Three types of SSE supported.
- SSE-C - client provides data encryption key for every get/put object calls. AWS S3 does not store client provided data encryption key. Client provided data encryption key may be generated by AWS KMS for every get/put object calls. It is user responsibility to securely save/map data encryption keys generated by KMS and AWS S3 does not store any data encryption key.
- SSE-S3 - client does not provide any encryption key for any get/put object calls. AWS S3 uses one single key (generated at first time) to encrypt/decrypt objects. Accordingly AWS docs, this key is stored along with object data.
- SSE-KMS - client provides Customer Master Key (CMK) for any get/put object calls. AWS S3 uses client's provided CMK to generate data keys using KMS to encrypt/decrypt objects. This data key is encrypted using KMS and is stored along with object data.
Below bucket policy prevents uploading unencrypted objects (even by owner/auth user).
- SSE-KMS:
{
"Version":"2012-10-17",
"Id":"PutObjPolicy",
"Statement":[{
"Sid":"DenyUnEncryptedObjectUploads",
"Effect":"Deny",
"Principal":"*",
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::YourBucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-server-side-encryption":"aws:kms"
}
}
}
]
}- SSE-S3:
{
"Version": "2012-10-17",
"Id": "PutObjPolicy",
"Statement": [
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::YourBucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::YourBucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}- KMS provides API to create Customer Master Key (CMK) which is not retrievable.
- KMS provides APIs to encrypt/decrypt data of max. 4KiB size.
- KMS provides APIs to generate data keys using CMK.
- KMS is not a vault i.e. there is no way user generated keys (even data keys generated by KMS) are stored in KMS.
- KMS uses HSMs underneath.
- KMS is a general purpose key management service it can be hooked into any AWS services like S3 (or even services outside of AWS).
- In simple words, it is encrypted key/value store.
- All keys/values are stored in vault. It comes with default expiry time and sealing/unsealing.
- It also provides ecnrypt/decrypt functions like AWS KMS.
- By default, it is not HA and fault tolerance. The recommendation is to use Consul as data store which provides HA and fault tolerance.
- It is encrypted key/value store along with AWS KMS features.
- It uses HSM to perform encrypt/decrypt operations.
- It is same as Hashicorp Vault written in Java.
https://gist.github.com/maxvt/bb49a6c7243163b8120625fc8ae3f3cd is nice work of comparing various key management systems.
@aead
The point says same thing other than
I don't think soor I am not able to understand your comment.KMS uses HSMsis from AWS. Could you point me where AWS says it is not used in AWS KMS?Note that this gist does not say anything about SSE design in minio server and it is not the goal here.