Using Secret Manager to store encryption key for SSE-C

object-storage
secret-manager
encryption

This tutorial explains how to use Key Manager and Secret Manager to generate and store an encryption key for SSE-C, used to encrypt and decrypt objects in your Scaleway Object Storage bucket.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • Created an Object Storage bucket
  • Installed and initialized the AWS CLI

The goal of this tutorial is to:

  • Generate an encryption key using Key Manager
  • Store it securely in Secret Manager
  • Use it to encrypt your Object Storage objects with SSE-C

Generating the encryption key

  1. Open a terminal and create a key in Key Manager:

    KEY_ID=$(scw keymanager key create -o template="{{.ID}}")
  2. Run the following command to generate a data encryption key:

    scw keymanager key generate-data-key "$KEY_ID" -o json | jq -r .plaintext | base64 -d > ssec.key
  3. Create a secret in Secret Manager to store the data encryption key:

    SECRET_ID=$(scw secret secret create name=ssec-key path=/keys -o template="{{.ID}}")
  4. Store the data encryption key in Secret Manager:

    scw secret version create "$SECRET_ID" data="@ssec.key"

Preparing the encryption key and its digest

You must now retrieve the encryption key from Secret Manager, encode it to base64, compute its MD5 digest, and store both values in environment variables.

  1. Access the secret version to retrieve the raw key:

    scw secret version access "$SECRET_ID" revision=latest raw=true > ssec.key
  2. Encode the key to base64:

    ENCRYPTION_KEY=$(base64 < ssec.key)
  3. Compute the MD5 digest of the key:

    KEY_DIGEST=$(openssl dgst -md5 -binary ssec.key | base64)
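The two values produced above map directly onto the HTTP headers the S3 API checks on every SSE-C request: the base64 key and the base64 of the binary MD5 digest of the raw key (not of its base64 form). The following Python is an added example, not Scaleway's own tooling: it builds those headers from the raw key bytes, rejects a key that is not the 32 bytes AES256 requires, and recomputes the digest from the transmitted key the way the server does, so a mismatch is caught locally before a request is sent. The sample key is constructed for the demonstration; the header names are the standard S3 SSE-C headers that the `aws s3api` flags in this tutorial populate.

```python
import base64
import hashlib

# SSE-C with AES256 requires a 256-bit (32-byte) customer-provided key.
SSEC_KEY_LENGTH = 32

# Standard S3 SSE-C request headers. The aws CLI flags used in this tutorial
# (--sse-customer-algorithm / --sse-customer-key / --sse-customer-key-md5)
# populate exactly these three headers.
HDR_ALGORITHM = "x-amz-server-side-encryption-customer-algorithm"
HDR_KEY = "x-amz-server-side-encryption-customer-key"
HDR_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def is_valid_ssec_key(raw_key) -> bool:
    """True only for raw key material of the exact length AES256 SSE-C expects."""
    return isinstance(raw_key, (bytes, bytearray)) and len(raw_key) == SSEC_KEY_LENGTH


def _digest_b64(raw_key: bytes) -> str:
    # MD5 is used here purely as a transmission-integrity check on the key,
    # which is why usedforsecurity=False is appropriate (Python 3.9+).
    return base64.b64encode(hashlib.md5(raw_key, usedforsecurity=False).digest()).decode("ascii")


def ssec_headers(raw_key: bytes) -> dict:
    """Build the three SSE-C headers from the raw key read out of Secret Manager.

    Mirrors the shell steps: base64-encode the key, then base64-encode the
    binary MD5 digest of the *raw* key bytes.
    """
    if not is_valid_ssec_key(raw_key):
        raise ValueError(f"SSE-C key must be exactly {SSEC_KEY_LENGTH} raw bytes")
    return {
        HDR_ALGORITHM: "AES256",
        HDR_KEY: base64.b64encode(bytes(raw_key)).decode("ascii"),
        HDR_KEY_MD5: _digest_b64(bytes(raw_key)),
    }


def digest_matches(key_b64: str, digest_b64: str) -> bool:
    """Recompute the digest from the transmitted key, as the server does.

    A False result is what produces a 400 on put-object/get-object, so check
    it before sending when the two values come from different places.
    """
    raw_key = base64.b64decode(key_b64, validate=True)
    return _digest_b64(raw_key) == digest_b64


def load_key_from_file(path: str) -> bytes:
    """Read the raw key exactly as 'scw secret version access ... raw=true' wrote it."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed sample key for the demonstration only; a real key comes from
    # Key Manager via Secret Manager as in the steps above (load_key_from_file("ssec.key")).
    sample_key = bytes(range(SSEC_KEY_LENGTH))
    headers = ssec_headers(sample_key)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("digest consistent:", digest_matches(headers[HDR_KEY], headers[HDR_KEY_MD5]))
```

The `ENCRYPTION_KEY` and `KEY_DIGEST` shell variables correspond to `HDR_KEY` and `HDR_KEY_MD5`; if the key file is accidentally read as text (for example, with a trailing newline appended by an editor), the length check fails before a request is ever made with a silently wrong key.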
Important

If you delete the secret containing the encryption key, you also lose the data encrypted with it, as you will not be able to perform GET operations on encrypted objects without the corresponding key.

Upload and download objects with SSE-C

  1. Upload an object of your choice to your bucket and encrypt it. Make sure that you replace:

    • <bucket-name> with the name of your bucket
    • <object-key> with the desired name of the object in the bucket
    • <path/to/your/file> with the path to the file you want to upload

    aws s3api put-object \
      --bucket <bucket-name> \
      --key <object-key> \
      --body <path/to/your/file> \
      --sse-customer-algorithm AES256 \
      --sse-customer-key "$ENCRYPTION_KEY" \
      --sse-customer-key-md5 "$KEY_DIGEST"
  2. Download the previously uploaded object and decrypt it. Make sure that you replace:

    • <bucket-name> with the name of your bucket
    • <object-key> with the name of your object in the bucket
    • <path/to/destination/file> with the local path where you want to save the file

    aws s3api get-object \
      --bucket <bucket-name> \
      --key <object-key> \
      <path/to/destination/file> \
      --sse-customer-algorithm AES256 \
      --sse-customer-key "$ENCRYPTION_KEY" \
      --sse-customer-key-md5 "$KEY_DIGEST"

You now know how to use Key Manager and Secret Manager to generate, store, and use an encryption key to protect your Object Storage data with SSE-C.

Refer to the dedicated documentation for more information on how to use SSE-C for Scaleway Object Storage.
