Use your own encryption keys for Amazon S3 storage

Amazon Web Services has some good news for users of S3, its popular online file storage web service: they can now use their own encryption keys to protect their data at rest.

“As the number of use cases for S3 has grown, so have the requests for additional ways to protect data in motion (as it travels to and from S3) and at rest (while it is stored),” Jeff Barr, Chief Evangelist for the Amazon Web Services, explained in a blog post on Thursday.

“The first requirement is met by the use of SSL, which has been supported by S3 from the very beginning. There are several options for the protection of data at rest. First, users of the AWS SDKs for Ruby and Java can also use client-side encryption to encrypt data before it leaves the client environment. Second, any S3 user can opt to use server-side encryption.”

Then he announced that S3’s server-side encryption now comes with the option of users providing their own encryption keys.

“You now have a choice – you can use the existing server-side encryption model and let AWS manage your keys, or you can manage your own keys and benefit from all of the other advantages offered by server-side encryption.”

More details about how to use your own keys and how to manage it can be found here.

Some security experts have expressed their doubts about the security of server-side encryption, but Barr tried to assure them that the users’ key is passed in with their PUT object, and that S3 forgets the key after encrypting and storing the data.

Others have pointed out that server-side anything can’t be trusted by clients, and that advertising server-side encryption gives a false sense of security to users. Others still have pointed out that it’s better to encrypt everything on the client side.