You can provide your own key for server-side encryption. However, only do this if you have a specific compliance requirement. SSE-C is more difficult to manage, and there's a risk of data loss if you misplace your key.

Note: It's recommended to use SSE-S3 or KMS whenever possible. When using SSE-C, you are responsible for managing encryption keys, and for tracking which key was used for each object. The following sections are suggestions on using the AWS CLI. But it is up to you to thoroughly test your workflow and safeguard against data loss.

Generating a custom key

You will need a Base64 Encoded AES-256 Key, which looks something like this:

fS9LLRGAy8twrmcPSjhT9d0IhWPq4mhY93dFD5uaMEs=

(This is just an example, please use a real key)

There are various methods to generate one, but you use this website for testing purposes.

Also, you cannot upload encrypted files via the S3 console. Encryption is handled via the AWS CLI or API.

Encrypting user uploads with SSE-C

Configure a user with addsftpuser. When presented with encryption options, choose 3 for SSE-C. Then provide your Base64 encoded AES-256 key.

Files transferred to the user's uploads directory will be encrypted with SSE-C.

S3 console behavior when using SSE-C

When using SSE-C, the S3 console will behave strangely. However, this is expected.

  • On the object detail page, you will not see anything under Server side encryption.
  • At the bottom of the object detail page, you will see an error: Error: an unexpected error occurred
  • You cannot move nor copy objects encrypted with SSE-C

Uploading SSE-C encrypted files to a private download directory

This section covers the following scenario:

  • You need to upload a file to the user's private download directory on S3
  • This file needs to be encrypted with a custom key
  • The file needs to be decrypted when synced back down to the server

Elevate your permissions to root:

sudo su

Set the sse sync option in the user's properties file:

vi /home/testuser/.sftpgateway/user.properties
sse.sync.option=3

Create an sse sync key.

echo "fS9LLRGAy8twrmcPSjhT9d0IhWPq4mhY93dFD5uaMEs=" | base64 -d > /home/testuser/.sftpgateway/sse-sync.key

Upload a file to the user's private download directory (replace the user and bucket names).

echo "testing123" > test.txt
aws s3api put-object 
  --body   test.txt                        \
  --bucket sftpgateway-i-0123456789abcdefg \
  --key    testuser/downloads/test.txt     \
  --sse-customer-algorithm AES256          \
  --sse-customer-key fileb:///home/testuser/.sftpgateway/sse-sync.key

You should see the encrypted file in S3.

After a few minutes, you should also see the decrypted file in /home/testuser/home/testuser/downloads/

Uploading SSE-C encrypted files to the shared download directory

This section covers the following scenario:

  • Multiple users need access to the same set of files
  • These files need to be encrypted with a custom key
  • The file needs to be decrypted when synced back down to the server

Since the shared directory is accessed by multiple users, the root user should hold the custom key for encrypting and decrypting files.

Run the following commands:

sudo su
mkdir -p /root/.sftpgateway/
echo "sse.sync.option=3" > /root/.sftpgateway/user.properties
echo "fS9LLRGAy8twrmcPSjhT9d0IhWPq4mhY93dFD5uaMEs=" | base64 -d > /root/.sftpgateway/sse-sync.key

You configure the root user with option 3 for SSE-C. You also generate the sse-sync.key file which is used to decrypted shared files (make sure you use an actual key).

To test this, upload a file to your shared directory on S3 (make sure you use your actual bucket name):

echo "testing123" > test.txt
aws s3api put-object --body   test.txt                        \
                     --bucket sftpgateway-i-0123456789abcdefg \
                     --key    shared/test.txt                 \
                     --sse-customer-algorithm AES256          \
                     --sse-customer-key fileb:///root/.sftpgateway/sse-sync.key

In the S3 console, you should see a file in the shared directory of the default bucket.

In a few minutes, you should see the file in /opt/sftpgw/shared, as well as each user's shared directory: /home/<user>/home/<user>/shared/