Common SSE-C headers

The following common headers are available for buckets that have Server-Side Encryption with Customer-Provided Keys (SSE-C) enabled.

Any request using SSE-C headers must be sent using SSL. Note that ETag values in response headers are not the MD5 hash of the object, but a randomly generated 32-byte hexadecimal string. Each version of an object can have a unique customer key. For more information on how to enable SSE-C, see the Manager Administration Guide.

| Header | Type | Description |
| --- | --- | --- |
| x-amz-server-side-encryption-customer-algorithm | string | Specifies the algorithm and key size to use with the encryption key carried in the x-amz-server-side-encryption-customer-key header. This value must be set to the string AES256. |
| x-amz-server-side-encryption-customer-key | string | Transports the base64-encoded byte string representation of the AES 256 key used in the server-side encryption process. |
| x-amz-server-side-encryption-customer-key-MD5 | string | Transports the base64-encoded 128-bit MD5 digest of the encryption key, calculated according to RFC 1321. The object store uses this value to validate that the key passed in the x-amz-server-side-encryption-customer-key header has not been corrupted during transport and encoding. The digest must be calculated on the key BEFORE the key is base64 encoded. |
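
The following added example (not taken from the product documentation) builds the three headers from a raw 32-byte key and repeats the key/digest consistency check on the client before sending. The function names, the sample key and the objectstore.example URL are assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import urlparse

PREFIX = "x-amz-server-side-encryption-customer-"
ALGORITHM = "AES256"  # the only value the table above allows


def ssec_headers(key: bytes, url: str) -> dict:
    """Build the three SSE-C headers for a raw 32-byte AES-256 key."""
    if len(key) != 32:
        raise ValueError("SSE-C needs a 256-bit (32-byte) key")
    if urlparse(url).scheme != "https":
        raise ValueError("SSE-C requests must be sent over SSL")
    digest = hashlib.md5(key).digest()  # raw key bytes, BEFORE base64
    return {
        PREFIX + "algorithm": ALGORITHM,
        PREFIX + "key": base64.b64encode(key).decode("ascii"),
        PREFIX + "key-MD5": base64.b64encode(digest).decode("ascii"),
    }


def headers_consistent(headers: dict) -> bool:
    """Client-side pre-flight: repeat the key/digest check described above."""
    try:
        key = base64.b64decode(headers[PREFIX + "key"], validate=True)
        sent = base64.b64decode(headers[PREFIX + "key-MD5"], validate=True)
    except (KeyError, ValueError):  # missing header or malformed base64
        return False
    return (headers.get(PREFIX + "algorithm") == ALGORITHM
            and len(key) == 32
            and sent == hashlib.md5(key).digest())


def digest_over_encoded_key(headers: dict) -> dict:
    """Reproduce a common mistake: MD5 taken over the base64 text."""
    bad = hashlib.md5(headers[PREFIX + "key"].encode("ascii")).digest()
    return {**headers, PREFIX + "key-MD5": base64.b64encode(bad).decode("ascii")}


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed sample; use os.urandom(32) in practice
    good = ssec_headers(sample_key, "https://objectstore.example/bucket/object")
    print(headers_consistent(good))                           # True
    print(headers_consistent(digest_over_encoded_key(good)))  # False
```

Because each version of an object can have its own customer key, the same key must be stored by the client and supplied again on every later request for that version.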