As always, we are adding features that our customers request or that cloud storage service providers have newly introduced. This time we decided to add a new PowerShell command that sets a custom encryption key for Server-Side Encryption with customer-provided keys (SSE-C) in Amazon S3.
Previously, Amazon S3 generated the encryption key for you and applied server-side encryption to your data, and decryption happened automatically when the data was retrieved.
With Amazon S3 SSE-C you can encrypt data on upload using your personal encryption key, which enhances the security of stored sensitive data. To download SSE-C encrypted data you are required to specify the encryption key.
Amazon promises and guarantees that your keys aren't stored in S3 and are used only at the moment of the request. Key requirement: a 256-bit key for AES-256.
We added new SSE-C functionality in PowerShell.
How to use SSE-C encryption:
1. Generate a 256-bit encryption key. This example demonstrates key generation using the password-based key derivation function PBKDF2.
$salt = [byte[]] (1,2,3,4,5,6,7,8)  # example salt; 8 bytes is the minimum Rfc2898DeriveBytes accepts
$iterations = 100000  # assumed value: the original snippet uses $iterations without defining it
$password = 'My$Super9Password'  # single quotes, so $Super9Password is not expanded as a variable
$binaryKey = (New-Object System.Security.Cryptography.Rfc2898DeriveBytes([System.Text.Encoding]::UTF8.GetBytes($password), $salt, $iterations)).GetBytes(32)  # 32 bytes = 256 bits
$base64Key = [System.Convert]::ToBase64String($binaryKey)
IMPORTANT NOTE: $password is just an example value. Make sure to use your own character sequence.
2. Copy data from local to Amazon S3 with SSE-C using generated key:
3. Download SSE-C encrypted file from Amazon S3:
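An added example, not CloudBerry's code and not part of the original post: it derives a key as in step 1, but with a random salt, and builds the three headers the S3 REST API expects on every SSE-C upload and download. The function names New-SseCKey and Get-SseCHeaders, the passphrase and the iteration count are assumptions made for this example.

```powershell
# Added example: not CloudBerry code. Function names are hypothetical.
function New-SseCKey {
    param(
        [Parameter(Mandatory=$true)] [string] $Password,
        [byte[]] $Salt,
        [int] $Iterations = 100000    # assumed work factor, tune for your hardware
    )
    if ($null -eq $Salt) {
        # A random salt per key. It is not secret, but it must be kept: the same
        # salt and iteration count are needed to re-derive the key for downloads.
        $Salt = New-Object byte[] 16
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        try { $rng.GetBytes($Salt) } finally { $rng.Dispose() }
    }
    $pwBytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $pwBytes, $Salt, $Iterations
    try { $key = $kdf.GetBytes(32) } finally { $kdf.Dispose() }   # 32 bytes = 256 bits
    New-Object psobject -Property @{ Key = $key; Salt = $Salt; Iterations = $Iterations }
}

function Get-SseCHeaders {
    param([Parameter(Mandatory=$true)] [byte[]] $Key)
    if ($Key.Length -ne 32) {
        throw "SSE-C needs a 256-bit (32-byte) key, got $($Key.Length) bytes"
    }
    # S3 uses the MD5 of the raw key bytes only as a transmission integrity check.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { $digest = $md5.ComputeHash($Key) } finally { $md5.Dispose() }
    # The key travels in a header, so S3 rejects SSE-C requests made over plain HTTP.
    @{
        'x-amz-server-side-encryption-customer-algorithm' = 'AES256'
        'x-amz-server-side-encryption-customer-key'       = [Convert]::ToBase64String($Key)
        'x-amz-server-side-encryption-customer-key-MD5'   = [Convert]::ToBase64String($digest)
    }
}

# Constructed sample passphrase; replace it with your own secret.
$k = New-SseCKey -Password 'constructed-example-passphrase'
$headers = Get-SseCHeaders -Key $k.Key

# Print header names and value lengths only, so the key never lands in transcripts or logs.
$headers.GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0}: <{1} base64 chars>' -f $_.Name, $_.Value.Length }
```

Because S3 does not keep the key, an object uploaded this way cannot be read again unless the key, or the passphrase together with the salt and iteration count, is retained.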
SSE-C support has also been added to other commands such as Move-CloudItem, Rename-CloudItem, etc.
Find more details at PowerShell Snap-In.
As always we would be happy to hear your feedback and you are welcome to post a comment.