got an email from aws that almost gave me a heart attack...
basically the warning said: [Action may be Required] Amazon S3 to automatically disable SSE-C encryption for new buckets.
my first reaction was "great, they wanna steal my keys and force KMS usage so they have access to everything".
i always used SSE-C (server-side encryption with customer-provided keys) bc i care about security. i thought "i keep the key, i send the file, aws just stores it".
but after analyzing deeply, i realized i was living a security illusion. (¬_¬)
the security theater
the truth is SSE-C is kinda "theater" for ppl who dont trust the cloud.
think about it: for aws to encrypt ur file using ur key... u have to send the key to them at upload time (via HTTPS).
so yeah, the key enters their server, goes to RAM, they use it to scramble the data and then "promise" to delete it from memory.
if u dont trust amazon, u shouldnt trust them even for that millisecond the key is in their hands.
digital trash
plus theres the operational risk: if u lose the key, its over. aws has no backup. the file becomes digital trash. (╥﹏╥)
they must get so many support tickets from ppl crying about lost keys, so they decided to disable this by default starting april 2026 (u can still use it but u gotta activate via API, which is annoying).
the real fix: client-side encryption
if ur paranoid like me, the solution isnt giving the key to aws to play with. its never letting the key leave ur pc. its called client-side encryption.
- u encrypt the file on ur pc (using gpg, openssl, or ur language sdk).
- the file becomes unreadable alphabet soup.
- u upload that soup to s3.
for aws, thats just a pile of random bytes. they never saw the key, never saw the content.
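the three steps above as a runnable sketch. this is an added example, not part of the original post: the function names, file names and the `example-bucket` bucket are made up for illustration, and it assumes `openssl` 1.1.1 or newer is installed.

```shell
#!/bin/sh
# Added example: encrypt locally, upload only the ciphertext.
# All names (functions, files, bucket) are illustrative assumptions.
set -eu

# Generate a random 256-bit key file that never leaves this machine.
# Back it up offline: if it is lost, the uploaded object is unrecoverable.
make_key() {
    ( umask 077 && openssl rand -hex 32 > "$1" )
}

# encrypt_file <keyfile> <plaintext> <ciphertext>
# AES-256-CTR, key derived from the key file with PBKDF2, random salt per file.
# Caveat: `openssl enc` gives confidentiality only, no tamper detection;
# gpg and rclone crypt add an integrity check on top.
encrypt_file() {
    openssl enc -aes-256-ctr -pbkdf2 -iter 200000 -salt \
        -pass "file:$1" -in "$2" -out "$3"
}

# decrypt_file <keyfile> <ciphertext> <plaintext>
decrypt_file() {
    openssl enc -d -aes-256-ctr -pbkdf2 -iter 200000 \
        -pass "file:$1" -in "$2" -out "$3"
}

# Demo on a constructed sample file in a throwaway directory.
demo() {
    d=$(mktemp -d)
    printf 'account=1234 secret=hunter2\n' > "$d/notes.txt"  # constructed sample
    make_key "$d/backup.key"
    encrypt_file "$d/backup.key" "$d/notes.txt" "$d/notes.txt.enc"
    # Only the .enc file gets uploaded, for example:
    #   aws s3 cp "$d/notes.txt.enc" s3://example-bucket/notes.txt.enc
    decrypt_file "$d/backup.key" "$d/notes.txt.enc" "$d/restored.txt"
    cmp -s "$d/notes.txt" "$d/restored.txt" && echo "round trip ok"
    rm -rf "$d"
}

demo
```

the key file is the only thing that can turn the object back into a readable file, so it needs its own backup somewhere other than the bucket.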
how to do this without a headache? (rclone crypt)
remember my post about rclone + backblaze? well, rclone has a native feature called crypt.
instead of sending the raw file, u configure an encrypted "remote" that points to s3. super secure!
ps: for corporate use, KMS (key management service) is better, bc the key stays in an HSM (hardware security module, aka hardened hardware) that not even aws employees can extract. so its all good!