@aead
aead / S3-SSE.md
Last active March 16, 2018 20:16
AWS S3 server side encryption

Server-Side-Encryption

AWS S3 offers three different types of server-side encryption (SSE):

  • Server-Side-Encryption (at rest), a.k.a. SSE-S3
  • Server-Side-Encryption using a KMS, a.k.a. SSE-KMS
  • Server-Side-Encryption with customer keys, a.k.a. SSE-C

1. Server-Side-Encryption (SSE-S3)

mc SSE interface

SSE-S3

SSE-S3 only requires setting the header X-Amz-Server-Side-Encryption: AES256, so mc can implement SSE-S3 with a single CLI flag, --sse-s3:

mc cp your-file S3/bucket/object --sse-s3

SSE-C

SSE-C requires three headers:

Client

The S3 client can specify two headers for SSE-KMS:

  • X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id: arn:aws:kms:region:111122223333:key/<32-char keyId>
  • X-Amz-Server-Side-Encryption-Context:

AWS doc | Confirmed
key ID is 32 byte string | [x]
The encryption context is not stored on S3 | [ ]

diff --git a/argon2/argon2.go b/argon2/argon2.go
index b423fea..4ce5cac 100644
--- a/argon2/argon2.go
+++ b/argon2/argon2.go
@@ -99,6 +99,37 @@ func IDKey(password, salt []byte, time, memory uint32, threads uint8, keyLen uin
return deriveKey(argon2id, password, salt, nil, nil, time, memory, threads, keyLen)
}
+func New(time, memory uint32, threads uint8) func([]byte, []byte, uint32) []byte {
+ if time < 1 {
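Review bot: The exported `New` on the first added line has no doc comment, and its name does not say which Argon2 variant the returned function derives with, even though the context line just above shows `IDKey` passing `argon2id` to `deriveKey`. Add a comment that names the variant and explains `time`, `memory` and `threads`, or choose a name that carries the variant, so a caller does not have to read the body to know which KDF they get.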
@aead
aead / argon2.patch
Created March 13, 2020 18:11
Argon2 closure API
diff --git a/argon2/argon2.go b/argon2/argon2.go
index b423fea..9535653 100644
--- a/argon2/argon2.go
+++ b/argon2/argon2.go
@@ -99,6 +99,37 @@ func IDKey(password, salt []byte, time, memory uint32, threads uint8, keyLen uin
return deriveKey(argon2id, password, salt, nil, nil, time, memory, threads, keyLen)
}
+func New(time, memory uint32, threads uint8) func([]byte, []byte, uint32) []byte {
+ if time < 1 {
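Review bot: The return type in the `New` signature, `func([]byte, []byte, uint32) []byte`, leaves all three parameters unnamed, so nothing in the signature tells a caller which slice is the password and which is the salt, and swapping them still compiles. Name the parameters in the function type, for example `func(password, salt []byte, keyLen uint32) []byte` if they follow the order `IDKey` uses in the hunk header.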
@aead
aead / minio-kms-setup.md
Last active April 1, 2024 20:53
MinIO KMS Setup

1. Download MinIO KMS binary

curl -sSL -o ./minkms https://dl.min.io/enterprise/minkms/release/linux-amd64/minkms

Make the MinKMS binary executable:

chmod +x ./minkms