VAST Cluster can perform server-side encryption (SSE) of S3 data at rest with the encryption keys provided by the client (SSE-C).
With SSE-C, the client provides and manages an encryption key used to encrypt the S3 objects at their destination. The cluster holds the key only for the time needed to handle the request and does not store it persistently. When accessing an encrypted object, the client is expected to provide the same encryption key as the one used to encrypt the object.
Caution
If the client fails to provide the same encryption key, the encrypted data cannot be decrypted. The VAST cluster does not provide any recovery procedures for such data.
The following operations may involve SSE-C encryption:
GetObject
HeadObject
PutObject
CreateMultipartUpload
UploadPart
CopyObject
CopyPart
UploadPartCopy
Presigned POST
The client is expected to use the x-amz-server-side-encryption-customer-* headers to pass a 256-bit, base64-encoded encryption key, the encryption algorithm to be used, and the checksum of the unencrypted key with each request that requires encryption of the object at its destination. For each CreateMultipartUpload request, all subsequent UploadPart requests must contain the same header values as the CreateMultipartUpload request.
Support for S3 SSE-C is enabled by default. No manual configuration is needed.
The following rules and limitations apply:
If an S3 request contains an x-amz-server-side-encryption-customer-* header, it is required to use HTTPS for the request to be accepted by the cluster.
Only AES256 encryption algorithm is supported.
Objects encrypted with SSE-C cannot be accessed through other access protocols.
For replication environments, it is strongly recommended to avoid using SSE-C unless all of the clusters involved support SSE-C.
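The header set and rules described above, built and checked in Python as an added example (not VAST's own code). The three header names are those of the AWS S3 SSE-C API and are assumed to apply here; the endpoint URL and function names are hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

PREFIX = "x-amz-server-side-encryption-customer-"


def sse_c_headers(key: bytes, endpoint_url: str) -> dict:
    """Build the three SSE-C request headers for a raw 256-bit key."""
    # Rule from the page: requests carrying SSE-C headers must use HTTPS.
    if urlsplit(endpoint_url).scheme.lower() != "https":
        raise ValueError("SSE-C headers may only be sent over HTTPS")
    # The key must be exactly 256 bits (32 bytes) before base64 encoding.
    if len(key) != 32:
        raise ValueError("SSE-C key must be 32 bytes, got %d" % len(key))
    return {
        PREFIX + "algorithm": "AES256",  # the only supported algorithm
        PREFIX + "key": base64.b64encode(key).decode("ascii"),
        # Checksum of the raw (not base64) key: base64 of its MD5 digest,
        # as in the AWS S3 API (assumed to apply here as well).
        PREFIX + "key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def same_sse_c_headers(create_headers: dict, part_headers: dict) -> bool:
    """True if an UploadPart request repeats the SSE-C values of CreateMultipartUpload."""
    def pick(headers):
        # Header names are case-insensitive; compare only the SSE-C ones.
        return {k.lower(): v for k, v in headers.items()
                if k.lower().startswith(PREFIX)}
    return pick(create_headers) == pick(part_headers)


if __name__ == "__main__":
    # Constructed sample key. The cluster never stores it, so the client
    # must keep it: without it the object cannot be decrypted.
    key = secrets.token_bytes(32)
    endpoint = "https://s3.vast.example"  # hypothetical endpoint
    create = sse_c_headers(key, endpoint)
    part = sse_c_headers(key, endpoint)
    print(sorted(create))
    print("part matches create:", same_sse_c_headers(create, part))
```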