Using S3 Server Side Encryption with SFTP Gateway

You can encrypt your files at rest when stored on S3. There are three encryption options, but it's highly recommended to use SSE-S3 because it's by far the easiest to configure and manage.

Background on SSE

With S3, file encryption happens at the object level. Normally, you include the encryption options at the time you upload a file, which means supplying encryption parameters on the command line (or in the API call) with every upload. This quickly becomes cumbersome.

SFTP Gateway lets you configure these encryption options at the user level. Files uploaded to S3 on a user's behalf are encrypted according to that user's encryption setting.

SSE-S3

This is the recommended option for server side encryption. The S3 service manages the keys used to encrypt and decrypt your files. S3 transparently decrypts the file for you when you read it, so long as you have read permission on the object.

SSE-KMS

This is similar to SSE-S3, except that you provide your own KMS key. The KMS key acts as a master key that protects the individual data keys associated with each S3 object. You supply the master key, and AWS takes care of the rest.

SSE-C

File encryption still happens at the object level, and each object can be encrypted with a different key. With SSE-C, you manage which key is used for each S3 object and must supply it on every request, including reads. This can be labor intensive and error prone -- if you lose a key, nobody (including AWS) can ever decrypt that S3 object. Only use this option if absolutely necessary.
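The three options above map to different S3 request headers, and the same headers come back on HEAD/GET so you can confirm how an object is actually stored. The example below is added here and is not SFTP Gateway's or AWS's own code; it builds the headers for each option and classifies a response, with the response dict being a constructed sample rather than a real capture.

```python
import base64
import hashlib


def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Return the S3 request headers that select the chosen SSE option."""
    if mode == "SSE-S3":
        # S3 manages the keys; nothing else needs to be supplied.
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        # Key id is optional; without it S3 uses the account's default aws/s3 key.
        h = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:
            h["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return h
    if mode == "SSE-C":
        # Caller supplies a 256-bit key on every request (reads included) plus
        # its MD5 so S3 can detect a corrupted key; S3 never stores the key.
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 32-byte (AES-256) customer key")
        md5 = hashlib.md5(customer_key).digest()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(md5).decode(),
        }
    raise ValueError(f"unknown SSE mode: {mode}")


def ssec_headers_consistent(headers):
    """True if the SSE-C key header and its MD5 header agree (what S3 checks)."""
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    sent = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"])
    return len(key) == 32 and hashlib.md5(key).digest() == sent


def detect_sse(response_headers):
    """Classify an object's encryption from the headers S3 returns on HEAD/GET."""
    h = {k.lower(): v for k, v in response_headers.items()}
    if h.get("x-amz-server-side-encryption-customer-algorithm") == "AES256":
        return "SSE-C"
    sse = h.get("x-amz-server-side-encryption")
    return {"aws:kms": "SSE-KMS", "AES256": "SSE-S3"}.get(sse, "NONE")


# Constructed sample of a HEAD response for an SSE-KMS object (not a real capture).
SAMPLE_HEAD_RESPONSE = {
    "Content-Length": "1024",
    "x-amz-server-side-encryption": "aws:kms",
    "x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:REGION:ACCOUNT:key/KEY-ID-PLACEHOLDER",
}
```

Reading the encryption state back after upload, rather than trusting the per-user setting, is the check that catches a misconfigured user or a bucket policy that silently downgraded the option.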