Encryption with SSE-SOS
SSE-SOS
To use SSE-SOS, you must first enable encryption at rest on your bucket:
aws --endpoint https://sos-ch-gva-2.exo.io/ s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
This can also be configured using Terraform:
resource "aws_s3_bucket_server_side_encryption_configuration" "my-bucket" {
  bucket = aws_s3_bucket.my-bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
Transferring objects with SSE-SOS:
Uploading and downloading encrypted objects works seamlessly: nothing has to be changed within your application or tools. The only visible difference is an extra header informing you about the encryption status of an object.
You can confirm that encryption at rest is enabled by writing an object to a bucket, and observing the "ServerSideEncryption" header in the response:
$ aws --endpoint https://sos-ch-gva-2.exo.io/ s3api put-object --bucket my-bucket --key sse-sos-object.txt --body plain-text-file.txt
{
    "ETag": "\"da17b5a1c4cd2a8b55f98628e1f1089f\"",
    "ServerSideEncryption": "AES256"
}
The same header is visible when retrieving object metadata using the GetObject and HeadObject operations:
$ aws --endpoint https://sos-ch-gva-2.exo.io/ s3api head-object --bucket my-bucket --key sse-sos-object.txt
{
    "AcceptRanges": "bytes",
    "LastModified": "2025-09-12T14:38:01+00:00",
    "ContentLength": 1050,
    "ETag": "\"da17b5a1c4cd2a8b55f98628e1f1089f\"",
    "VersionId": "null",
    "ContentType": "application/binary",
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}
$ aws --endpoint https://sos-ch-gva-2.exo.io/ s3api get-object --bucket my-bucket --key sse-sos-object.txt /dev/null
{
    "AcceptRanges": "bytes",
    "LastModified": "2025-09-12T14:38:01+00:00",
    "ContentLength": 1050,
    "ETag": "\"da17b5a1c4cd2a8b55f98628e1f1089f\"",
    "VersionId": "null",
    "ContentType": "application/binary",
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}
Note that objects uploaded before enabling SSE-SOS will not be automatically encrypted and will not have the "ServerSideEncryption" header returned when you try to access them.
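To find the objects the note above describes, the script below walks a bucket and reports every key whose HeadObject response lacks "ServerSideEncryption": "AES256". It is an added example, not part of the SOS documentation; the ENDPOINT variable, the function names and the sse-audit.sh file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the SOS documentation): report objects that do not
# come back with ServerSideEncryption=AES256, e.g. uploads that predate SSE-SOS.
# ENDPOINT is an assumed variable name; the default is the endpoint used above.
ENDPOINT="${ENDPOINT:-https://sos-ch-gva-2.exo.io/}"

# Print the ServerSideEncryption value HeadObject returns for bucket $1, key $2.
# With --output text the AWS CLI prints "None" when the field is absent.
sse_status() {
    aws --endpoint "$ENDPOINT" s3api head-object \
        --bucket "$1" --key "$2" \
        --query ServerSideEncryption --output text
}

# Print one "<status><TAB><key>" line per object in bucket $1 that is not
# reported as AES256. Prints nothing when every object is encrypted.
unencrypted_keys() {
    bucket=$1
    # 'Contents[].[Key]' makes the CLI print one key per line, so keys with
    # spaces survive; keys containing newlines are not handled.
    keys=$(aws --endpoint "$ENDPOINT" s3api list-objects-v2 \
        --bucket "$bucket" --query 'Contents[].[Key]' --output text) || return 2
    # An empty bucket has no Contents, which the CLI prints as "None"
    # (a bucket holding only an object literally named "None" is skipped too).
    if [ -z "$keys" ] || [ "$keys" = "None" ]; then
        return 0
    fi
    printf '%s\n' "$keys" | while IFS= read -r key; do
        # </dev/null keeps the CLI from consuming the key list on stdin.
        status=$(sse_status "$bucket" "$key" </dev/null) || status="ERROR"
        [ "$status" = "AES256" ] || printf '%s\t%s\n' "$status" "$key"
    done
}

# Usage: sh sse-audit.sh my-bucket   (exit 1 if any object is not encrypted)
if [ "$#" -gt 0 ]; then
    report=$(unencrypted_keys "$1") || exit 2
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        exit 1
    fi
    echo "all objects in $1 report AES256"
fi
```

Only current object versions are checked; a key listed with status ERROR means the HeadObject call itself failed and should be investigated separately.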