C, the customer must provide the same encryption key used during the upload. AWS validates the key using the stored HMAC and decrypts the object before returning it.
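The four steps above, modelled in code as an added example (not from the original page): the real S3 request header names for SSE-C, the key-MD5 integrity check, and a constructed `SsecStore` that keeps only a salted HMAC of the key. The AES-256 step itself is not modelled; the model exists to show that once the key is discarded, only a caller holding the same key can get the object back.

```python
import base64
import hashlib
import hmac
import os

# Real S3 header names for SSE-C requests (from the AWS documentation).
H_ALG = "x-amz-server-side-encryption-customer-algorithm"
H_KEY = "x-amz-server-side-encryption-customer-key"
H_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def ssec_headers(key: bytes) -> dict:
    """Step 1: the client sends its 256-bit key, base64-encoded, plus an MD5
    of the raw key so the service can detect a key corrupted in transit."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        H_ALG: "AES256",
        H_KEY: base64.b64encode(key).decode(),
        H_MD5: base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def key_md5_matches(headers: dict) -> bool:
    """Service-side integrity check: the MD5 header must match the key sent."""
    key = base64.b64decode(headers[H_KEY])
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    return hmac.compare_digest(expected, headers[H_MD5])


class SsecStore:
    """Constructed model of steps 3 and 4: stores a salted HMAC of the key and
    the object bytes, never the key. The AES-256 step is deliberately omitted."""

    def __init__(self):
        self._objects = {}

    def put(self, name: str, data: bytes, headers: dict) -> None:
        if headers[H_ALG] != "AES256" or not key_md5_matches(headers):
            raise ValueError("400: malformed SSE-C key headers")
        key = base64.b64decode(headers[H_KEY])
        salt = os.urandom(16)
        tag = hmac.new(salt, key, hashlib.sha256).digest()
        self._objects[name] = (salt, tag, data)  # key is discarded here

    def get(self, name: str, headers: dict) -> bytes:
        salt, tag, data = self._objects[name]
        key = base64.b64decode(headers[H_KEY])
        if not hmac.compare_digest(hmac.new(salt, key, hashlib.sha256).digest(), tag):
            raise PermissionError("403: key does not match stored HMAC")
        return data
```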
