AWS Key Management Service (KMS) is one option for managing the encryption keys used for server-side encryption (SSE). Compared with SSE-S3, it gives you control over the key itself: its key policy decides which principals may use it, rotation is under your control, and every use of the key is recorded in CloudTrail. The trade-off is that it requires some configuration on your part.

Create a KMS key

To use KMS with SFTP Gateway, you first have to create a key. KMS keys were originally managed from the IAM console (IAM > Encryption Keys); newer consoles have a dedicated Key Management Service page, but the wizard is the same.

  • Go to IAM > Encryption Keys
  • Click Create Key
  • Step through the wizard until you reach the Define Key Usage Permissions page
  • Check the box next to the role for your EC2 instance. (If you're not sure which one, you can find it in the EC2 instance details.) This adds the role to the key policy as a key user, which grants it the encrypt, decrypt and generate-data-key permissions that S3 needs; without it, uploads encrypted with this key are rejected with a KMS access-denied error.
  • Finish the wizard for creating the KMS key

Once the key exists, copy its ARN (of the form arn:aws:kms:<region>:<account>:key/<key-id>); the steps below ask for it.
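To confirm that the wizard actually granted the instance role, fetch the key policy with `aws kms get-key-policy --key-id <key-arn> --policy-name default --output text` and run it through a check like the one below. This is an added example, not part of SFTP Gateway: the account ID, the role name and the embedded sample policy are constructed, shaped after the key-user statement the Define Key Usage Permissions step writes. It only inspects direct grants in the key policy; a role could also reach the key through an IAM policy, which the root statement permits but this check does not see.

```python
"""Check that a KMS key policy lets the SFTP Gateway instance role use the key.

Added example, not SFTP Gateway's own code.  Feed it the policy document printed by
  aws kms get-key-policy --key-id <key-arn> --policy-name default --output text
The account ID and role name below are assumptions.
"""
import fnmatch
import json

# Actions S3 needs from the instance role for SSE-KMS.  The console's
# "key users" statement grants these (plus kms:ReEncrypt*).
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey")

# Constructed policy in the shape the wizard produces for a key with one key user.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:role/sftpgateway-instance"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """AWS principals a statement names; a bare "*" means everyone."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def actions_for(policy_doc, principal_arn):
    """Return the subset of REQUIRED_ACTIONS the key policy allows to principal_arn.

    Wildcards such as kms:* and kms:GenerateDataKey* are expanded with fnmatch
    (action names are case-insensitive in IAM); a matching explicit Deny removes
    the action, as IAM evaluation would.  Only statements that name the principal
    directly count: the root statement delegates to IAM policies, which are not
    visible here.
    """
    policy = json.loads(policy_doc)
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        principals = _principals(stmt)
        if principal_arn not in principals and "*" not in principals:
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        hits = {a for a in REQUIRED_ACTIONS
                for pat in patterns if fnmatch.fnmatchcase(a.lower(), pat)}
        (denied if stmt.get("Effect") == "Deny" else allowed).update(hits)
    return allowed - denied


def missing_actions(policy_doc, principal_arn):
    """Required actions the policy does not grant to principal_arn (empty means OK)."""
    return sorted(set(REQUIRED_ACTIONS) - actions_for(policy_doc, principal_arn))


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/sftpgateway-instance"
    gaps = missing_actions(SAMPLE_POLICY, role)
    print("OK: role can use the key" if not gaps else "MISSING: " + ", ".join(gaps))
```

Run it against the real policy by replacing SAMPLE_POLICY with the get-key-policy output and the role ARN with the one shown in your instance details; a non-empty result means the wizard step was skipped or the wrong role was ticked.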

Encrypting user uploads with KMS

Create the user with addsftpuser. When it presents the encryption options, choose 2 for KMS, then paste the ARN of the KMS key.

Files transferred to the user's uploads directory are encrypted with that key. They remain readable from the AWS console (and from any other S3 client) by principals that are allowed to use the key, because S3 decrypts transparently on download; a principal without kms:Decrypt on the key gets an access-denied error instead.

Uploading KMS-encrypted files to other locations

You will need the AWS CLI if you want to write KMS-encrypted files into other S3 locations, such as:

  • A user's private download directory
  • The shared download directory

This is the syntax to use (the bucket name, object key and key ARN below are placeholders; substitute your own):

aws s3api put-object \
  --body file.txt \
  --bucket sftpgateway-i-0123456789abcde \
  --key testuser/downloads/file.txt \
  --server-side-encryption aws:kms \
  --ssekms-key-id arn:aws:kms:us-east-1:123456789012:key/abcdefghi-0123-4567-abcd-0123456789
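Setting the headers on put-object is only half the job; the practical check is to HEAD the object afterwards and confirm that ServerSideEncryption is aws:kms and SSEKMSKeyId is the key you intended, and to sweep the download directories for files that were copied in without those headers. The following is an added example, not SFTP Gateway's own code: it does the boto3 equivalent of the command above, then audits a prefix. The bucket, prefix, object keys and the in-memory FakeS3 stand-in are constructed; pass a real boto3 S3 client in its place to run it against your bucket.

```python
"""Upload with SSE-KMS and audit a prefix for objects not encrypted under the expected key.

Added example, not SFTP Gateway's own code.  Bucket, prefix, key ARN and the
FakeS3 sample data are assumptions; any boto3 S3 client works in place of FakeS3.
"""
import re

# Placeholder key ARN from the page; replace with your key's ARN.
EXPECTED_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/abcdefghi-0123-4567-abcd-0123456789"
BUCKET = "sftpgateway-i-0123456789abcde"

_KEY_RE = re.compile(r"^(?:arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/)?([A-Za-z0-9-]+)$")


def key_id(ref):
    """Bare key ID from a key ARN or key ID.  S3 reports SSEKMSKeyId as the key ARN
    even when the upload named an alias, so an alias cannot be compared here
    without resolving it first."""
    if ref.startswith("alias/") or ":alias/" in ref:
        raise ValueError("resolve the alias to a key ID first: " + ref)
    match = _KEY_RE.match(ref)
    if not match:
        raise ValueError("not a KMS key ARN or key ID: " + repr(ref))
    return match.group(1)


def upload_with_kms(s3, body, bucket, key, key_arn):
    """boto3 equivalent of the aws s3api put-object command above."""
    return s3.put_object(Bucket=bucket, Key=key, Body=body,
                         ServerSideEncryption="aws:kms", SSEKMSKeyId=key_arn)


def check_object(head, expected_key):
    """Classify a head_object response: 'ok', 'unencrypted', 'sse-other' or 'wrong-key'."""
    sse = head.get("ServerSideEncryption")
    if sse is None:
        return "unencrypted"          # no SSE at all
    if sse != "aws:kms":
        return "sse-other"            # e.g. AES256 (SSE-S3)
    if "SSEKMSKeyId" not in head or key_id(head["SSEKMSKeyId"]) != key_id(expected_key):
        return "wrong-key"            # KMS, but not the key we expect
    return "ok"


def audit_prefix(s3, bucket, prefix, expected_key):
    """HEAD every object under prefix (no object data is downloaded) and return
    {key: status} for the ones that are not SSE-KMS under expected_key."""
    findings = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            status = check_object(s3.head_object(Bucket=bucket, Key=obj["Key"]), expected_key)
            if status != "ok":
                findings[obj["Key"]] = status
    return findings


class FakeS3:
    """Constructed in-memory stand-in for a boto3 S3 client, just enough for this example."""
    def __init__(self, objects):
        self.objects = dict(objects)          # key -> head_object-style response

    def put_object(self, Bucket, Key, Body, ServerSideEncryption=None, SSEKMSKeyId=None):
        head = {}
        if ServerSideEncryption:
            head["ServerSideEncryption"] = ServerSideEncryption
        if SSEKMSKeyId:
            head["SSEKMSKeyId"] = SSEKMSKeyId   # real S3 reports the key ARN here
        self.objects[Key] = head
        return head

    def get_paginator(self, name):
        return self

    def paginate(self, Bucket, Prefix):
        yield {"Contents": [{"Key": k} for k in sorted(self.objects) if k.startswith(Prefix)]}

    def head_object(self, Bucket, Key):
        return self.objects[Key]


# Constructed sample: one compliant object, three an audit should flag, one outside the prefix.
SAMPLE_OBJECTS = {
    "testuser/downloads/report.pdf": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": EXPECTED_KEY_ARN},
    "testuser/downloads/notes.txt": {"ServerSideEncryption": "AES256"},
    "testuser/downloads/old.csv": {},
    "testuser/downloads/other.bin": {"ServerSideEncryption": "aws:kms",
                                     "SSEKMSKeyId": "arn:aws:kms:us-east-1:123456789012:key/ffffffff-0000-1111-2222-333333333333"},
    "shared/downloads/README": {},
}


def demo():
    """Upload one file with the expected key, then audit the user's download directory."""
    s3 = FakeS3(SAMPLE_OBJECTS)
    upload_with_kms(s3, b"hello", BUCKET, "testuser/downloads/file.txt", EXPECTED_KEY_ARN)
    return audit_prefix(s3, BUCKET, "testuser/downloads/", EXPECTED_KEY_ARN)


if __name__ == "__main__":
    for key, status in demo().items():
        print(f"{status:12} {key}")
```

Against a real bucket, replace FakeS3 with boto3.client("s3") and use the same three calls; the audit loop issues one HEAD per object, so scope the prefix to the directory you care about rather than the whole bucket. Objects flagged as sse-other or unencrypted can be fixed in place with a copy-object onto themselves that sets the KMS headers.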