Types of Object Encryption in AWS S3

Welcome back to the AWS SAA series. We will continue from where we left off in the last blog.
Buckets aren’t encrypted, but objects are, and each object can use different encryption settings.
There are two main types of encryption at rest:
Client-side encryption
Server-side encryption
Both refer to encryption at rest. Only the object data is encrypted, not the object metadata.
Encryption at rest - the method of encryption applied when the objects are persistently stored on disk.
With client-side encryption, the objects being uploaded are encrypted by the client before they ever leave the client. The data is in ciphertext form the entire time it is stored in the bucket.
With server-side encryption, the data is protected by HTTPS while in transit, and it is encrypted by S3 once it reaches the endpoint.
With client-side encryption, everything (the keys and the cryptographic operations) is under the user’s control.
There are three types of server-side encryption, and choosing between them is a trade-off between trust, overhead, cost, resource consumption and so on.
Server-side encryption with customer-provided keys (SSE-C)
Server-side encryption with Amazon S3 managed keys (SSE-S3)
Server-side encryption with KMS keys stored in AWS KMS (SSE-KMS)
There are two components to SSE:
The actual encryption and decryption process itself (the cryptographic operations)
Generation and management of the cryptographic keys
In SSE-C, the customer is responsible for the encryption keys used in the encrypt/decrypt operations.
So the first major difference between client-side encryption and SSE-C is that the S3 service handles the cryptographic operations. The CPU cost is offloaded to S3, but the customer is required to manage the keys.
The object to be encrypted and the key are supplied to S3 together. S3 encrypts the object, creates a hash of the key, attaches that hash to the object, and discards the key. This hash can’t be used to generate a new key.
When a key is provided during decryption, the hash identifies whether it is the same key that was used to encrypt the object.
Since S3 no longer holds the key, the request for the object must supply both the object to be decrypted and the key to decrypt it.
S3 checks the key against the stored hash, uses it to decrypt the object, and discards the key again.
So the customer has to manage the keys, but keeps control over the keys used in the cryptographic operations, and saves the CPU that those operations would otherwise require.
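To make the SSE-C flow described above, and the contrast with client-side encryption, concrete, here is an added Go model of what the S3 side does in each case. It is example code written for this post, not AWS code or an SDK call. Two things in it are assumptions: AES-256-GCM as the cipher mode (S3 uses AES-256, but the mode is not part of this discussion) and a SHA-256 hash of the customer key as the stored key check (the real API sends a base64 MD5 of the key in the x-amz-server-side-encryption-customer-key-MD5 header next to x-amz-server-side-encryption-customer-key). The bucket, object names and object body are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// storedObject is what the S3 side keeps: ciphertext plus, for SSE-C, a hash of the key.
type storedObject struct {
	ciphertext []byte
	keyHash    []byte // nil when S3 did not do the encryption (client-side path)
}

type bucket map[string]storedObject // one S3 bucket: object name -> stored object

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // AES-GCM: the mode is an assumption of this model
}

// sealAESGCM encrypts plaintext and prefixes the random nonce to the output.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; it fails on a wrong key or tampered data.
func openAESGCM(key, data []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

// PutSSEC models an SSE-C upload: S3 encrypts, stores ciphertext plus a key hash, forgets the key.
func (b bucket) PutSSEC(name string, plaintext, customerKey []byte) error {
	ct, err := sealAESGCM(customerKey, plaintext)
	if err != nil {
		return err
	}
	h := sha256.Sum256(customerKey)
	b[name] = storedObject{ciphertext: ct, keyHash: h[:]}
	return nil
}

// GetSSEC models an SSE-C download: the key is sent again and checked against the stored hash.
func (b bucket) GetSSEC(name string, customerKey []byte) ([]byte, error) {
	obj := b[name] // a missing object has a nil keyHash and is rejected below
	h := sha256.Sum256(customerKey)
	if obj.keyHash == nil || subtle.ConstantTimeCompare(h[:], obj.keyHash) != 1 {
		return nil, errors.New("no SSE-C object with that name, or the customer key does not match")
	}
	return openAESGCM(customerKey, obj.ciphertext) // the key is dropped when this returns
}

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	b, secret := bucket{}, []byte("constructed sample object body") // constructed data
	// Client-side encryption: the client encrypts first; S3 stores opaque bytes and no key.
	ct, _ := sealAESGCM(newKey(), secret)
	b["cse-object"] = storedObject{ciphertext: ct}
	fmt.Printf("client-side: S3 holds %d opaque bytes and no key hash\n", len(b["cse-object"].ciphertext))

	// SSE-C: the client hands the key to S3 with every request.
	customerKey := newKey()
	if err := b.PutSSEC("ssec-object", secret, customerKey); err != nil {
		panic(err)
	}
	pt, err := b.GetSSEC("ssec-object", customerKey)
	fmt.Println("SSE-C correct key:", string(pt), err)
	_, err = b.GetSSEC("ssec-object", newKey())
	fmt.Println("SSE-C wrong key:", err)
}
```

Run it with go run. The wrong-key request fails at the hash comparison before any decryption is attempted, and the client-side object carries no key hash at all, so an SSE-C read of it is rejected: in that path S3 has nothing to check with and nothing to decrypt with, which is the whole point of the customer keeping the key.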
In the next blog post we will look at the remaining types of server-side encryption.