Encryption
Encryption with SOS is realized at various levels:
- Data in transit
- Data at rest
Encryption in transit
By default, all data and metadata sent to or retrieved from buckets using SOS endpoints over HTTPS is encrypted in transit using TLS.
Encryption at rest
To protect data at rest, multiple options are available when using SOS:
- Client side encryption: data is encrypted before being sent to SOS by the client library, tool or code. With this mode, the encryption process, encryption key and libraries are fully managed by you.
- Server side encryption: data is transparently encrypted by SOS upon reception and transparently deciphered at egress, without any extra costs.
Exoscale supports two types of server-side encryption at rest:
- Server-side encryption with Exoscale managed keys, SSE-SOS (recommended). Reference: Encryption with SSE-SOS
- Server-side encryption with customer provided keys, SSE-C. Reference: Encryption with SSE-C
Note: All new buckets are created with SSE-SOS enabled by default. Once enabled, SSE-SOS cannot be disabled. It acts as a default for new uploads, while still allowing SSE-C to be used on specific objects if needed.
Note: SSE-KMS, while similar to SSE-SOS, is currently not supported on Exoscale. A KMS implementation is planned for a future release and this page will be updated accordingly when available.
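Per-object SSE-C, as described above, works by the client sending its own key with each request. The following is an added example, not code from Exoscale's documentation; it assumes SOS honours the standard S3 SSE-C header names (the page does not list them) and shows both the client-side header construction and the check a server performs before using the key.

```python
import base64
import hashlib
import secrets

# Standard S3 SSE-C request headers (assumed to apply to SOS, which
# exposes an S3-compatible API; the page itself does not list them).
ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def generate_ssec_key() -> bytes:
    """Create a fresh 256-bit key for one object or group of objects.

    The server never stores this key: keep it in your own secrets store
    and present it again on every GET/HEAD of the object. A lost key
    means the object is unrecoverable.
    """
    return secrets.token_bytes(32)


def ssec_headers(key: bytes) -> dict:
    """Build the three SSE-C headers the client attaches to a request.

    The raw key travels base64-encoded (protected by TLS, per the page),
    and its MD5 lets the server reject a damaged key before touching data.
    """
    if len(key) != 32:
        raise ValueError("SSE-C needs a 256-bit (32-byte) key")
    return {
        ALGO_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        KEY_MD5_HEADER: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def validate_ssec_headers(headers: dict) -> bytes:
    """Server-side view: recover the key and check it against its MD5.

    Raises ValueError (an S3 endpoint would answer 400) on any mismatch,
    so a truncated or wrong key never encrypts or decrypts anything.
    """
    if headers.get(ALGO_HEADER) != "AES256":
        raise ValueError("unsupported SSE-C algorithm")
    key = base64.b64decode(headers[KEY_HEADER], validate=True)
    if len(key) != 32:
        raise ValueError("SSE-C key must decode to 32 bytes")
    expected = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    if headers.get(KEY_MD5_HEADER) != expected:
        raise ValueError("SSE-C key MD5 mismatch")
    return key


# Constructed demo key (never reuse a fixed key): bytes 0x00..0x1f.
DEMO_KEY = bytes(range(32))
```

Objects uploaded without these headers still land encrypted under the bucket's default SSE-SOS; only objects sent with them require the key again on every read.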