Server-side encryption with S3-managed keys (SSE-S3) is the easiest way to encrypt data at rest on S3. This is the recommended option when using encryption.

Encrypting user uploads with SSE-S3

Configure a user with addsftpuser. When presented with encryption options, choose 1 for SSE-S3.

Files transferred to the user's uploads directory will be encrypted with SSE-S3. These files will still be readable from the AWS console, because S3 decrypts SSE-S3 objects transparently for anyone with permission to read them.

Uploading SSE-S3 encrypted files to other locations

You will need to use the AWS CLI if you want to encrypt files with SSE-S3 in other S3 locations, such as:

  • A user's private download directory
  • The shared download directory

This is the syntax to use:

aws s3api put-object \
  --body file.txt \
  --bucket sftpgateway-i-0123456789abcde \
  --key testuser/downloads/file.txt \
  --server-side-encryption AES256
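
To confirm that an upload was actually stored with SSE-S3, head-object reports the algorithm S3 recorded for the object. The following is an added example, not part of the original page or of SFTP Gateway; the function names are hypothetical, and it assumes the AWS CLI is configured with credentials for the bucket.

```shell
#!/bin/sh
# Added example: upload with SSE-S3, then verify what S3 actually stored.
# Function names are hypothetical; bucket/key values are supplied by the caller.

# Print the encryption algorithm recorded for an object:
# "AES256" for SSE-S3, "aws:kms" for SSE-KMS, "None" if the field is absent.
object_sse() {
  aws s3api head-object --bucket "$1" --key "$2" \
    --query ServerSideEncryption --output text
}

# Upload a file with SSE-S3 and fail unless head-object reports AES256.
put_sse_s3() {
  bucket=$1 key=$2 file=$3
  aws s3api put-object --body "$file" --bucket "$bucket" --key "$key" \
    --server-side-encryption AES256 >/dev/null || return 1
  alg=$(object_sse "$bucket" "$key") || return 1
  [ "$alg" = "AES256" ] || {
    echo "unexpected encryption on $key: $alg" >&2
    return 1
  }
}

# Read object keys on stdin (one per line) and print, tab-separated,
# the algorithm and key of every object that is not stored as SSE-S3.
# Returns 1 if any such object was found.
audit_sse_s3() {
  bucket=$1 bad=0
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    # </dev/null keeps the CLI from consuming the key list on stdin
    alg=$(object_sse "$bucket" "$key" </dev/null) || alg="ERROR"
    if [ "$alg" != "AES256" ]; then
      printf '%s\t%s\n' "$alg" "$key"
      bad=1
    fi
  done
  return "$bad"
}
```

For example, put_sse_s3 sftpgateway-i-0123456789abcde testuser/downloads/file.txt file.txt performs the upload shown above and checks the result. Since January 2023 S3 applies SSE-S3 to new objects by default, so a value other than AES256 usually points to an older object or one written with a different setting such as SSE-KMS.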