How to use Minio's server-side-encryption with aws-cli

Minio supports S3 server-side-encryption with customer provided keys (SSE-C).
A client must specify three HTTP headers for SSE-C requests:

Security notice:

1. Install Minio Server with TLS

Install Minio Server with TLS from here.

Notice that tools like aws-cli or mc will show an error if you use a self-signed TLS certificate and try to upload objects to the server. Take a look at Let's Encrypt to get a CA-signed TLS certificate. Self-signed certificates should only be used for development, testing or internal usage.

2. Use SSE-C with the aws-cli

Install the aws-cli like shown here.

Let's assume you're running a local Minio server on https://localhost:9000 with
a self-signed certificate. To skip TLS certificate verification you need to
specify --no-verify-ssl. If your Minio server uses a CA-signed certificate you
should never specify --no-verify-ssl: otherwise the aws-cli would accept
any certificate, and the TLS connection no longer protects you.

2.1 Upload an object

  1. Create a bucket named my-bucket:

    aws --no-verify-ssl --endpoint-url https://localhost:9000 s3api create-bucket --bucket my-bucket

  2. Upload an object using SSE-C. The object name is my-secret-diary and its content is the file ~/my-diary.txt:

    aws s3api put-object \
    --no-verify-ssl \
    --endpoint-url https://localhost:9000 \
    --bucket my-bucket \
    --key my-secret-diary \
    --sse-customer-algorithm AES256 \
    --sse-customer-key MzJieXRlc2xvbmdzZWNyZXRrZXltdXN0cHJvdmlkZWQ= \
    --sse-customer-key-md5 7PpPLAK26ONlVUGOWlusfg== \
    --body ~/my-diary.txt

  You should use your own encryption key.
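As an added example (not part of the Minio documentation or the aws-cli), the following Python derives the values that --sse-customer-key and --sse-customer-key-md5 take from a raw 32-byte key, maps them onto the standard S3 SSE-C request headers, and checks a key/MD5 pair the way a server does before using the key. PAGE_KEY_B64 is the key string from the commands above; the function names are this example's own.

```python
import base64
import hashlib
import os

# Standard S3 SSE-C request headers; the aws-cli flags above map onto these.
SSEC_HEADERS = {
    "algorithm": "X-Amz-Server-Side-Encryption-Customer-Algorithm",
    "key": "X-Amz-Server-Side-Encryption-Customer-Key",
    "key_md5": "X-Amz-Server-Side-Encryption-Customer-Key-MD5",
}

# The key from the aws-cli commands above (base64 of a 32-byte key).
PAGE_KEY_B64 = "MzJieXRlc2xvbmdzZWNyZXRrZXltdXN0cHJvdmlkZWQ="


def new_random_key() -> bytes:
    """Generate a fresh 32-byte SSE-C key from the OS CSPRNG (AES-256 key size)."""
    return os.urandom(32)


def ssec_params(raw_key: bytes) -> dict:
    """Return the three values the --sse-customer-* flags take for a raw 32-byte key."""
    if len(raw_key) != 32:
        raise ValueError(f"SSE-C needs a 32-byte key, got {len(raw_key)} bytes")
    key_b64 = base64.b64encode(raw_key).decode()
    # The MD5 is computed over the raw key bytes (not over the base64 text) and
    # is itself base64-encoded; the server uses it to detect a corrupted key.
    key_md5_b64 = base64.b64encode(hashlib.md5(raw_key).digest()).decode()
    return {"algorithm": "AES256", "key": key_b64, "key_md5": key_md5_b64}


def ssec_headers(raw_key: bytes) -> dict:
    """Same values, keyed by the HTTP header names a client actually sends."""
    return {SSEC_HEADERS[k]: v for k, v in ssec_params(raw_key).items()}


def check_key_pair(key_b64: str, key_md5_b64: str) -> bool:
    """Verify a base64 key / base64 MD5 pair as the server does before using the key.

    Returns False for malformed base64, a key that is not 32 bytes, or an MD5
    that does not match, instead of raising.
    """
    try:
        raw_key = base64.b64decode(key_b64, validate=True)
        return ssec_params(raw_key)["key_md5"] == key_md5_b64
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    params = ssec_params(new_random_key())
    print("--sse-customer-key", params["key"])
    print("--sse-customer-key-md5", params["key_md5"])
```

check_key_pair(PAGE_KEY_B64, "7PpPLAK26ONlVUGOWlusfg==") tells you whether the MD5 used in the commands above matches the key before you send the request to the server.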

2.2 Show object information

You must specify the correct SSE-C key of an encrypted object to show its metadata:

  aws s3api head-object \
  --no-verify-ssl \
  --endpoint-url https://localhost:9000 \
  --bucket my-bucket \
  --key my-secret-diary \
  --sse-customer-algorithm AES256 \
  --sse-customer-key MzJieXRlc2xvbmdzZWNyZXRrZXltdXN0cHJvdmlkZWQ= \
  --sse-customer-key-md5 7PpPLAK26ONlVUGOWlusfg==

2.3 Download an object

  1. Now delete your local copy of my-diary.txt:

    rm ~/my-diary.txt

  2. You can restore the diary by downloading it from the server:

    aws s3api get-object \
    --no-verify-ssl \
    --endpoint-url https://localhost:9000 \
    --bucket my-bucket \
    --key my-secret-diary \
    --sse-customer-algorithm AES256 \
    --sse-customer-key MzJieXRlc2xvbmdzZWNyZXRrZXltdXN0cHJvdmlkZWQ= \
    --sse-customer-key-md5 7PpPLAK26ONlVUGOWlusfg== \
    ~/my-diary.txt