Enabling server-side encryption with Key Management Service (SSE-KMS) using the AWS CLI
This page explains how to use SSE-KMS with the AWS CLI. To use it with the Scaleway console, refer to the dedicated documentation.
Server-Side Encryption with Key Management Service (SSE-KMS) is an encryption-at-rest option for Object Storage that uses a Key Management Service to handle encryption keys. It allows you to encrypt data when it is uploaded, and decrypt it when accessed, with your organization managing encryption keys (AES-256-GCM) through Scaleway's Key Manager.
When you use SSE-KMS, you set up a symmetric key encryption key (KEK) via Key Manager and associate that KEK with a bucket. This KEK encrypts and decrypts the data encryption keys (DEKs) that Object Storage uses to encrypt and decrypt the objects added to the bucket.
The KEK is generated, stored, and managed by Key Manager and never leaves it; DEKs are generated and used by Object Storage, and are stored only in encrypted form under the KEK.
Both key types have associated security best practices:
Scaleway SSE-KMS behaves similarly to Server-side Encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS).
When it comes to setting up your key architecture, the recommended practice is to always set default bucket encryption by enabling a Bucket Key via PutBucketEncryption. When this is active and you have configured SSE‑KMS, Object Storage automatically creates a Bucket Key that is encrypted with your KMS key (the KEK). The Bucket Key, in turn, encrypts the per‑object data encryption keys (DEKs) that protect the actual object data.
If some objects in a bucket were stored without SSE-KMS, you can encrypt them afterwards in one of two ways:
- Re-upload the object and enable SSE-KMS for that specific upload
- Copy the object onto itself, using the same bucket and object key as source and destination, and enable SSE-KMS for that specific copy operation
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An Object Storage bucket
- Installed and initialized the AWS CLI
Enabling SSE-KMS for an object upload
In a terminal, run the following command. Remember to replace placeholders with actual values.
aws s3api put-object \
--bucket <your-bucket-name> \
--key <your-object-key> \
--server-side-encryption aws:kms \
--bucket-key-enabled \
--ssekms-key-id <your-kms-key-id> \
--body <path-to-file-to-upload>
An output similar to the following displays:
{
"ETag": "\"<etag>\"",
"ChecksumCRC64NVME": "<checksum-value>",
"ChecksumType": "FULL_OBJECT",
"ServerSideEncryption": "aws:kms",
"SSEKMSKeyId": "<your-kms-key-id>",
"BucketKeyEnabled": true
}
Enabling SSE-KMS for a specific copy operation
In a terminal, run the following command, using the same bucket and object key as the source and the destination so that the object is rewritten in place. Remember to replace placeholders with actual values.
aws s3api copy-object \
--bucket <your-bucket-name> \
--key <your-object-key> \
--copy-source <your-bucket-name>/<your-object-key> \
--server-side-encryption aws:kms \
--bucket-key-enabled \
--ssekms-key-id <your-kms-key-id>
An output similar to the following displays:
{
"ServerSideEncryption": "aws:kms",
"SSEKMSKeyId": "<your-kms-key-id>",
"BucketKeyEnabled": true,
"CopyObjectResult": {
"ETag": "\"<etag>\"",
"LastModified": "yyyy-MM-ddTHH:mm:ss.SSSZ",
"ChecksumCRC64NVME": "<checksum-value>"
}
}
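The commands above cover one upload and one copy. The following script is an added example, not Scaleway's own code or part of the original page. It ties together the default bucket encryption recommended earlier (the PutBucketEncryption call with a Bucket Key), a check of an object's current encryption state from its head-object output, and a sweep that re-encrypts in place every object not already protected by the expected KMS key, using the same in-place copy-object call shown above. It assumes the AWS CLI is already configured for your Scaleway Object Storage endpoint (profile or AWS_ENDPOINT_URL), that the JSON request body follows the S3 API shape for put-bucket-encryption, and that the CLI prints one JSON field per line, as the outputs on this page show. The function names, the status labels, and the script name in the usage comment are all this example's own.

```bash
#!/usr/bin/env bash
# Added example (not Scaleway's code). Assumes the AWS CLI is configured for
# the Scaleway Object Storage endpoint (profile or AWS_ENDPOINT_URL).

# Build the PutBucketEncryption rule that makes SSE-KMS with a Bucket Key the
# bucket default. The rule shape is the S3 API's; the KMS key ID is a parameter.
default_encryption_config() {         # args: kms_key_id
  printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"},"BucketKeyEnabled":true}]}' "$1"
}

# Apply the default to a bucket, then read it back so a typo in the key ID
# does not go unnoticed.
set_default_encryption() {            # args: bucket kms_key_id
  aws s3api put-bucket-encryption --bucket "$1" \
    --server-side-encryption-configuration "$(default_encryption_config "$2")"
  aws s3api get-bucket-encryption --bucket "$1"
}

# Classify one object from its head-object JSON (read on stdin). Prints one of:
#   kms-ok          SSE-KMS with the expected key
#   kms-other-key   SSE-KMS, but under a different KEK than expected
#   sse-s3          encrypted with the service-managed AES256 option
#   none            no server-side encryption header at all
# An empty expected key accepts any SSE-KMS key. The sed patterns rely on the
# CLI's one-field-per-line JSON output, as shown in the page's examples.
encryption_status() {                 # args: expected_key_id ; stdin: head-object JSON
  local expected="$1" json sse kid
  json=$(cat)
  sse=$(printf '%s\n' "$json" | sed -n 's/.*"ServerSideEncryption": *"\([^"]*\)".*/\1/p' | head -n 1)
  kid=$(printf '%s\n' "$json" | sed -n 's/.*"SSEKMSKeyId": *"\([^"]*\)".*/\1/p' | head -n 1)
  case "$sse" in
    aws:kms)
      if [ -z "$expected" ] || [ "$kid" = "$expected" ]; then
        echo kms-ok
      else
        echo kms-other-key
      fi ;;
    AES256) echo sse-s3 ;;
    *)      echo none ;;
  esac
}

# Walk a bucket and re-encrypt in place every object that is not already
# SSE-KMS under the expected key (same bucket and key as source and destination,
# as the page describes). The CLI paginates list-objects-v2 for us. Keys that
# contain tabs, newlines or characters needing URL-encoding in --copy-source
# are out of scope for this example.
reencrypt_bucket() {                  # args: bucket kms_key_id
  local bucket="$1" kid="$2" key status
  aws s3api list-objects-v2 --bucket "$bucket" --query 'Contents[].Key' --output text \
    | tr '\t' '\n' \
    | while IFS= read -r key; do
        # An empty bucket yields the literal "None" in text output.
        [ -n "$key" ] && [ "$key" != "None" ] || continue
        status=$(aws s3api head-object --bucket "$bucket" --key "$key" | encryption_status "$kid")
        if [ "$status" = "kms-ok" ]; then
          printf 'skip      %s (%s)\n' "$key" "$status"
          continue
        fi
        printf 'reencrypt %s (%s)\n' "$key" "$status"
        aws s3api copy-object --bucket "$bucket" --key "$key" \
          --copy-source "$bucket/$key" \
          --server-side-encryption aws:kms --ssekms-key-id "$kid" --bucket-key-enabled \
          --query 'ServerSideEncryption' --output text
      done
}

# Usage: ./sse-kms-sweep.sh <bucket> <kms-key-id>
if [ "$#" -eq 2 ]; then
  set_default_encryption "$1" "$2"
  reencrypt_bucket "$1" "$2"
fi
```

Run the sweep once after setting the bucket default: objects uploaded afterwards are encrypted by the default, and the sweep closes the gap for objects that predate it. The status check deliberately distinguishes "encrypted with the wrong KMS key" from "not encrypted at all", because a key rotation leaves objects in the first state and they still need the in-place copy.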