- May 2, 2014
Amazon e-mailed this to me today. Taking steps to ensure the privacy of SSE-C for free-tiers. Amazon Masternodes reach a new level of security.
Dear Amazon S3 Customer,
Amazon S3 now supports server side encryption with customer-provided keys (SSE-C), a new encryption option for Amazon S3. When using SSE-C, Amazon S3 encrypts your objects with the custom encryption keys that you provide. Since Amazon S3 performs the encryption for you, you get the benefits of using your encryption keys without the cost of writing or executing your own encryption code.
Until now, in order to use your own encryption keys, you needed to encrypt your data client-side prior to uploading them to Amazon S3. With SSE-C, you now have the option to securely store your data using keys that you manage, without having to build client-side encryption infrastructure.
To use SSE-C, simply include your custom encryption key in your upload request, and Amazon S3 encrypts the object using that key and securely stores the encrypted data at rest. Similarly, to retrieve an encrypted object, provide your custom encryption key, and Amazon S3 decrypts the object as part of the retrieval. Amazon S3 doesn't store your encryption key anywhere; the key is immediately discarded after S3 completes your requests.
You can learn how to use SSE-C today by visiting "Using SSE with Customer-provided Keys" in the Amazon S3 Developer Guide.
The Amazon S3 Team