S3 Sync and Server-Side Encryption

S3 Sync now supports server-side encryption using AWS KMS-Managed Keys and Customer-Provided Keys. With server-side encryption, Amazon encrypts each file after you upload it. If you provide the correct credentials when retrieving a file, Amazon decrypts the file and returns it to you. Server-side encryption makes storing files on Amazon more secure.

Server-Side Encryption using AWS KMS-Managed Keys (SSE-KMS)

Amazon allows you to generate encryption keys within Amazon and specify which encryption key to use when uploading a file. This method is called AWS KMS-Managed Keys (SSE-KMS). You specify the ID of the encryption key to use when uploading a file. When downloading a file you must specify the same encryption key ID. You generate and manage encryption keys through the Identity and Access Management service, which is accessible through the AWS web management console. If someone gets access to your S3 bucket they will not be able to retrieve a file unless they specify the correct encryption key ID. When managing encryption keys through the Identity and Access Management service you can delegate encryption key administrators and encryption key users. These are the users that will be able to encrypt data, decrypt data, and manage encryption keys. When using SSE-KMS, AWS CloudTrail is available. CloudTrail keeps an audit history of who used an encryption key and when.

To use SSE-KMS in S3 Sync you will need to use the UploadHeaders parameter. The following is an example of this parameter.

-UploadHeaders "x-amz-server-side-encryption:aws:kms|x-amz-server-side-encryption-aws-kms-key-id:c112fc98-2e5d-4eab-aebc-0f565aa7e6fc"

The x-amz-server-side-encryption header tells S3 you will be using SSE-KMS. The x-amz-server-side-encryption-aws-kms-key-id header tells S3 which encryption key to use for the operation. You can get the key ID for an encryption key you generated in the AWS web management console under the Identity and Access Management service.

Note: The UploadHeaders parameter applies to upload, download, and bidirectional syncs in S3 Sync.

Server-Side Encryption using Customer-Provided Keys (SSE-C)

Amazon allows you to generate your own encryption key and send that key to S3 when uploading a file. Amazon encrypts the file with your encryption key after it receives it and then discards the key. When requesting the file you must include the same encryption key that was sent when uploading the file. Amazon will decrypt the file and return it to you. The benefit here is that Amazon does not store the encryption key, so there is no way for someone with access to your account to retrieve a file without it. The drawback is that you need to securely store your encryption keys locally. If you lose your keys you cannot retrieve your files.

The following is an example of the S3 Sync RequestHeaders parameter for using SSE-C.

-RequestHeaders "x-amz-server-side-encryption-customer-algorithm:AES256|x-amz-server-side-encryption-customer-key:Qi1sHpQnppeJAo5WyM8w/BGJXJmTO/LBg6dcjThY6nM=|x-amz-server-side-encryption-customer-key-MD5:IcpiSupe46fQ0fb5AGQ2RQ=="

The x-amz-server-side-encryption-customer-algorithm header specifies AES-256 as the encryption algorithm S3 will use. The x-amz-server-side-encryption-customer-key header is the encryption key, Base64-encoded. The x-amz-server-side-encryption-customer-key-MD5 header is the MD5 hash of the raw key bytes, also Base64-encoded. Amazon will store the x-amz-server-side-encryption-customer-key-MD5 value with the file but not the x-amz-server-side-encryption-customer-key value.

The following is code to generate an encryption key and its MD5 hash in C#.

using System;
using System.Security.Cryptography;

// Generate a random 256-bit key (AesManaged defaults to a 256-bit key size).
AesManaged MyAesManaged = new AesManaged();
MyAesManaged.GenerateKey();
// Base64-encode the raw key bytes for the x-amz-server-side-encryption-customer-key header.
String CustomerKey = Convert.ToBase64String(MyAesManaged.Key);

// Hash the raw key bytes (not the Base64 string) and Base64-encode the digest
// for the x-amz-server-side-encryption-customer-key-MD5 header.
MD5 MyMD5 = MD5.Create();
Byte[] MD5Bytes = MyMD5.ComputeHash(MyAesManaged.Key);
String CustomerKeyMD5 = Convert.ToBase64String(MD5Bytes);
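As an added example (not part of the original post and not S3 Sync's own code), the following Python builds both header strings shown above, the SSE-KMS UploadHeaders value and the SSE-C RequestHeaders value, generates an SSE-C key together with its Base64 MD5, and checks that a key and its MD5 header agree, which is the integrity check S3 performs before it will use a customer-provided key. The only assumption beyond the page is that S3 Sync's header format is name:value pairs joined by "|", exactly as in the two examples; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import os

# Header names exactly as they appear in the S3 Sync examples above.
SSE_KMS_HEADER = "x-amz-server-side-encryption"
SSE_KMS_KEY_ID_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSE_C_ALGORITHM_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSE_C_KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"

AES256_KEY_BYTES = 32  # SSE-C with AES256 requires a 256-bit key


def generate_customer_key() -> bytes:
    """Return 32 random bytes for use as an SSE-C AES-256 key."""
    return os.urandom(AES256_KEY_BYTES)


def customer_key_md5(key: bytes) -> str:
    """Base64 of the MD5 digest of the raw key bytes (not of the Base64 text)."""
    return base64.b64encode(hashlib.md5(key).digest()).decode("ascii")


def build_sse_c_headers(key: bytes) -> str:
    """Build the pipe-delimited SSE-C header string in the assumed S3 Sync
    format 'name:value|name:value' used by the -RequestHeaders example."""
    if len(key) != AES256_KEY_BYTES:
        raise ValueError("SSE-C with AES256 requires a 32-byte key")
    key_b64 = base64.b64encode(key).decode("ascii")
    return "|".join([
        f"{SSE_C_ALGORITHM_HEADER}:AES256",
        f"{SSE_C_KEY_HEADER}:{key_b64}",
        f"{SSE_C_KEY_MD5_HEADER}:{customer_key_md5(key)}",
    ])


def build_sse_kms_headers(kms_key_id: str) -> str:
    """Build the SSE-KMS header string in the same format as the
    -UploadHeaders example above."""
    return f"{SSE_KMS_HEADER}:aws:kms|{SSE_KMS_KEY_ID_HEADER}:{kms_key_id}"


def parse_headers(header_string: str) -> dict:
    """Split 'name:value|name:value' back into a dict. Each item is split on
    the first ':' only, because the SSE-KMS value 'aws:kms' contains a colon."""
    headers = {}
    for item in header_string.split("|"):
        name, value = item.split(":", 1)
        headers[name] = value
    return headers


def verify_customer_key_md5(key_b64: str, md5_b64: str) -> bool:
    """Check that the MD5 header matches the key it is sent with, as S3 does
    before accepting a customer-provided key. A malformed or wrongly sized key,
    or a mismatched digest, yields False instead of an exception."""
    try:
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(key) != AES256_KEY_BYTES:
        return False
    return hmac.compare_digest(customer_key_md5(key), md5_b64)


if __name__ == "__main__":
    # Constructed demo: fresh key, header string, then round-trip and verify.
    demo_key = generate_customer_key()
    sse_c = build_sse_c_headers(demo_key)
    fields = parse_headers(sse_c)
    print("-RequestHeaders", repr(sse_c))
    print("MD5 header matches key:",
          verify_customer_key_md5(fields[SSE_C_KEY_HEADER], fields[SSE_C_KEY_MD5_HEADER]))
    # KMS key ID taken from the page's own example.
    print("-UploadHeaders", repr(build_sse_kms_headers("c112fc98-2e5d-4eab-aebc-0f565aa7e6fc")))
```

Because the -RequestHeaders value carries the raw customer key, anything that records the command line (shell history, scheduled-task definitions, scripts checked into source control) ends up holding the key; generating the string at run time and keeping it out of those places is what "securely store your encryption keys locally" means in practice.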

To read more about server-side encryption see http://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html