Working with Amazon S3 Server Side Encryption (SSE)
Why might you want to use SSE? What security problems does it solve?
"SSE protects your data in attack scenarios where an attacker has access to the data,
but not access to both keys. Thus this protects against stolen/lost disks.
You can't decrypt without having all the 3 elements: encrypted data, encryption key and the master key.
AWS will decrypt the object for valid requests from AWS customers who are allowed access to the data.
Thus, customers still would be required to securely maintain and manage their access id and secret keys.
Also, you can control who will have access to your data through ACLs and bucket policies."
- Jeff Barr, AWS Evangelist.
To check whether the file is encrypted or not
Select the file and click Files->Properties.
Select the file and open the Properties tab.
The Server-side encrypted row indicates whether the file is encrypted or not.
To encrypt or decrypt files
1. Select the file(s) you want to encrypt or decrypt and click Files -> Server Side Encryption -> Encrypt or Decrypt.
If you click Encrypt, the Choose Server Side Encryption dialog will open:
2. Choose the Server Side Encryption type and click Apply.
To encrypt or decrypt an Amazon S3 Bucket
1. Select the bucket you want to encrypt or decrypt and click Buckets -> Server Side Encryption
2. Click Encrypt to encrypt all files inside the bucket or Decrypt to decrypt them.
If you click Encrypt, the Choose Server Side Encryption dialog will open:
3. Choose the Server Side Encryption type and click Apply.
S3 Browser will apply Server Side Encryption for all files inside the bucket.
If your Amazon S3 Bucket contains a large number of files, this operation may take a while.
You may significantly increase performance with S3 Browser Pro.
It allows you to increase the number of concurrent working threads
and thereby process your files much faster.
Two ways to automatically apply SSE
There are two ways to automatically apply Server Side Encryption. The first one is Server-Side Encryption Rules, an S3 Browser feature that
allows you to define bucket/key specific rules. These rules are stored locally, so they are specific to S3 Browser and to the machine on which they are configured.
S3 Browser's Server-Side Encryption Rules allow you to configure automatic encryption for specific files, folders,
an entire bucket, a subset of buckets, or all buckets in your account.
Server-Side encryption with customer provided key (SSE-C) is also supported.
Another option is
Amazon S3 Default Bucket Encryption, an Amazon S3 feature that allows you to enable SSE on a bucket level.
This is a native S3 feature, so it is not tied to a specific S3 client tool or computer. It can be configured on a bucket level
only: you cannot select specific files or folders, and encryption is applied automatically to any file you upload to the S3 Bucket with any
tool or API.
Server-Side encryption with customer provided key (SSE-C) is not supported by Amazon S3 Default Bucket Encryption.
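Because Server-Side Encryption Rules only take effect on the machine where they are configured, files uploaded with other tools can end up without SSE. The following added example (not part of S3 Browser or of the original page) performs the "is this file encrypted?" check in bulk by classifying HeadObject metadata. The sample metadata, the key names in it and the helper names sse_mode, audit and fetch_heads are assumptions made for illustration.

```python
# Added example: classify objects by server-side encryption using the
# fields Amazon S3 returns from HeadObject (as exposed by boto3).
from collections import Counter

def sse_mode(head):
    """Map a HeadObject-style response dict to an SSE label."""
    if head.get("SSECustomerAlgorithm"):        # customer-provided key
        return "SSE-C"
    algo = head.get("ServerSideEncryption")
    if algo == "AES256":                        # S3-managed keys
        return "SSE-S3"
    if algo in ("aws:kms", "aws:kms:dsse"):     # KMS-managed keys
        return "SSE-KMS"
    return "NONE" if algo is None else "UNKNOWN:" + algo

def audit(objects, required=("SSE-S3", "SSE-KMS", "SSE-C")):
    """Return (count per mode, sorted keys whose mode is not in `required`)."""
    counts, failing = Counter(), []
    for key, head in objects.items():
        mode = sse_mode(head)
        counts[mode] += 1
        if mode not in required:
            failing.append(key)
    return dict(counts), sorted(failing)

# Constructed sample metadata (not real objects or real key identifiers).
SAMPLE = {
    "reports/q1.pdf": {"ServerSideEncryption": "AES256"},
    "reports/q2.pdf": {"ServerSideEncryption": "aws:kms",
                       "SSEKMSKeyId": "arn:aws:kms:EXAMPLE-PLACEHOLDER"},
    "backups/db.bak": {"SSECustomerAlgorithm": "AES256",
                       "SSECustomerKeyMD5": "constructed-placeholder=="},
    "legacy/upload.csv": {},                    # no SSE fields at all
}

def fetch_heads(bucket, keys):
    """Live variant; needs boto3 and credentials. SSE-C objects also
    require the customer key on the request, which is not handled here."""
    import boto3
    s3 = boto3.client("s3")
    return {k: s3.head_object(Bucket=bucket, Key=k) for k in keys}

if __name__ == "__main__":
    counts, failing = audit(SAMPLE)
    print("objects per mode:", counts)
    print("not encrypted as required:", failing)
```

Passing required=("SSE-KMS",) turns the same audit into a check that every object uses a KMS-managed key.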