How to use Minio's Server-side Encryption with the AWS CLI

Minio supports S3 server-side-encryption with customer provided keys (SSE-C). The following sections describe the use of server-side encryption with the AWS Command Line Interface (aws-cli):

1. Prerequisites

A client must specify three HTTP headers for SSE-C requests:

Install the Minio Server with TLS as described here.

Note: Tools like aws-cli or mc will display an error if a self-signed TLS certificate is used when trying to upload objects to the server. See Let's Encrypt to get a CA-signed TLS certificate. Self-signed certificates should only be used for development, testing or internal usage.

2. Use SSE-C with aws-cli

This section describes how to use server-side encryption with customer-provided encryption (SSE-C) keys via the aws-cli.

2.1 Install the aws-cli

You can install the AWS Command Line Interface using the procedure described here.

2.2 Create a bucket named my-bucket

aws --no-verify-ssl --endpoint-url https://localhost:9000 s3api create-bucket --bucket my-bucket

2.3 Upload an Object using SSE-C

The following example shows how to upload an object named my-secret-diary where the content is the file ~/my-diary.txt. Note that you should use your own encryption key.

aws s3api put-object \
  --no-verify-ssl \
  --endpoint-url https://localhost:9000 \
  --bucket my-bucket --key my-secret-diary \
  --sse-customer-algorithm AES256 \
  --sse-customer-key MzJieXRlc2xvbmdzZWNyZXRrZXltdXN0cHJvdmlkZWQ= \
  --sse-customer-key-md5 7PpPLAK26ONlVUGOWlusfg== \
  --body ~/my-diary.txt 

In this example, a local Minio server is running on https://localhost:9000 with a self-signed certificate. TLS certificate verification is skipped using: --no-verify-ssl. If a Minio server uses a CA-signed certificate, then --no-verify-ssl should not be included, otherwise aws-cli would accept any certificate.

2.4 Display Object Information

Specify the correct SSE-C key of an encrypted object to display its metadata:

aws s3api head-object \
  --no-verify-ssl \
  --endpoint-url https://localhost:9000 \
  --bucket my-bucket \
  --key my-secret-diary \
  --sse-customer-algorithm AES256 \
  --sse-customer-key MzJieXRlc2xvbmdzZWNyZXRrZXltdXN0cHJvdmlkZWQ= \
  --sse-customer-key-md5 7PpPLAK26ONlVUGOWlusfg==

2.5 Download an Object

The following examples show how a local copy of a file can be removed and then restored by downloading it from the server:

Delete your local copy of my-diary.txt:

rm ~/my-diary.txt

Restore the file by downloading it from the server:

aws s3api get-object \
--no-verify-ssl \
--endpoint-url https://localhost:9000 \
--bucket my-bucket \
--key my-secret-diary \
--sse-customer-algorithm AES256 \
--sse-customer-key MzJieXRlc2xvbmdzZWNyZXRrZXltdXN0cHJvdmlkZWQ= \
--sse-customer-key-md5 7PpPLAK26ONlVUGOWlusfg== \
~/my-diary.txt

3. Security-Related Notes