Enabling server-side encryption with Key Management Service (SSE-KMS) using the Scaleway console
This page explains how to use SSE-KMS with the Scaleway Console. To use it with the AWS CLI, refer to the dedicated documentation.
Server-Side Encryption with Key Management Service (SSE-KMS) is an encryption-at-rest option for Object Storage that uses a Key Management Service to handle encryption keys. It allows you to encrypt data when it is uploaded, and decrypt it when accessed, with your organization managing encryption keys (AES-256-GCM) through Scaleway's Key Manager.
When you use SSE-KMS, you set up a symmetric key encryption key (KEK) via Key Manager and associate that KEK with a bucket. This KEK encrypts and decrypts the data encryption keys (DEKs) that Object Storage uses to encrypt and decrypt the objects added to the bucket.
The KEK is generated, stored, and managed via Key Manager, whereas DEKs are generated and operated by Object Storage and encrypted by the KEK.
Both key types have associated security best practices:
Scaleway SSE-KMS behaves similarly to Server-side Encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS).
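The KEK/DEK envelope scheme described above, modelled as an added Go example (not Scaleway's code): the KEK is a local 32-byte slice standing in for the key that Key Manager would hold and use for wrapping, and `EncryptObject`/`DecryptObject` are hypothetical names for the upload and read paths. The object key is used as associated data so a wrapped DEK or ciphertext cannot be swapped between objects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// aead returns AES-256-GCM for a 32-byte key; a wrong key size is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// seal encrypts with a fresh random nonce; aad binds the blob to its object key.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // CSPRNG failure is not recoverable
	}
	return g.Seal(nonce, nonce, plaintext, aad) // nonce || ciphertext || tag
}
// open reverses seal; it fails if the key, nonce, tag or aad do not match.
func open(key, data, aad []byte) ([]byte, error) {
	g := aead(key)
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}
// EncryptObject models an SSE-KMS upload: a fresh 256-bit DEK encrypts the object,
// then the bucket's KEK wraps the DEK (the step Key Manager performs). Only the
// wrapped DEK and the ciphertext are kept; the plaintext DEK is discarded.
func EncryptObject(kek, object []byte, objectKey string) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return seal(kek, dek, []byte(objectKey)), seal(dek, object, []byte(objectKey))
}
// DecryptObject models a read: unwrap the DEK with the KEK, then decrypt the object.
// Without the KEK the wrapped DEK is opaque, so objects uploaded under SSE-KMS stay encrypted after the setting is disabled.
func DecryptObject(kek, wrappedDEK, ciphertext []byte, objectKey string) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(objectKey))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(objectKey))
}
```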
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An Object Storage bucket (optional)
How to enable SSE-KMS during bucket creation
When you create a new Object Storage bucket, follow these steps to enable SSE-KMS:
- Tick the Enable bucket encryption box and select the SSE-KMS encryption type.
- Select a KMS key. The KMS key that you select here is the key encryption key (KEK) mentioned above. You have the following options:
  - Select an existing key: Use the drop-down to select a key that you set up earlier via Key Manager.
  - Create a new KMS key: Provide a name for your new key. When you click Create bucket, a new key is created and available for managing via Key Manager.
Following bucket creation, objects pushed to this bucket will be automatically encrypted at rest with your keys generated via Key Manager.
How to enable SSE-KMS on an existing bucket
- Click Object Storage in the Storage section of the side menu. The list of your buckets displays.
- Click the name of the desired bucket. The Overview tab displays.
- Select the Settings tab.
- Under Bucket encryption, click Edit encryption mode. A pop-up displays.
- Tick the Enable bucket encryption box, then select SSE-KMS.
- Select a KMS key. The KMS key that you select here is the key encryption key (KEK) mentioned above. You have the following options:
  - Select an existing key: Use the drop-down to select a key that you set up via Key Manager earlier.
  - Create a new KMS key: Provide a name for your new key. When you click Confirm, a new key is created and available for managing via Key Manager.
- Click Confirm.
New objects uploaded to this bucket will be automatically encrypted at rest with your keys generated via Key Manager.
How to disable SSE-KMS on an existing bucket
- Click Object Storage in the Storage section of the side menu. The list of your buckets displays.
- Click the name of the desired bucket. The Overview tab displays.
- Select the Settings tab.
- Under Bucket encryption, click Edit encryption mode. A pop-up displays.
- Uncheck the Enable bucket encryption box.
- Click Confirm. The Disable encryption for my bucket pop-up displays.
- Type DISABLE, then click Confirm.
New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-KMS was enabled will remain encrypted.