Issues with S3 Encryption Type
Overview
For SFTP Gateway version 3 (specifically, versions 3.0.0 through 3.2.1), there are a number of issues with the S3 encryption types under the AWS Cloud Connection.
We are currently working on a fix, which will be included in the 3.3.0 version update coming later this month (March 2022).
SSE-S3
The SSE-S3 encryption type in SFTP Gateway refers to the default service-level encryption for the S3 service.
In AWS, there are two service-level encryption types:
- SSE-S3
- SSE-KMS
Although SFTP Gateway v3 is using an S3 service-level encryption, it is using SSE-KMS (not SSE-S3).
In most cases, this will not have any significant impact. The files stored on S3 are still encrypted at rest.
However, there are two edge cases where customers will face issues:
- Custom applications trying to access files on S3 will need to be updated to specify signature version 4 (a requirement of KMS) when making API calls to AWS S3.
- Likewise, files made publicly available on S3 cannot be accessed. This is because the signature version 4 requirement cannot be met by the web browser.
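To confirm which encryption type your uploaded objects actually carry, and to build an S3 client that signs with signature version 4, here is an added example (not SFTP Gateway code). It assumes Python with boto3 for live calls; the function names, object keys and KMS key ARN are constructed for illustration.

```python
# Added example: audit the encryption S3 reports for objects uploaded via SFTP Gateway.
SSE_LABELS = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS"}  # HeadObject ServerSideEncryption values


def classify(head):
    """Map one HeadObject response dict to the encryption type in effect."""
    sse = head.get("ServerSideEncryption")
    if sse is None:
        return "none"
    return SSE_LABELS.get(sse, "unknown")


def audit(heads, expected="SSE-S3"):
    """Return one finding per object whose encryption differs from `expected`."""
    findings = []
    for key in sorted(heads):
        actual = classify(heads[key])
        if actual != expected:
            findings.append({
                "key": key,
                "actual": actual,
                "needs_sigv4": actual == "SSE-KMS",  # KMS requires signature version 4
                "kms_key": heads[key].get("SSEKMSKeyId"),
            })
    return findings


def sigv4_client():
    """S3 client that signs with signature version 4 (needs boto3 and AWS credentials)."""
    import boto3
    from botocore.config import Config
    return boto3.client("s3", config=Config(signature_version="s3v4"))


def head_objects(client, bucket, keys):
    """Fetch live metadata; bucket and keys are supplied by the caller."""
    return {key: client.head_object(Bucket=bucket, Key=key) for key in keys}


# Constructed sample responses (not real objects); the key ARN is a placeholder.
SAMPLE = {
    "uploads/report.csv": {"ServerSideEncryption": "aws:kms",
                           "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"},
    "uploads/legacy.csv": {"ServerSideEncryption": "AES256"},
    "uploads/plain.txt": {},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Against a real bucket, pass the result of `head_objects(sigv4_client(), bucket, keys)` to `audit` instead of `SAMPLE`.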
No Encryption
If you are encountering signature version 4 issues, your first instinct may be to work around the issue by setting the Encryption Type to No Encryption. However, there is an issue with this setting as well at the moment.
The Java backend is running into an issue recognizing the No Encryption type. As a result, SFTP users will encounter errors when trying to upload files.
To test whether your version is affected, click the Test Connection button at the bottom of your Cloud Connection detail page. You may see a red "X" next to the write permission.
Status of the Issues
We recognize these issues, and are currently working on fixes that are on track to be released with version 3.3.0 later this month (March 2022).