SSE-C Encryption
Data encryption it's one of the core features of Securae Backup, so on this page we explain how Server-Side Encryption with Customer-Provided Keys (SSE-C) works on object storage solutions like S3.
All the backup files uploaded by you to our systems are encrypted using SSE-C, so only you know the key to decrypt them. We have no way of knowing which encryption key is used.
Server-Side Encryption with Customer-Provided Keys (SSE-C)
Understanding SSE-C
Server-Side Encryption with Customer-Provided Keys (SSE-C) is a security feature offered by Amazon S3 that allows you to encrypt your data at rest using your own encryption keys. This provides you with greater control over your data encryption and key management.
How SSE-C Works
- Key Generation: You generate your own encryption keys. Generated simply with
cat /dev/urandom | head -c 32or tools likeopenssl. - Upload with Encryption: When you upload an object to S3, it uses the encryption key that you provide to apply AES-256 encryption to your data. S3 then removes the encryption key from memory.
- Retrieval with Decryption: When you download the object, S3 decrypts it using the same encryption key and returns the original data.
- Retrieval with Decryption: When you download the object, you must provide the same encryption key as part of your request. S3 first verifies that the encryption key that you provided matches, and then it decrypts the object before returning the object data to you.
Specifications of SSE-C
- Encryption Algorithm: AES-256
- Key Size: 256-bit
- Key Management: You are responsible for generating, managing, and protecting your own encryption keys.
- Data Encryption: S3 encrypts data at rest using your provided key before storing it, and it decrypts data using the same key when you retrieve it.
For more details about the specification, see the Amazon S3 documentation.
SSE-C and SSE-KMS
There is also Service-Side Encryption with Key Management Service (SSE-KMS), and while both SSE-C and SSE-KMS offer encryption for data at rest on S3, they differ in key management and control.
SSE-C provides you with complete control over your encryption keys. You generate, manage, and protect your keys, giving you maximum flexibility and security. This is particularly beneficial for organizations with stringent compliance requirements or that need to maintain full control over their encryption infrastructure.
SSE-KMS on the other hand, relies on KMS to manage your encryption keys. KMS is a managed service that provides features like key rotation, hierarchical key structures, and integration with other cloud services. While this simplifies key management, it also introduces a layer of dependency. If you prefer to maintain complete control over your encryption keys or have specific compliance requirements that necessitate self-managed key management, SSE-C is the better choice.
Support by different vendors
While SSE-C is a core feature of Amazon S3, different cloud providers and storage solutions have implemented their own versions of SSE-C with varying levels of compatibility and additional features.
Below you can find a list of different vendors supporting SSE-C.
MinIO
As described in Minio documentation its SSE-C implementation is highly compatible with Amazon S3's SSE-C.
Google Cloud Platform (GCP)
Cloud Storage from GCP is similar to Amazon S3's, allowing you to provide your own encryption keys.
Microsoft Azure
Azure Storage's implementation is mature enough and it supports most of the AWS S3 features.
OVH Object Storage
The Object Storage service from the European company OVH supports several AWS S3 features too.
Scaleway
Scaleway's Object Storage supports SSE-C as well but currently it's in closed beta phase.
Best Practices for Using SSE-C
- Strong Encryption Keys: Use strong encryption keys, generated from random data.
- Regular Key Rotation: Regularly rotate your encryption keys to enhance security.
- Access Controls: Implement strong access controls to protect your encryption keys and data.
- Monitoring and Logging: Monitor your SSE-C usage and log relevant activities to detect and respond to security incidents.
- Backup your keys: Keep a copy of your keys in a safe place (e.g: a Password Manager).
Conclusion
By understanding SSE-C and the different implementations offered by cloud providers and storage solutions, you can make informed decisions about how to protect your data and maintain control over your encryption keys.