update for SSE

chrislusf
2025-09-11 11:34:44 -07:00
parent d231a0f9fd
commit 15ca722eaa
2 changed files with 46 additions and 16 deletions

@@ -1,6 +1,7 @@
# SSE-KMS: Server-Side Encryption with Key Management Service
SeaweedFS SSE-KMS supports multiple external Key Management Service providers for enterprise-grade encryption key management. This guide covers setup and configuration for AWS KMS, Google Cloud KMS, and OpenBao/Vault.
SeaweedFS SSE-KMS supports multiple external Key Management Service providers for enterprise-grade encryption key management. This guide covers setup and configuration for AWS KMS, Google Cloud KMS, OpenBao/Vault.
and Azure Key Vault (experimental, build tag `azurekms`).
## Supported KMS Providers
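Review bot: the rewritten intro sentence in this hunk (the second line beginning "SeaweedFS SSE-KMS supports") ends with a period after "OpenBao/Vault." and then continues on the next line with "and Azure Key Vault (experimental, build tag `azurekms`).", so the rendered page shows a sentence fragment. Change the period to a comma and keep it on one line: "... AWS KMS, Google Cloud KMS, OpenBao/Vault, and Azure Key Vault (experimental, build tag `azurekms`)."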
@@ -9,7 +10,7 @@ SeaweedFS SSE-KMS supports multiple external Key Management Service providers fo
| **AWS KMS** | Full support | AWS-centric deployments |
| **Google Cloud KMS** | Full support | GCP-centric deployments |
| **OpenBao/Vault** | Full support | Hybrid/on-premises environments |
| **Azure Key Vault** | Planned | Future Azure deployments |
| **Azure Key Vault** | Experimental (build tag `azurekms`) | Azure-centric deployments |
## Quick Start Guide
@@ -208,14 +209,31 @@ aws s3 cp file.txt s3://mybucket/file.txt \
---
## Azure Key Vault Integration
## Azure Key Vault Integration (Experimental)
**Status**: Planned (not yet implemented)
Azure Key Vault support exists behind the build tag `azurekms` and is considered experimental. To enable it, build SeaweedFS with the tag and configure the provider:
Azure Key Vault integration is planned for future releases. When available, it will support:
- Azure AD authentication
- HSM-backed keys
- Integration with Azure Monitor
```bash
# Build with Azure KMS support (example)
go build -tags azurekms ./weed
```
```json
{
"kms": {
"providers": {
"azure": {
"type": "azure",
"vault_url": "https://<your-vault>.vault.azure.net/",
"tenant_id": "<tenant>",
"client_id": "<client>",
"client_secret": "<secret>",
"use_default_creds": false
}
}
}
}
```
---
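Review bot: the JSON example in this hunk puts `client_secret` inline with `"use_default_creds": false`, so anyone who copies it ends up with a live credential sitting in the S3 config file. Since the schema already exposes `use_default_creds`, show that form first (`"use_default_creds": true` with no `client_id`/`client_secret`) for managed identity or environment-based login, and keep the explicit-secret variant as the fallback with a sentence that the config file then contains a secret and needs restrictive file permissions. The removed bullets about Azure AD authentication and HSM-backed keys also disappear without replacement; if either holds for the experimental provider, state it under the new heading, and list which Key Vault key permissions the configured identity needs, which the section currently does not say.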

@@ -1,6 +1,6 @@
# Server-Side Encryption (SSE)
SeaweedFS supports AWS S3-compatible server-side encryption to protect data at rest. Two encryption methods are available, each offering different levels of control over encryption keys and management.
SeaweedFS supports AWS S3-compatible server-side encryption to protect data at rest. Three encryption methods are available, each offering different levels of control over encryption keys and management.
## Overview
@@ -8,13 +8,14 @@ SeaweedFS supports AWS S3-compatible server-side encryption to protect data at r
|------------------|----------------|----------|
| **SSE-KMS** | External KMS providers | Enterprise key management, audit trails |
| **SSE-C** | Customer-provided | Full customer control, regulatory compliance |
| **SSE-S3** | SeaweedFS-managed | Simple server-managed encryption, bucket defaults |
## Encryption Types
### SSE-KMS (Server-Side Encryption with Key Management Service)
- **Best for**: Enterprise environments with external KMS infrastructure
- **Key management**: External providers (AWS KMS, Google Cloud KMS, OpenBao/Vault)
- **Features**: Centralized key management, detailed audit logs, per-bucket key assignment
- **Key management**: External providers (AWS KMS, Google Cloud KMS, OpenBao/Vault, Azure Key Vault [experimental])
- **Features**: Centralized key management, detailed audit logs, per-bucket key assignment, optional Bucket Key optimization
- **Configuration**: Requires KMS provider setup in S3 config
- **Documentation**: [SSE-KMS Guide](Server-Side-Encryption-SSE-KMS.md)
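Review bot: "optional Bucket Key optimization" is introduced in the SSE-KMS Features bullet without a definition anywhere in this file, and the SSE-KMS guide hunk above does not mention it either. Either drop the phrase or add a one-line description of what it changes (and where it is enabled), since a reader cannot otherwise tell whether it affects which key encrypts each object.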
@@ -25,6 +26,12 @@ SeaweedFS supports AWS S3-compatible server-side encryption to protect data at r
- **Configuration**: Keys provided via HTTP headers
- **Documentation**: [SSE-C Guide](Server-Side-Encryption-SSE-C.md)
### SSE-S3 (Server-Managed Keys)
- **Best for**: Simple, fully managed encryption with minimal configuration
- **Key management**: SeaweedFS-managed keys with automatic key handling
- **Features**: Works with explicit `x-amz-server-side-encryption: AES256` and bucket default encryption; supports multipart uploads and range requests
- **Configuration**: Optional bucket-level default encryption via standard S3 bucket encryption API
## Quick Start
### SSE-KMS (Enterprise)
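Review bot: the new SSE-S3 subsection is missing the "**Documentation**" bullet that the SSE-KMS and SSE-C subsections both carry, and "**Key management**: SeaweedFS-managed keys with automatic key handling" does not say where the master key is stored, how it is protected at rest, or whether it can be rotated. That is the first thing a reader choosing between SSE-S3 and SSE-KMS needs in order to threat-model the option; add the link and one sentence on key storage and rotation, or state explicitly that SSE-S3 offers no key control beyond what SeaweedFS does internally.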
@@ -47,6 +54,13 @@ aws s3 cp file.txt s3://mybucket/file.txt \
--sse-c-key fileb://customer-key.bin
```
### SSE-S3 (Server-Managed)
```bash
# Explicit SSE-S3 on upload (or configure bucket default encryption)
aws s3 cp file.txt s3://mybucket/file.txt \
--server-side-encryption AES256
```
## Configuration
### Basic Setup
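Review bot: the comment in the SSE-S3 quick start says "(or configure bucket default encryption)" but only the per-object `--server-side-encryption AES256` form is shown, while the Overview table lists bucket defaults as the SSE-S3 use case. Add the matching `aws s3api put-bucket-encryption` call so the quick start demonstrates both paths, and note that once a bucket default is set, uploads without the header are encrypted too.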
@@ -90,7 +104,7 @@ weed s3 -config=s3_kms_config.json
- Multipart uploads with consistent encryption
- Cross-encryption copy operations
- Object metadata preservation
- Range requests (SSE-KMS only; SSE-C does not support range requests)
- Range requests for SSE-C, SSE-KMS, and SSE-S3
**AWS S3 Compatibility:**
- Identical API behavior and headers
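Review bot: this line reverses the previous statement that SSE-C does not support range requests. The SSE-C guide (Server-Side-Encryption-SSE-C.md) is linked from this file but not touched in this commit, so check that it no longer carries the old restriction, and say here whether a ranged GET on an SSE-C object must still present the customer key headers mentioned under "Keys provided via HTTP headers", since that determines how clients doing partial reads have to be written.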
@@ -99,10 +113,8 @@ weed s3 -config=s3_kms_config.json
## Implementation Notes
- **SSE-KMS**: Supports AWS KMS, Google Cloud KMS, OpenBao/Vault
- **SSE-KMS**: Supports AWS KMS, Google Cloud KMS, OpenBao/Vault; Azure Key Vault is available behind the `azurekms` build tag (experimental)
- **SSE-C**: Full support with security best practices
- **Azure Key Vault**: Not yet implemented (planned)
**Note**: SSE-S3 (server-managed keys) is currently in development and not yet production-ready.
- **SSE-S3**: Supported with SeaweedFS-managed keys and bucket default encryption
For detailed setup guides, examples, and configuration options, see the individual encryption method documentation linked above.
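Review bot: replacing the "not yet production-ready" note for SSE-S3 with "Supported" gives no version boundary, so readers on an older build cannot tell whether their release has it. Add the release (or commit) from which SSE-S3 is supported, and do the same for the `azurekms` build tag in the line above, so that "experimental" and "supported" are tied to concrete versions rather than to the date of this edit.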