1 vote

Here is the encryption flow of server-side encryption with S3-managed keys (SSE-S3):

[Image: SSE-S3 encryption flow diagram]

(this picture is from Oreilly)

  1. The client selects their object(s) to upload to S3 and indicates the encryption mechanism of SSE-S3 during this process.
  2. S3 then takes control of the object and encrypts it with a plaintext data key that's generated by S3. The result is an encrypted version of the object, which is then stored within your chosen S3 bucket.
  3. The plaintext data key that was used to encrypt the object is then encrypted with an S3 master key, resulting in an encrypted version of the key. This now-encrypted key is also stored on S3 and has an association to the encrypted data object. Finally, the plaintext data key is removed from memory in S3.

As you can see, SSE-S3 uses a unique data key to encrypt the object, rather than the master key.

I heard a lot that SSE-KMS is envelope encryption, my question is:

Is SSE-S3 envelope encryption too?

References

  1. Stack Overflow: Does AWS KMS use envelope encryption?
  2. AWS KMS Envelope Encryption

1 Answer

0 votes

AWS encryption at rest (server-side encryption) uses envelope encryption irrespective of which key is used, not just for S3 but for every service at AWS. Here is a nice blog about it.

The only difference is who manages the data key and the encryption key.

  • SSE-S3: both keys are managed by AWS.
  • SSE-KMS: we manage the CMK, whereas AWS manages the data key. This gives us more control over rotation, access, etc.
  • SSE-C: we manage both the encryption key and the data key (we can choose not to use a data key and use the same key instead); we provide the data key and algorithm, AWS encrypts for us, and we need to keep track of which key is used for which object.
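The three-step flow in the question and the key-management comparison in the answer are both easiest to see in code. The following is an added example written for this page, not AWS code and not a description of S3 internals: it implements envelope encryption locally with AES-256-GCM from Go's standard library. `EnvelopeEncrypt` is steps 2 and 3 of the question (fresh data key, object encrypted under it, data key wrapped under a master key, plaintext data key zeroized), `RewrapDataKey` shows why a separately wrapped data key matters for master-key rotation, and `DirectEncrypt` models the SSE-C case the answer describes, where the supplied key encrypts the object itself and no wrapped key is stored. The master key and sample object are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the storage side keeps for one object under an envelope
// scheme: the object ciphertext plus the per-object data key wrapped
// (encrypted) under the master key. The plaintext data key is never stored.
type Envelope struct {
	Ciphertext []byte // nonce || AES-256-GCM(dataKey, object)
	WrappedKey []byte // nonce || AES-256-GCM(masterKey, dataKey)
}

// gcmSeal encrypts plaintext under a 32-byte key with a fresh random nonce;
// the nonce is prepended so gcmOpen can recover it.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+len(plaintext)+aead.Overhead())
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; a wrong key or tampered blob fails authentication.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// zeroize overwrites key material once it is no longer needed (step 3).
func zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EnvelopeEncrypt: generate a data key, encrypt the object with it, wrap the
// data key under the master key, keep both, discard the plaintext data key.
func EnvelopeEncrypt(masterKey, object []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	defer zeroize(dataKey)
	ct, err := gcmSeal(dataKey, object)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(masterKey, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// EnvelopeDecrypt unwraps the data key with the master key, then decrypts the
// object with the data key. The master key never touches the object itself.
func EnvelopeDecrypt(masterKey []byte, env Envelope) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zeroize(dataKey)
	return gcmOpen(dataKey, env.Ciphertext)
}

// RewrapDataKey rotates the master key without re-encrypting the object:
// only the small wrapped key is rewritten. That is the point of the envelope.
func RewrapDataKey(oldMaster, newMaster []byte, env Envelope) (Envelope, error) {
	dataKey, err := gcmOpen(oldMaster, env.WrappedKey)
	if err != nil {
		return Envelope{}, err
	}
	defer zeroize(dataKey)
	wrapped, err := gcmSeal(newMaster, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: env.Ciphertext, WrappedKey: wrapped}, nil
}

// DirectEncrypt/DirectDecrypt model the SSE-C case as the answer describes it:
// the caller's key encrypts the object directly and nothing about the key is
// stored beside the ciphertext, so the caller must track which key goes with
// which object; a different key simply fails to decrypt.
func DirectEncrypt(customerKey, object []byte) ([]byte, error) {
	return gcmSeal(customerKey, object)
}

func DirectDecrypt(customerKey, sealed []byte) ([]byte, error) {
	return gcmOpen(customerKey, sealed)
}

func main() {
	master := bytes.Repeat([]byte{0x11}, 32) // constructed stand-in master key
	env, err := EnvelopeEncrypt(master, []byte("constructed sample object"))
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(master, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes + %d wrapped-key bytes; recovered %q\n",
		len(env.Ciphertext), len(env.WrappedKey), pt)
}
```

The wrapped key is always 60 bytes here (12-byte nonce, 32-byte data key, 16-byte GCM tag) regardless of object size, which is why rewrapping on rotation is cheap while re-encrypting the object is not. Whether the master key lives in the service or in a KMS CMK changes who controls the unwrap step, not the shape of the scheme.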