Lyve Cloud Documentation

Using SSE-C to Encrypt Objects

As a key security feature, all data is encrypted before it is stored, regardless of whether the data is already encrypted at the source. This data protection feature cannot be disabled. Two options for server-side encryption are supported:

  • Server-side encryption with client-provided key (SSE-C)

  • Server-side encryption with a key generated by the Lyve Cloud key management system (KMS) (SSE-S3)

This example illustrates how customers can use S3 server-side encryption with client-provided keys (SSE-C).

Listing contents of the bucket

Let us first list current objects in the bucket so that any new object added to the bucket can be identified.

Use the following command to list contents of the bucket.

aws s3 ls ak-atempo1 --profile LCDemo --endpoint https://s3.us-east-1.lyvecloud.seagate.com
PRE docs/
PRE level1/
PRE topleveldir/
2022-12-02 18:12:53  536 allprefixakcopy.json

Creating an object

Create a sample object. When creating a sample object, the object is unencrypted. However, S3 encrypts the object during the upload operation.

echo "Test SSE-C Key" > ssec.txt

Creating a key

Create a key to encrypt the object.

openssl rand -out ssec.key 32

Uploading the object

Using the following command, the object (ssec.txt) is uploaded to S3. S3 encrypts the object using the provided key (ssec.key).

aws s3 cp ssec.txt s3://ak-atempo1/ssec.txt --sse-c AES256 --sse-c-key fileb://ssec.key  --profile LCDemo --endpoint https://s3.us-east-1.lyvecloud.seagate.com

The following output occurs after the command is executed.

upload: ./ssec.txt to s3://ak-atempo1/ssec.txt

Listing contents of the bucket

Use the following command to list the contents of the bucket. The newly uploaded object (ssec.txt) is listed:

aws s3 ls ak-atempo1 --profile LCDemo --endpoint https://s3.us-east-1.lyvecloud.seagate.com
PRE docs/
PRE level1/
PRE topleveldir/
2022-12-02 18:12:53    536 allprefixakcopy.json
2023-01-25 16:24:56    15 ssec.txt

Downloading the object

Using the following command, the object ssec.txt is downloaded from S3. S3 decrypts the object using the key ssec.key:

aws s3 cp s3://ak-atempo1/ssec.txt ssec-downloaded.txt --sse-c AES256 --sse-c-key fileb://ssec.key --profile LCDemo --endpoint https://s3.us-east-1.lyvecloud.seagate.com

The following output occurs after the command is executed.

download: s3://ak-atempo1/ssec.txt to ./ssec-downloaded.txt

Contents of the downloaded file

Run the following command to check the content of the object downloaded from S3.

cat ssec-downloaded.txt
Test SSE-C Key
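
Because the download step needs the same key file that was used for the upload, the key from the "Creating a key" step should be created with restrictive permissions, checked for length, and never overwritten by accident. The helper functions below are an added example, not part of the Lyve Cloud documentation; the function names are hypothetical, the openssl command is assumed to be installed, and the use of the key's base64 MD5 as an identifier follows the S3 API convention, which is assumed to apply here.

```shell
#!/usr/bin/env bash
# Added example (not from the Lyve Cloud documentation).
# Function names are hypothetical; requires the openssl command.
set -eu

# Create a 256-bit SSE-C key that only the current user can read.
# Refuses to overwrite an existing file, because objects uploaded with
# the old key can only be downloaded with that same key.
new_ssec_key() {
    new_keyfile=$1
    if [ -e "$new_keyfile" ]; then
        echo "refusing to overwrite existing key: $new_keyfile" >&2
        return 1
    fi
    # umask 077 in a subshell: the file is created with mode 0600 and the
    # caller's umask is left unchanged.
    ( umask 077 && openssl rand -out "$new_keyfile" 32 )
}

# --sse-c AES256 with fileb:// expects exactly 32 raw bytes,
# not a hex or base64 rendering of them.
check_ssec_key() {
    key_size=$(wc -c < "$1" | tr -d ' ')
    [ "$key_size" -eq 32 ]
}

# Base64-encoded MD5 digest of the key bytes. The S3 API carries this value
# in x-amz-server-side-encryption-customer-key-MD5 (assumed to apply to
# Lyve Cloud as an S3-compatible service). It identifies a key in notes
# or inventories without exposing the key itself.
ssec_key_fingerprint() {
    openssl dgst -md5 -binary "$1" | openssl base64
}

# Confirm that a downloaded file matches the original byte for byte.
same_content() {
    cmp -s "$1" "$2"
}
```

Run `new_ssec_key ssec.key` in place of the bare key-creation command, then pass the file with `--sse-c-key fileb://ssec.key` as in the upload and download steps; `same_content ssec.txt ssec-downloaded.txt` confirms the round trip.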