Choosing S3 Encryption Type

When you use S3 Storage Encryption:

  • The communication from FileCloud to AWS will use SSL encryption resulting in complete protection for data in transit.
  • Once S3 is set up correctly, a new field called S3 Encryption will be available under Amazon S3 Storage Settings.

FileCloud supports the following Server Side Encryption types:

  • Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
    All data is encrypted at rest using AES 256-bit encryption. The data can only be accessed using the supplied key/secret credentials. The data will be accessible via the S3 Console.
    Note: Even though the encrypted data is accessible directly from the S3 console, do not access the data if it was created by FileCloud Managed storage, as doing so will cause data corruption to occur. In this case, the data should only be modified by FileCloud.

  • Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
    Similar to SSE-S3 but the key itself is managed using Amazon's KMS service. This allows management of specific keys and their permissions for encrypting the data. The data is still encrypted at rest and is accessible via S3 Console with appropriate credentials.

  • Server-Side Encryption with Customer-Provided Keys (SSE-C)
    The data is encrypted using the customer-supplied 32 bit encryption key. This option has SLOWER performance due to restrictions on how this data can be decrypted (the Amazon server is NOT able to decrypt the data; the data has to be first downloaded to the FileCloud server and then decrypted). The data is also NOT accessible via the S3 console.
    Notes:
    • When you choose SSE-C, any backups created before it was chosen will become invalid, and therefore that data will not be recoverable.
    • When SSE-C encryption is enabled, optimized upload is not available for S3 storage and S3 networks. 

WARNINGS:

  • Enabling encryption will start a process that attempts to encrypt all available data in the bucket as well as all new data.
  • This process can take some time depending on the amount of existing data in the bucket.
  • It is recommended that you modify the encryption setting when there is minimal activity on the FileCloud Server.

Although changing the Encryption setting can be done at any time, we recommend using off-peak hours to avoid any unexpected access issues.
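
One way to check how far the encryption process described in the warnings has progressed is to tally the EncryptionStatus column of an Amazon S3 Inventory report. This is an added example, not FileCloud code; it assumes S3 Inventory is enabled on the bucket with the optional EncryptionStatus field, and the bucket name, keys and rows below are constructed.

```python
import csv
import io
from collections import Counter
from urllib.parse import unquote

# Constructed sample. FILE_SCHEMA mirrors the "fileSchema" string of an
# inventory manifest; SAMPLE_ROWS mimics the header-less CSV data file.
FILE_SCHEMA = "Bucket, Key, Size, EncryptionStatus"
SAMPLE_ROWS = '''"example-filecloud-bucket","store/0001/report.pdf","48213","SSE-KMS"
"example-filecloud-bucket","store/0001/old%20scan.tif","901455","NOT-SSE"
"example-filecloud-bucket","store/0002/notes.txt","1204","SSE-KMS"
"example-filecloud-bucket","store/0002/archive.zip","7340032","SSE-S3"
'''


def audit_inventory(schema, rows_csv, expected):
    """Count objects per EncryptionStatus and list those that do not yet
    match the encryption type chosen in the storage settings."""
    columns = [c.strip() for c in schema.split(",")]
    if "EncryptionStatus" not in columns:
        raise ValueError("inventory was configured without EncryptionStatus")
    key_i = columns.index("Key")
    enc_i = columns.index("EncryptionStatus")

    counts, pending = Counter(), []
    for row in csv.reader(io.StringIO(rows_csv)):
        if not row:
            continue  # skip blank lines
        status = row[enc_i]  # SSE-S3, SSE-KMS, SSE-C or NOT-SSE
        counts[status] += 1
        if status != expected:
            # Keys are URL-encoded in CSV inventory files; decode for display.
            pending.append((unquote(row[key_i]), status))
    return counts, pending


if __name__ == "__main__":
    counts, pending = audit_inventory(FILE_SCHEMA, SAMPLE_ROWS, "SSE-KMS")
    total = sum(counts.values())
    print(f"{counts['SSE-KMS']}/{total} objects use SSE-KMS")
    for key, status in pending:
        print(f"still {status}: {key}")
```

Inventory reports are produced on a daily or weekly schedule, so the tally lags behind the actual state of the bucket.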