SSE-C: Server-Side Encryption with Customer-Provided Encryption Keys
In SSE-C, the client supplies the secret key needed to read and write data.
Note: SSE-C integration with Hadoop is still stabilizing; issues related to it are still surfacing. It is already clear that SSE-C with a common key must be used exclusively within a bucket if it is to be used at all. This is the only way to ensure that path and directory listings do not fail with "Bad Request" errors.
Enabling SSE-C
To use SSE-C, the configuration option `fs.s3a.server-side-encryption-algorithm` must be set to `SSE-C`, and a base-64 encoding of the key placed in `fs.s3a.server-side-encryption.key`.
```xml
<property>
  <name>fs.s3a.server-side-encryption-algorithm</name>
  <value>SSE-C</value>
</property>
<property>
  <name>fs.s3a.server-side-encryption.key</name>
  <value>RG8gbm90IGV2ZXIgbG9nIHRoaXMga2V5IG9yIG90aGVyd2lzZSBzaGFyZSBpdA==</value>
</property>
```
This property can be set in a Hadoop JCEKS credential file, which is significantly more secure than embedding secrets in the XML configuration file.
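As an added illustration, not part of the Hadoop documentation or the S3A code, the Python below validates the configured key before it is rolled out (S3 SSE-C accepts only a 256-bit key, so a short or malformed value fails every request) and shows the three headers the S3 SSE-C API expects with each object request. The header names come from the S3 API; the sample key and the config dictionary standing in for a parsed core-site.xml are constructed.

```python
import base64
import hashlib
import secrets

# Property names are from the page; every value below is a constructed sample.
ALGORITHM_PROPERTY = "fs.s3a.server-side-encryption-algorithm"
KEY_PROPERTY = "fs.s3a.server-side-encryption.key"
SSEC_KEY_BYTES = 32  # S3 SSE-C requires a 256-bit AES key


def new_ssec_key_b64() -> str:
    """Generate a fresh 256-bit key, base-64 encoded as the Hadoop property expects."""
    return base64.b64encode(secrets.token_bytes(SSEC_KEY_BYTES)).decode("ascii")


def decode_ssec_key(key_b64: str) -> bytes:
    """Decode the configured key and reject anything S3 would refuse."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"{KEY_PROPERTY} is not valid base-64") from exc
    if len(raw) != SSEC_KEY_BYTES:
        raise ValueError(
            f"{KEY_PROPERTY} decodes to {len(raw)} bytes; SSE-C needs {SSEC_KEY_BYTES}"
        )
    return raw


def ssec_request_headers(config: dict) -> dict:
    """Return the SSE-C headers sent with each object request.

    S3 checks the MD5 header against the key it received, so a corrupted or
    truncated key is rejected instead of silently encrypting with the wrong key.
    """
    if config.get(ALGORITHM_PROPERTY) != "SSE-C":
        raise ValueError(f"{ALGORITHM_PROPERTY} must be SSE-C")
    key_b64 = config[KEY_PROPERTY]
    raw = decode_ssec_key(key_b64)
    key_md5 = base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": key_b64,
        "x-amz-server-side-encryption-customer-key-MD5": key_md5,
    }


# Constructed sample: a fixed 32-byte key so the result is reproducible.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(32))).decode("ascii")
SAMPLE_CONFIG = {ALGORITHM_PROPERTY: "SSE-C", KEY_PROPERTY: SAMPLE_KEY_B64}

if __name__ == "__main__":
    # Never print the key itself; the MD5 is enough to confirm which key is in use.
    print("key MD5:", ssec_request_headers(SAMPLE_CONFIG)["x-amz-server-side-encryption-customer-key-MD5"])
```

Because the key travels in request headers, this also makes clear why the S3A endpoint must be reached over TLS and why the key belongs in a JCEKS credential file rather than a world-readable XML file.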