Encryption and SOS

Encryption with SOS is realized at various levels:

  • Data in transit
  • Data at rest

Encryption in transit

By default, all data and metadata sent to or retrieved from buckets and objects through the SOS endpoints is encrypted in transit using HTTPS (TLS).

Encryption at rest

To ensure that data can always be retrieved in a consistent form, SOS does not apply encryption at rest by default. Encryption at rest is nevertheless strongly encouraged, but it remains the customer's responsibility, which keeps the separation of duties intact.

It can be achieved using:

  • Client-side encryption: data is encrypted by the client library, tool or code before it is sent to SOS.
  • Server-side encryption with a customer-provided key (SSE-C): data is encrypted on the server (on SOS) when it is received and decrypted on the server when it is read, using keys supplied by the customer.

Note

SSE-KMS, while similar to SSE-C, is currently not supported on Exoscale. A KMS implementation is planned for a future release, and this page will be updated accordingly when it becomes available.

SSE-C

To use SSE-C, you need to be able to manage your own keys. Data can only be retrieved by providing the original key, so your keys must be stored in a durable and highly available way.

The keys must be 256-bit AES keys and are provided to the SOS API base64-encoded. An example command to generate such a key (32 random bytes written to a file) is:

openssl rand -out my_personal_sse-c.key 32

Transferring objects with SSE-C:

Make sure to refer to the previous versioning section.

Uploading and downloading encrypted objects work similarly: both use the cp operation and pass the key to be used for encryption or decryption as a command-line parameter. It is up to you to keep track of which key was used for which object.

The following command generates a 256-bit key as a base64-encoded string for use as the encryption key:

head -c 32 /dev/urandom | base64

Object upload:

mc cp encrypted_file_to_upload.txt myminio/mylockedbucket/encrypted_file_uploaded.txt --encrypt-key "myminio/mylockedbucket/=wMEoiDXcIAh/uxEQ4vAKaoNwrOQmK5yrseIKieUO494="

If you try to display the content of the encrypted object without supplying the encryption key, you should receive the following error, which confirms that it has been server-side encrypted correctly.

mc cat myminio/mylockedbucket/encrypted_file_uploaded.txt

mc: Unable to read from myminio/mylockedbucket/encrypted_file_uploaded.txt. 400 Bad Request.
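What the mc command above does on the wire, as an added example written for this page (not Exoscale's or mc's own code): it generates a key the way the page requires, checks that a base64 key really is 256 bits, and builds the three SSE-C headers that an S3-compatible client sends with both the upload and the later download. The header names are the standard S3 SSE-C ones; the sample key is the one from the mc example above.

```python
import base64
import hashlib
import os

# Header names defined by the S3 SSE-C API; SOS is S3-compatible.
HDR_ALGO = "x-amz-server-side-encryption-customer-algorithm"
HDR_KEY = "x-amz-server-side-encryption-customer-key"
HDR_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def generate_ssec_key() -> str:
    """Return a fresh 256-bit key, base64-encoded as SOS expects it."""
    return base64.b64encode(os.urandom(32)).decode("ascii")


def validate_ssec_key(key_b64: str) -> bytes:
    """Decode a base64 SSE-C key and reject anything that is not exactly 32 bytes.

    A wrong-length key is the usual cause of a 400 Bad Request on upload,
    so failing here is cheaper than failing at the endpoint.
    """
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("SSE-C key is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"SSE-C key must be 32 bytes (256 bits), got {len(raw)}")
    return raw


def ssec_headers(key_b64: str) -> dict:
    """Build the SSE-C request headers for a PUT or GET on an object.

    The MD5 header lets the server confirm the key arrived intact before it
    encrypts or decrypts anything; the key itself only ever travels over TLS
    and is never stored by the server.
    """
    raw = validate_ssec_key(key_b64)
    key_md5 = base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")
    return {HDR_ALGO: "AES256", HDR_KEY: key_b64, HDR_KEY_MD5: key_md5}


if __name__ == "__main__":
    # Key taken from the mc example on this page; a real one stays in a vault.
    demo_key = "wMEoiDXcIAh/uxEQ4vAKaoNwrOQmK5yrseIKieUO494="
    for name, value in ssec_headers(demo_key).items():
        print(f"{name}: {value}")
```

The same three headers must be sent again on every GET; without them the server returns the 400 shown above, which is exactly the behaviour the page describes.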

Limitations:

SSE-C has no CLI or Portal support; the use of native tools that support SSE-C is recommended. SOS does not allow copying an object from one key to another: to support this case, the object must first be retrieved locally and then re-uploaded.