Skip to content

Instantly share code, notes, and snippets.

Andreas Auernhammer aead

Block or report user

Report or block aead

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile


The S3 client can specify two headers for SSE-KMS:

  • X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id: arn:aws:kms:region:111122223333:key/<32-char keyId>
  • X-Amz-Server-Side-Encryption-Context:
AWS doc Confirmed
key ID is 32 byte string [x]
The encryption context is not stored on S3 [ ]

mc SSE interface


SSE-S3 requires just setting the header X-Amz-Server-Side-Encryption: AES256. So mc can implement SSE-S3 by just providing a CLI flag: --sse-s3: mc cp your-file S3/bucket/object --sse-s3


SSE-C requires three headers:

aead /
Last active Mar 16, 2018
AWS S3 server side encryption


AWS S3 offers three different types of server-side encryption (SSE):

  • Server-Side-Encryption (at rest) a.k.a SSE-S3
  • Server-Side-Encryption using a KMS a.k.a SSE-KMS
  • Server-Side-Encryption with customer keys a.k.a SSE-C

1. Server-Side-Encryption (SSE-S3)

You can’t perform that action at this time.