@aead
Last active March 29, 2018 10:38

mc SSE interface

SSE-S3

SSE-S3 requires just setting the header X-Amz-Server-Side-Encryption: AES256. So mc can implement SSE-S3 by just providing a CLI flag: --sse-s3: mc cp your-file S3/bucket/object --sse-s3

SSE-C

SSE-C requires three headers:

  • X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256. (This is basically a constant header)
  • X-Amz-Server-Side-Encryption-Customer-Key: <32-byte-key> (This header must be specified by the user)
  • X-Amz-Server-Side-Encryption-Customer-Key-Md5: <MD5(key)> (This header depends only on the key and need not be specified by the user)

So mc can implement SSE-C by just providing a CLI flag+argument: --sse-c <32-byte-key-as-hex>: mc cp your-file S3/bucket/object --sse-c 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f

This is useful if mc should access an object uploaded by an SDK where only the SSE-C key is known and the key was not derived from a password.
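The three SSE-C headers above are fully determined by the key, so a client can build them from the hex value passed to --sse-c. The following is an added example in Go (mc's own language), not code from the gist or from mc itself: it decodes the hex key, checks the length, and emits the headers, plus the check a receiving server performs on the Key-Md5 header. One detail the text leaves implicit: the S3 API carries both the key and its MD5 in the headers base64-encoded, which is what the code does. The function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
)

const (
	hdrSSECAlgorithm = "X-Amz-Server-Side-Encryption-Customer-Algorithm"
	hdrSSECKey       = "X-Amz-Server-Side-Encryption-Customer-Key"
	hdrSSECKeyMD5    = "X-Amz-Server-Side-Encryption-Customer-Key-Md5"
)

// SSECHeaders builds the SSE-C request headers from the 32-byte key that
// the user passes as hex (the --sse-c flag in the text). The key and its
// MD5 digest are base64-encoded, as the S3 API expects. (Hypothetical name.)
func SSECHeaders(hexKey string) (http.Header, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("sse-c: key is not valid hex: %w", err)
	}
	if len(key) != 32 {
		return nil, errors.New("sse-c: key must be exactly 32 bytes (64 hex characters)")
	}
	sum := md5.Sum(key)

	h := http.Header{}
	h.Set(hdrSSECAlgorithm, "AES256") // constant for SSE-C
	h.Set(hdrSSECKey, base64.StdEncoding.EncodeToString(key))
	h.Set(hdrSSECKeyMD5, base64.StdEncoding.EncodeToString(sum[:]))
	return h, nil
}

// VerifySSECHeaders is the server-side counterpart: it recomputes MD5 over
// the decoded key and rejects the request when the Key-Md5 header does not
// match, which catches a key corrupted or truncated in transit before any
// data is encrypted under the wrong key. (Hypothetical name.)
func VerifySSECHeaders(h http.Header) error {
	if h.Get(hdrSSECAlgorithm) != "AES256" {
		return errors.New("sse-c: unsupported customer algorithm")
	}
	key, err := base64.StdEncoding.DecodeString(h.Get(hdrSSECKey))
	if err != nil || len(key) != 32 {
		return errors.New("sse-c: customer key must be 32 bytes, base64-encoded")
	}
	want, err := base64.StdEncoding.DecodeString(h.Get(hdrSSECKeyMD5))
	if err != nil {
		return errors.New("sse-c: customer key MD5 is not valid base64")
	}
	sum := md5.Sum(key)
	if !bytes.Equal(sum[:], want) {
		return errors.New("sse-c: customer key MD5 does not match the key")
	}
	return nil
}

func main() {
	// Constructed sample key: the same 32 bytes used in the text's example.
	h, err := SSECHeaders("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, name := range []string{hdrSSECAlgorithm, hdrSSECKey, hdrSSECKeyMD5} {
		fmt.Printf("%s: %s\n", name, h.Get(name))
	}
	fmt.Println("server check:", VerifySSECHeaders(h))
}
```

The MD5 here is purely an integrity check on the transported key, not a security primitive; the length check on the client side means a mistyped hex string fails locally instead of producing a rejected request.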

SSE-KMS

SSE-KMS requires only: X-Amz-Server-Side-Encryption: aws:kms. Additionally the user can specify a certain customer master key (by referencing it with an ID): X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id: <key-id>, where <key-id> must follow the scheme: arn:aws:kms:region:acct-id:key/key-id

Additionally a user can specify a KMS encryption context: X-Amz-Server-Side-Encryption-Context: <context>. The context is a set of key-value pairs. However, it's questionable whether mc should support context (it adds CLI complexity with little benefit).

  1. mc cp your-file S3/bucket/object --sse-kms
  2. mc cp your-file S3/bucket/object --sse-kms arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

SSE-C using passwords

To be more convenient for CLI usage, mc should also support SSE-C with passwords. mc will derive a key per object from the user password in a deterministic way.

mc cp your-file S3/bucket/object --encrypt <password>

The SSE-C key is defined as: key = PBKDF(password, bucket-name + object-name) where PBKDF = Argon2-id_1_64MB_2.
