IBM Cloud Docs
Server-Side Encryption with Customer-Provided Keys (SSE-C)

Server-Side Encryption with Customer-Provided Keys (SSE-C)

SSE-C is enforced on objects. Requests to read or write objects or their metadata that use customer-managed keys send the required encryption information as headers in the HTTP requests. The syntax is the same as the S3 API, and S3-compatible libraries that support SSE-C work as expected against IBM Cloud® Object Storage.

Any request that uses SSE-C headers must be sent by using SSL. The ETag values in response headers are not the MD5 hash of the object, but a randomly generated 32-byte hexadecimal string.

A typical PUT object request can make use of the following headers:

Header Type Description
x-amz-server-side-encryption-customer-algorithm String This header is used to specify the algorithm and key size to use with the encryption key stored in x-amz-server-side-encryption-customer-key header. This value must be set to the string AES256.
x-amz-server-side-encryption-customer-key String This header is used to transport the base 64 encoded byte string representation of the AES 256 key used in the server-side encryption process.
x-amz-server-side-encryption-customer-key-MD5 String This header is used to transport the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. The object store uses this value to validate the key passes in the x-amz-server-side-encryption-customer-key has not been corrupted during transport and encoding process. The digest must be calculated on the key BEFORE the key is base 64 encoded.

A cURL command might look like the following:

curl -v -T $FILE https://$ENDPOINT/$BUCKET  \
   -H "Authorization: bearer $TOKEN" \
   -H "Content-MD5: $MD5_OBJECT_HASH" \
   -H "x-amz-server-side-encryption-customer-algorithm: AES256" \
   -H "x-amz-server-side-encryption-customer-key:$ENCRYPTION_KEY" \
   -H "x-amz-server-side-encryption-customer-key-MD5:$MD5_KEY_HASH"