Server side encryption with S3 (SSE-S3) is the easiest way to encrypt data at rest on S3. This is the recommended option when using encryption.
Encrypting user uploads with SSE-S3
Configure a user with
addsftpuser. When presented with encryption options, choose
Files transferred to the user's uploads directory will be encrypted with SSE-S3. These files will still be readable from the AWS console.
Uploading SSE-S3 encrypted files to other locations
You will need to use the AWS CLI if you want to encrypt files with SSE-S3 in other S3 locations, such as:
- A user's private download directory
- The shared download directory
This is the syntax to use:
aws s3api put-object \ --body file.txt \ --bucket sftpgateway-i-0123456789abcde \ --key testuser/downloads/file.txt \ --server-side-encryption AES256