
Server Side encryption vs Client Side encryption - Amazon S3

I want to store a lot of files in Amazon S3 for my application. I have an option to use server-side encryption or client-side encryption or both.

By Server-side encryption, I mean using the Amazon S3 encryption feature to encrypt files. And by Client-side encryption, I mean that I will encrypt files in my application and then store that in S3.

Which one is preferred? Both methods have different advantages: server-side encryption will be good for processing, as Amazon has fully optimized it, but with client-side encryption I am not dependent on Amazon; in future I can easily transfer my files to another file system and my encryption would be intact. Also, if someone gets access to my Amazon S3 UI, they can easily download decrypted files in the server-side encryption method. Also, Amazon S3 encryption comes with a cost.

Please help me in deciding this.

If you use server-side encryption then your data is protected by policies only. If you accidentally give access to someone (or someone steals your AWS access keys) then it does not matter if it is stored encrypted or not.

With client-side encryption you manage the key and without it nobody can access the contents of the files. If you mess up the policies, the keys protect your data.

Server-Side encryption is the easiest.

It ensures "encryption at rest", but S3 manages it all for you. When an object is accessed by somebody with the appropriate permissions, S3 automatically decrypts the object and provides the contents. (Requests are also made via HTTPS, so the object contents will be encrypted in transit.)

There are a number of options for server-side encryption:

  • Default AES-256
  • Using a specific KMS key
  • Using a customer-provided KMS key

When using KMS for encryption, the identity accessing the object also requires permission to use the KMS key. So, this is an additional layer of security that you might want to use.

If you are worried about somebody inappropriately accessing your account, you should consider using Multi-Factor Authentication to prevent unauthorized access.
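An added example in Python (not code from any of the answers above) that ties the two points together: it builds the boto3 `put_object` parameters for each server-side mode (SSE-S3, SSE-KMS, and SSE-C where the caller supplies its own key), and a bucket policy that denies uploads which do not request server-side encryption, since with SSE the protection really is policy. The bucket name and KMS key ARN are constructed placeholders, and `upload_permitted` is a local simulation of the two policy condition operators, not an AWS API.

```python
"""Added example: S3 server-side encryption modes and a bucket policy enforcing them."""

BUCKET = "example-bucket"  # constructed placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"  # placeholder


def put_object_kwargs(mode, body, key, kms_key_id=None, customer_key=None):
    """Keyword arguments for boto3 s3.put_object for one SSE mode.

    'sse-s3': S3-managed AES-256 key.  'sse-kms': a specific KMS key; the caller
    also needs kms:GenerateDataKey / kms:Decrypt on it.  'sse-c': a 32-byte key
    the caller supplies on every request; S3 uses it but never stores it.
    """
    kwargs = {"Bucket": BUCKET, "Key": key, "Body": body}
    if mode == "sse-s3":
        kwargs["ServerSideEncryption"] = "AES256"
    elif mode == "sse-kms":
        kwargs["ServerSideEncryption"] = "aws:kms"
        kwargs["SSEKMSKeyId"] = kms_key_id
    elif mode == "sse-c":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 32-byte key")
        kwargs["SSECustomerAlgorithm"] = "AES256"
        kwargs["SSECustomerKey"] = customer_key  # boto3 base64-encodes it and adds the MD5 header
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return kwargs


def require_sse_policy(bucket, kms_only=False):
    """Bucket policy denying any PutObject that does not request SSE.

    With kms_only=True, uploads that request plain SSE-S3 are denied too, so only
    SSE-KMS objects (which also need KMS key permission to read) can be written.
    Note: SSE-C requests do not send x-amz-server-side-encryption, so they are denied.
    """
    arn = f"arn:aws:s3:::{bucket}/*"
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": arn}
    statements = [dict(deny, Sid="DenyUnencryptedUploads",
                       Condition={"Null": {"s3:x-amz-server-side-encryption": "true"}})]
    if kms_only:
        statements.append(dict(deny, Sid="DenyNonKmsUploads",
                               Condition={"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}))
    return {"Version": "2012-10-17", "Statement": statements}


def upload_permitted(policy, kwargs):
    """Local simulation: does any Deny statement match this put_object request?
    Assumes the caller is otherwise allowed; models only the two operators used above."""
    ctx = {}
    if "ServerSideEncryption" in kwargs:
        ctx["s3:x-amz-server-side-encryption"] = kwargs["ServerSideEncryption"]
    for st in policy["Statement"]:
        for op, cond in st["Condition"].items():
            for cond_key, want in cond.items():
                if op == "Null":
                    matched = (cond_key not in ctx) == (want == "true")
                else:  # StringNotEquals
                    matched = ctx.get(cond_key) != want
                if matched:
                    return False  # explicit Deny wins
    return True
```

Since S3 now applies SSE-S3 to new objects by default, the main practical use of this policy today is the `kms_only` form, which forces uploads onto a key you control the access to.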

Firstly, this is a requirement which needs to be answered by the business. Depending on the sensitivity of the data under discussion, there could be regulatory norms expecting client-side encryption. Please discuss with the business users.

If there is no such requirement based on the data, then you can opt for server-side encryption. It is simple, and the management work is done by AWS.

On top of it, if you still want extra security, go for client-side encryption.
