lsm/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2025-11-24 08:46:54 +08:00
Code Issues Actions 17 Packages Projects Releases Wiki Activity
Page: Server Side Encryption SSE C
Pages
AWS CLI with SeaweedFS AWS IAM CLI Actual Users Admin UI Amazon IAM API Amazon S3 API Applications Async Backup Async Filer Metadata Backup Async Replication to Cloud Async Replication to another Filer Benchmark SeaweedFS as a GlusterFS replacement Benchmarks from jinleileiking Benchmarks Cache Remote Storage Choosing a Filer Store Client Libraries Cloud Drive Architecture Cloud Drive Benefits Cloud Drive Quick Setup Cloud Monitoring Cloud Tier Components Configure Remote Storage Customize Filer Store Data Backup Data Structure for Large Files Deployment to Kubernetes and Minikube Directories and Files Docker Compose for S3 Docker Image Registry with SeaweedFS Environment Variables Erasure Coding for warm storage Error reporting to sentry FAQ FIO benchmark FUSE Mount Failover Master Server File Operations Quick Reference Filer Active Active cross cluster continuous synchronization Filer Cassandra Setup Filer Change Data Capture Filer Commands and Operations Filer Data Encryption Filer JWT Use Filer Metadata Events Filer Redis Setup Filer Server API Filer Setup Filer Store Replication Filer Stores Filer as a Key Large Value Store Gateway to Remote Object Storage Getting Started HDFS via S3 connector Hadoop Benchmark Hadoop Compatible File System Hardware Hobbyest Tinkerer scale on premises tutorial Home Independent Benchmarks Kafka to Kafka Gateway to SMQ to SQL Keycloak Integration Kubernetes Backups and Recovery with K8up Large File Handling Load Command Line Options from a file Master Server API Migrate to Filer Store Mount Remote Storage Optimization Path Specific Configuration Path Specific Filer Store PostgreSQL compatible Server weed db Production Setup Pub Sub to SMQ to SQL Replication Run Blob Storage on Public Internet Run Presto on SeaweedFS S3 API Audit log S3 API Benchmark S3 API FAQ S3 Bucket Quota S3 CORS S3 Conditional Operations S3 Credentials S3 Nginx Proxy S3 Object Lock and Retention S3 Object Versioning SQL Queries on Message Queue SQL Quick Reference SRV Service Discovery Seaweed Message Queue SeaweedFS Java Client SeaweedFS in Docker Swarm Security Configuration Security Overview Server Side Encryption SSE C Server Side Encryption SSE KMS Server Side Encryption Server Startup via Systemd Store file with a Time To Live Structured Data Lake with SMQ and SQL Super Large Directories System Metrics TensorFlow with SeaweedFS Tiered Storage UrBackup with SeaweedFS Use Cases Volume Files Structure Volume Management Volume Server API WebDAV Words from SeaweedFS Users Worker fstab nodejs with Seaweed S3 rclone with SeaweedFS restic with SeaweedFS run HBase on SeaweedFS run Spark on SeaweedFS s3cmd with SeaweedFS weed shell
Clone
2
Server Side Encryption SSE C
chrislusf edited this page 2025-09-15 21:19:52 -07:00
Table of Contents

Server-Side Encryption with Customer-provided Keys (SSE-C)

With SSE-C, you bring your own keys and SeaweedFS does the heavy lifting. Your app sends the key with each request, and we encrypt/decrypt on the server side—without ever storing your key.

Overview

SSE-C gives you client-side key management with server-side encryption:

  • Client provides: AES-256 encryption key and MD5 hash
  • SeaweedFS handles: Encryption/decryption operations transparently
  • Security: Keys are never stored on the server

Required Headers

For all SSE-C operations, include these headers:

X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256
X-Amz-Server-Side-Encryption-Customer-Key: <base64-encoded-256-bit-key>
X-Amz-Server-Side-Encryption-Customer-Key-MD5: <md5-of-key>

HTTP Examples

Upload Encrypted Object

# Generate a 256-bit key
KEY=$(openssl rand -base64 32)
KEY_MD5=$(echo -n "$KEY" | base64 -d | md5sum | cut -d' ' -f1)

# Upload encrypted object
curl -X PUT "http://localhost:8333/bucket/encrypted-file.txt" \
  -H "X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256" \
  -H "X-Amz-Server-Side-Encryption-Customer-Key: $KEY" \
  -H "X-Amz-Server-Side-Encryption-Customer-Key-MD5: $KEY_MD5" \
  -H "Content-Type: text/plain" \
  --data "This content will be encrypted"

Download Encrypted Object

# Download and decrypt object (must use same key)
curl "http://localhost:8333/bucket/encrypted-file.txt" \
  -H "X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256" \
  -H "X-Amz-Server-Side-Encryption-Customer-Key: $KEY" \
  -H "X-Amz-Server-Side-Encryption-Customer-Key-MD5: $KEY_MD5"

Get Object Metadata

# Get metadata for encrypted object
curl -I "http://localhost:8333/bucket/encrypted-file.txt" \
  -H "X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256" \
  -H "X-Amz-Server-Side-Encryption-Customer-Key: $KEY" \
  -H "X-Amz-Server-Side-Encryption-Customer-Key-MD5: $KEY_MD5"

Copy Operations

# Copy encrypted object to new location (same key)
curl -X PUT "http://localhost:8333/bucket/copied-file.txt" \
  -H "x-amz-copy-source: /bucket/encrypted-file.txt" \
  -H "X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256" \
  -H "X-Amz-Server-Side-Encryption-Customer-Key: $KEY" \
  -H "X-Amz-Server-Side-Encryption-Customer-Key-MD5: $KEY_MD5" \
  -H "x-amz-copy-source-server-side-encryption-customer-algorithm: AES256" \
  -H "x-amz-copy-source-server-side-encryption-customer-key: $KEY" \
  -H "x-amz-copy-source-server-side-encryption-customer-key-md5: $KEY_MD5"

# Copy encrypted object with different key
NEW_KEY=$(openssl rand -base64 32)
NEW_KEY_MD5=$(echo -n "$NEW_KEY" | base64 -d | md5sum | cut -d' ' -f1)

curl -X PUT "http://localhost:8333/bucket/reencrypted-file.txt" \
  -H "x-amz-copy-source: /bucket/encrypted-file.txt" \
  -H "X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256" \
  -H "X-Amz-Server-Side-Encryption-Customer-Key: $NEW_KEY" \
  -H "X-Amz-Server-Side-Encryption-Customer-Key-MD5: $NEW_KEY_MD5" \
  -H "x-amz-copy-source-server-side-encryption-customer-algorithm: AES256" \
  -H "x-amz-copy-source-server-side-encryption-customer-key: $KEY" \
  -H "x-amz-copy-source-server-side-encryption-customer-key-md5: $KEY_MD5"

AWS CLI Usage

# Upload with SSE-C
aws s3 cp file.txt s3://mybucket/file.txt \
  --sse-c AES256 \
  --sse-c-key fileb://customer-key.bin

# Download with SSE-C
aws s3 cp s3://mybucket/file.txt downloaded-file.txt \
  --sse-c AES256 \
  --sse-c-key fileb://customer-key.bin

# Copy with SSE-C (same key)
aws s3 cp s3://mybucket/file.txt s3://mybucket/file-copy.txt \
  --sse-c AES256 \
  --sse-c-key fileb://customer-key.bin \
  --sse-c-copy-source AES256 \
  --sse-c-copy-source-key fileb://customer-key.bin

Error Codes

Error HTTP Status Description
InvalidEncryptionAlgorithmError 400 Algorithm must be "AES256"
InvalidArgument 400 Invalid key format or MD5 mismatch
InvalidRequest 400 Missing SSE-C headers

Common Issues

Wrong algorithm:

X-Amz-Server-Side-Encryption-Customer-Algorithm: AES128  # Error!

Invalid key length:

X-Amz-Server-Side-Encryption-Customer-Key: dGVzdA==      # Error! (too short)

Missing key for encrypted object:

curl http://localhost:8333/bucket/encrypted-file.txt     # Error!

Related Documentation

Introduction

API

Configuration

Filer

Filer Stores

Management

Advanced Filer Configurations

FUSE Mount

WebDAV

Cloud Drive

AWS S3 API

Server-Side Encryption

AWS IAM

Machine Learning

HDFS

Replication and Backup

Metadata Change Events

Messaging

Use Cases

Operations

Advanced

Security

Misc Use Case Examples