
Amazon Allows Customers To Use Their Own Encryption Keys With S3

by Adam Armstrong

Today Amazon Web Services announced that it is enhancing S3 support for server-side encryption by allowing customers to provide their own keys. Up until now customers had the option of using either client-side encryption for data before it leaves the client environment or the use of server-side encryption, to protect data at rest. Today’s announcement enables customers to use keys that they maintain without the need to build, maintain, and scale their client-side encryption fleet.


Amazon S3 continues to grow in use cases. S3 stores trillions of objects and processes more than a million requests per second for them. S3 has a number of notable users including Dropbox, reddit, Tumblr, Pinterest, and Minecraft. As the number of users and use cases expands, customers continue to request more ways to protect their data in motion and at rest.

This new feature allows customers to use and manage keys they provide. The feature is accessible via the S3 APIs and Amazon claims it is easy to use. Users supply their encryption key as part of PUT and S3 takes care of the rest: S3 takes the user’s key, applies AES-256 encryption to the data, computes a one-way hash (checksum) of the key, and then removes the key from memory. When the object is needed, users supply the key as part of GET; S3 decrypts and returns the object, then once again removes the key from memory.

Key management is up to the user. Users must make sure they are using the proper keys with the proper objects; this also applies to the use of S3’s versioning feature. Keys can be stored on-premises or customers can use AWS CloudHSM. If a customer wishes to transfer an object to Glacier, they would first have to supply the key and restore the object to S3. Customers can change the key associated with an object by using S3’s COPY operation.
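As an added illustration of the PUT/GET flow and the "proper key with the proper object" check described above (example code written for this article, not AWS code): the client side builds the three SSE-C request headers the S3 REST API defines, and a small local model of the server side validates the transmitted key's MD5 and keeps only a one-way fingerprint of the key. The SHA-256 fingerprint and the `receive_sse_c_key`/`key_matches_object` helpers are assumptions that mimic the behaviour the article describes; S3 does not publish its internal hash.

```python
import base64
import hashlib
import hmac
from typing import Optional

SSE_C_ALGORITHM = "AES256"  # the only algorithm SSE-C accepts
KEY_BYTES = 32              # AES-256 key length


def sse_c_headers(key: bytes) -> dict:
    """Client side: the three SSE-C headers sent on PUT, and again on GET."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"SSE-C key must be exactly {KEY_BYTES} bytes (AES-256)")
    key_md5 = hashlib.md5(key).digest()  # lets S3 detect a key corrupted in transit
    return {
        "x-amz-server-side-encryption-customer-algorithm": SSE_C_ALGORITHM,
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode(),
    }


def receive_sse_c_key(headers: dict) -> Optional[bytes]:
    """Server-side model: recover the raw key, or None when the algorithm is
    wrong, a header is missing, or the MD5 does not match (S3 rejects these)."""
    if headers.get("x-amz-server-side-encryption-customer-algorithm") != SSE_C_ALGORITHM:
        return None
    try:
        key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"], validate=True)
        sent_md5 = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"], validate=True)
    except (KeyError, ValueError):
        return None
    if len(key) != KEY_BYTES or not hmac.compare_digest(hashlib.md5(key).digest(), sent_md5):
        return None
    return key


def key_fingerprint(key: bytes) -> str:
    """One-way hash stored with the object so the key itself is never kept
    (SHA-256 is an assumption; S3 does not document which hash it uses)."""
    return hashlib.sha256(key).hexdigest()


def key_matches_object(stored_fingerprint: str, key: bytes) -> bool:
    """GET-time check: the supplied key must hash to the fingerprint recorded at PUT time."""
    return hmac.compare_digest(stored_fingerprint, key_fingerprint(key))


if __name__ == "__main__":
    import os
    key = os.urandom(KEY_BYTES)  # constructed; in practice it comes from your own KMS/HSM
    fp = key_fingerprint(receive_sse_c_key(sse_c_headers(key)))  # what S3 keeps after discarding the key
    print("same key on GET :", key_matches_object(fp, key))                  # True
    print("other key on GET:", key_matches_object(fp, os.urandom(KEY_BYTES)))  # False
```

With a real bucket the same three values are passed to boto3 as `SSECustomerAlgorithm`, `SSECustomerKey` and `SSECustomerKeyMD5` on both `put_object` and `get_object`.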

Availability and pricing

The new feature is available today for no extra cost to S3 users.

Customer-provided key documents
