SSE-C in Amazon S3 is “Server-Side Encryption with Customer-Provided Keys,” where you generate and manage the encryption keys, but S3 performs the actual encryption/decryption on the server side using those keys for each request that stores or retrieves an object. The process works as follows:
- You send the plaintext key in HTTPS headers with each PUT/GET request.
- S3 uses your key to encrypt the object with AES-256, stores only the encrypted data plus a salted HMAC of your key, and discards the plaintext key after the operation.
- On read, you must send the same key again. S3 calculates and verifies the HMAC of the key, and if it matches the one stored, it decrypts the object before returning it.
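As an added example (not code from the original page or from AWS): a client-side builder for the real SSE-C request headers, plus a constructed, stdlib-only model of the server's key handling that shows why a wrong key is rejected and why S3 never has to persist the key. The AES-256 step is replaced by a clearly labelled HMAC keystream stand-in, and the `FakeSseCBucket` class and its error strings are assumptions for illustration.

```python
import base64, hashlib, hmac, os

# Header names are the real S3 SSE-C request headers.
H_ALG = "x-amz-server-side-encryption-customer-algorithm"
H_KEY = "x-amz-server-side-encryption-customer-key"
H_MD5 = "x-amz-server-side-encryption-customer-key-MD5"

def ssec_headers(key: bytes) -> dict:
    """Headers a client attaches to every PUT/GET of an SSE-C object."""
    if len(key) != 32:
        raise ValueError("SSE-C needs a 256-bit (32-byte) AES key")
    return {
        H_ALG: "AES256",
        H_KEY: base64.b64encode(key).decode(),
        # The MD5 is a transport integrity check on the key, not a secret.
        H_MD5: base64.b64encode(hashlib.md5(key).digest()).decode(),
    }

class FakeSseCBucket:
    """Constructed server-side model: keeps ciphertext + a salted HMAC of the
    key, never the key. AES-256 is replaced by a labelled stand-in keystream."""
    def __init__(self):
        self._objects = {}

    @staticmethod
    def _key_from(headers: dict) -> bytes:
        key = base64.b64decode(headers[H_KEY])
        md5 = base64.b64encode(hashlib.md5(key).digest()).decode()
        if headers.get(H_ALG) != "AES256" or headers.get(H_MD5) != md5:
            raise ValueError("400: SSE-C key and key-MD5 headers do not match")
        return key

    @staticmethod
    def _cipher(key, data, nonce):
        # STAND-IN for AES-256 (not AES): HMAC-SHA256 keystream XORed into data.
        out = bytearray()
        for i in range(0, len(data), 32):
            ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
        return bytes(out)

    def put(self, name, body, headers):
        key = self._key_from(headers)
        salt, nonce = os.urandom(16), os.urandom(16)
        tag = hmac.new(salt, key, hashlib.sha256).digest()  # salted HMAC of the key
        self._objects[name] = (salt, tag, nonce, self._cipher(key, body, nonce))
        # `key` is dropped here: only ciphertext, salt and `tag` persist.

    def get(self, name, headers):
        key = self._key_from(headers)
        salt, tag, nonce, ct = self._objects[name]
        if not hmac.compare_digest(hmac.new(salt, key, hashlib.sha256).digest(), tag):
            raise PermissionError("403 Forbidden: SSE-C key does not match")
        return self._cipher(key, ct, nonce)
```

Note that the client must resend the same key on every GET, HEAD or COPY of the object; losing the key means the ciphertext in S3 is unrecoverable.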
This pattern is specific to S3 in AWS terminology; other AWS services do not offer “SSE-C” by name, although the general idea of customer-managed encryption keys exists elsewhere via KMS (for example, using your own KMS keys in EBS, RDS, etc.).
A recommended alternative is client-side encryption, where you encrypt your data before sending it to the service.