S3 provides several encryption mechanisms to protect your data at rest. These can be broadly categorized into server-side encryption & client-side encryption. Server-side encryption can be achieved using either S3 managed keys (SSE-S3), KMS managed keys (SSE-KMS) or customer-provided keys (SSE-C). Client-side encryption can be achieved using either KMS managed keys (CSE-C) or customer-provided keys (CSE-C). This article describes the steps involved in encrypting & decrypting an S3 object using each of these mechanisms.

SSE-S3

Encryption

When using SSE-S3, the encryption of an object uploaded to S3 happens as follows:

• The client uploads an object to S3.
• S3 generates a data key.
• S3 encrypts the object with the data key.
• S3 encrypts the data key with its master key.
• S3 saves the encrypted object & data key to disk.
• S3 destroys the plaintext data key from memory.

Decryption

When using SSE-S3, the decryption of an object downloaded from S3 happens as follows:

• The client requests S3 for the object.
• S3 fetches the object from disk.
• S3 extracts the encrypted data key from the object’s metadata.
• S3 decrypts the data key using its master key.
• S3 decrypts the object using the decrypted data key.
• S3 returns the decrypted object to the client.

SSE-KMS

Encryption

When using SSE-KMS, the encryption of an object uploaded to S3 happens as follows:

• The client uploads an object to S3.
• S3 requests KMS for a data key.
• KMS returns the plaintext data key & its encrypted version.
• S3 encrypts the object with the plaintext data key.
• S3 saves the encrypted object & data key to disk.
• S3 destroys the plaintext data key from memory.

Decryption

When using SSE-KMS, the decryption of an object downloaded from S3 happens as follows:

• The client requests the object from S3.
• S3 fetches the encrypted object from disk.
• S3 extracts the encrypted data key from the object’s metadata.
• S3 sends the encrypted data key to KMS for decryption.
• KMS decrypts the data key using the CMK.
• KMS returns the decrypted data key to S3.
• S3 decrypts the object using the data key.
• S3 returns the decrypted object to the client.
• S3 destroys the plaintext data key from memory.

SSE-C

Encryption

When using SSE-C, the encryption of an object uploaded to S3 happens as follows:

• The client uploads an object & a key to S3 over HTTPS.
• S3 encrypts the object with the key.
• S3 computes a salted HMAC of the key.
• S3 saves the encrypted object & HMAC to disk.
• S3 destroys the plaintext key from memory.

Decryption

When using SSE-C, the decryption of an object downloaded from S3 happens as follows:

• The client sends the key to S3 & requests the object.
• S3 computes a salted HMAC of the key.
• S3 fetches the encrypted object from disk.
• S3 extracts the salted HMAC from the object’s metadata.
• S3 compares this with the HMAC from step 2.
• If they match, S3 decrypts the object with the key.
• S3 returns the decrypted object to the client.
• S3 destroys the key from memory.

CSE-KMS

Encryption

When using CSE-KMS, the encryption of an object uploaded to S3 happens as follows:

• The client requests a data key from KMS.
• KMS returns a plaintext data key & its encrypted version.
• The client encrypts the object with the data key.
• The client uploads the encrypted object & data key to S3.
• The client destroys the plaintext data key from memory.

Decryption

When using CSE-KMS, the decryption of an object downloaded from S3 happens as follows:

• The client requests the object from S3.
• S3 returns the encrypted object.
• The client extracts the encrypted data key from the object’s metadata.
• The client sends this to KMS for decryption.
• KMS decrypts & returns the decrypted data key.
• The client decrypts the object using the plaintext data key.
• The client destroys the plaintext data key from memory.

CSE-C

Encryption

When using CSE-C, the encryption of an object uploaded to S3 happens as follows:

• The client generates a data key.
• The client encrypts the object with the data key.
• The client encrypts the data key with its master key.
• The client uploads the encrypted object & data key to S3.
• The client destroys the plaintext data key from memory.

Decryption

When using CSE-C, the decryption of an object downloaded from S3 happens as follows:

• The client requests the object from S3.
• S3 returns the encrypted object.
• The client extracts the encrypted data key from the object’s metadata.
• The client decrypts the data key using its master key.
• The client decrypts the object using the data key.
• The client destroys the data key from memory.