S3 Data Encryption – SSE-C and SSE-S3

Overview

  • With increasing security threats and stricter legal requirements, it is essential to implement strong measures to secure data. This covers not only data in transit but also data at rest.

  • Protecting data stored on physical devices or in the cloud is a crucial part of any organization's IT security strategy. In this context, there are two main approaches to encrypting this data: client-side encryption (CSE) and server-side encryption (SSE).

    • Client-side encryption (CSE) allows customers to encrypt their data on their own devices before sending it to the Fstorage server for storage. This ensures that the data remains encrypted throughout its entire lifecycle, providing a high level of security because the encryption keys are managed by the customer and are never shared with Fstorage or any third parties. This approach requires customers to carefully manage their keys, but it is an ideal solution for those who require full control over their data security.

    • Server-side encryption (SSE) provides an alternative solution where data is encrypted when it reaches the Fstorage server. This is the responsibility of Fstorage, significantly reducing the security management burden on customers. There are two methods of server-side encryption:

      • SSE-C - Server-Side Encryption with Customer-Provided Keys: Customers provide and manage their own encryption keys, giving them full control over data security. This option is particularly suitable for organizations with specific compliance and data security needs, as it allows exclusive management of encryption keys.

        • HI GIO S3 does not store your keys. If the key is lost, all data encrypted with it will be lost, and there is no way to recover it.

      • SSE-S3 - Server-Side Encryption with HI GIO S3 Cloud-Managed Keys (in development): This simplifies the encryption process by using keys managed by Fstorage. This method is ideal for customers who want a robust encryption solution without the complexities of key management. It integrates the use of KMS (Key Management Service).
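The example below is added here to illustrate what the two modes look like at the request level; it is not code from HI GIO S3 or Fstorage. It assumes HI GIO S3 honours the standard S3 request headers for SSE-C (`x-amz-server-side-encryption-customer-algorithm`, `-customer-key`, `-customer-key-MD5`) and for SSE-S3 (`x-amz-server-side-encryption`). The key is generated and held only on the client side, which is exactly why losing it makes the data unrecoverable: the server receives the key per request and discards it.

```python
import base64
import hashlib
import secrets

# SSE-C on S3-compatible stores requires a 256-bit AES key supplied by the client.
SSEC_KEY_LEN = 32


def generate_ssec_key() -> bytes:
    """Generate a fresh 256-bit customer key. The caller must persist this
    securely; the storage server never keeps a copy."""
    return secrets.token_bytes(SSEC_KEY_LEN)


def ssec_headers(key: bytes) -> dict:
    """Build the three SSE-C request headers for a PUT or GET.

    The key travels base64-encoded; the MD5 header lets the server detect a
    corrupted or mismatched key before it touches the object.
    """
    if len(key) != SSEC_KEY_LEN:
        raise ValueError(f"SSE-C key must be {SSEC_KEY_LEN} bytes, got {len(key)}")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(
            hashlib.md5(key).digest()
        ).decode(),
    }


def sse_s3_headers() -> dict:
    """Build the single SSE-S3 request header: the server picks and manages
    the key, so the client sends no key material at all."""
    return {"x-amz-server-side-encryption": "AES256"}


def server_key_matches(headers: dict) -> bool:
    """Mirror the integrity check a server performs on an incoming SSE-C
    request: the supplied key must hash to the supplied MD5 header."""
    try:
        key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
        given = headers["x-amz-server-side-encryption-customer-key-MD5"]
    except (KeyError, ValueError):
        return False
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    return secrets.compare_digest(expected, given)


if __name__ == "__main__":
    # Constructed demo: the client owns the key, the server only validates it.
    key = generate_ssec_key()
    put_headers = ssec_headers(key)
    print("SSE-C headers:", put_headers)
    print("server accepts key:", server_key_matches(put_headers))

    # A GET with the wrong key (e.g. after the real one was lost) is rejected.
    wrong = dict(put_headers)
    wrong["x-amz-server-side-encryption-customer-key"] = base64.b64encode(
        generate_ssec_key()
    ).decode()
    print("server accepts wrong key:", server_key_matches(wrong))

    print("SSE-S3 header:", sse_s3_headers())
```

Note that the same headers must be sent on every GET of an SSE-C object, not just on the PUT; a client that writes with SSE-C and later reads without the key receives an error, which is the operational consequence of the key-loss warning above. SDKs such as boto3 expose these headers as request parameters, but the wire format is what is shown here.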