|
| 1 | +--- |
| 2 | +meta: |
| 3 | + title: Using Secret Manager to store encryption key for SSE-C |
| 4 | + description: Learn how to use Secret Manager to store encryption key for Object Storage and SSE-C. |
| 5 | +content: |
| 6 | + h1: Using Secret Manager to store encryption key for SSE-C |
| 7 | + paragraph: Learn how to use Secret Manager to store encryption key for Object Storage and SSE-C. |
| 8 | +tags: object-storage secret-manager encryption |
| 9 | +categories: |
| 10 | + - object-storage |
| 11 | + - secret-manager |
| 12 | + - key-manager |
| 13 | +dates: |
| 14 | + validation: 2025-10-15 |
| 15 | + posted: 2025-10-15 |
| 16 | +--- |
| 17 | +import Requirements from '@macros/iam/requirements.mdx' |
| 18 | + |
| 19 | +In this tutorial you'll learn how to use the Secret manager to store the encryption key used with [SSE-C](/object-storage/api-cli/enable-sse-c/). |
| 20 | + |
| 21 | +<Requirements /> |
| 22 | + |
| 23 | +- A Scaleway account logged into the [console](https://console.scaleway.com) |
| 24 | +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization |
| 25 | +- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) |
| 26 | +- Installed and initialized the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/) |
| 27 | + |
| 28 | +The goal here, is to use the Key Manager to generate the encryption key, store the encryption key in the Secret Manager, then use it for Object Storage SSE-C. |
| 29 | + |
| 30 | +### Generating the encryption key |
| 31 | + |
| 32 | +With the following commands, you will create a key in the Key Manager, generate the encryption key and then store it in the Secret Manager. |
| 33 | + |
| 34 | +```bash |
| 35 | +KEY_ID=$(scw keymanager key create -o template="{{.ID}}") |
| 36 | +DATA_KEY=$(scw keymanager key generate-data-key "$KEY_ID" -o json | jq -r .plaintext | base64 -d) |
| 37 | +SECRET_ID=$(scw secret secret create name=ssec-key path=/keys -o template="{{.ID}}") |
| 38 | +scw secret version create "$SECRET_ID" data="$DATA_KEY" |
| 39 | +``` |
| 40 | + |
| 41 | +### Encryption key and digest preparation |
| 42 | + |
| 43 | +First you access the secret version to get the encryption key, then you need to encode it to base64 and calculate the digest of the key, also encoded in base64. |
| 44 | + |
| 45 | +```bash |
| 46 | +scw secret version access "$SECRET_ID" revision=latest raw=true > ssec.key |
| 47 | +ENCRYPTION_KEY=$(cat ssec.key | base64) |
| 48 | +KEY_DIGEST=$(openssl dgst -md5 -binary ssec.key | base64) |
| 49 | +``` |
| 50 | + |
| 51 | +<Message type="important"> |
| 52 | +If you delete the secret containing the encryption key, you also lose the data encrypted with it, as you will not be able to perform `GET` operations on encrypted objects without the corresponding key. |
| 53 | +</Message> |
| 54 | + |
| 55 | +### Upload and download object with SSE-C |
| 56 | + |
| 57 | +Run the command below to upload an object and encrypt it. Make sure to replace `<your-bucket-name>`, `<your-object-key>`, and `<path/to/your/file>` with the correct values. |
| 58 | + |
| 59 | +```bash |
| 60 | +aws s3api put-object \ |
| 61 | + --bucket <your-bucket-name> \ |
| 62 | + --key <your-object-key> \ |
| 63 | + --body <path/to/your/file> \ |
| 64 | + --sse-customer-algorithm AES256 \ |
| 65 | + --sse-customer-key $ENCRYPTION_KEY \ |
| 66 | + --sse-customer-key-md5 $KEY_DIGEST |
| 67 | +``` |
| 68 | + |
| 69 | +Run the command below to download the previously uploaded object and decrypt it. Make sure to replace `<your-bucket-name>`, `<your-object-key>`, and `<path/to/destination/file>` with the correct values. |
| 70 | + |
| 71 | +```bash |
| 72 | +aws s3api get-object \ |
| 73 | + --bucket <your-bucket-name> \ |
| 74 | + --key <your-object-key> \ |
| 75 | + <path/to/destination/file> \ |
| 76 | + --sse-customer-algorithm AES256 \ |
| 77 | + --sse-customer-key $ENCRYPTION_KEY \ |
| 78 | + --sse-customer-key-md5 $KEY_DIGEST |
| 79 | +``` |
0 commit comments