Enabling Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

If you are using Amazon S3 buckets with Server Side Encryption (SSE) disabled at the bucket policy level, you can optionally instruct Commvault software to write SSE-S3 or SSE-KMS encrypted objects.

Note

Reading encrypted data is transparent to Commvault software, as long as the required access to KMS key is granted.

Procedure

  • Apply the following additional settings to your MediaAgents and/or Access Nodes performing read/write activities to your Amazon S3 encrypted cloud storage.

    For instructions about adding an additional setting from the CommCell Console, see Adding an Additional Setting from the CommCell Console.

Additional Setting

Category

Type

Value

nCloudS3ServerSideEncryption

MediaAgent

Integer

Enter one of the following values:

  • 0: Do not use Server-Side Encryption (default)

  • 1: Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

  • 2: Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS).

    Use MediaAgent/sCloudS3ServerSideEncryptionKMSKeyID to set the KMS key.

sCloudS3ServerSideEncryptionKMSKeyID

MediaAgent

String

Use this key to set the KMS key ID, when the value of nCloudS3ServerSideEncryption is set to 2.

Create the key from AWS console and get the KMS key ID.

If this key is not set, the default AWS KMS key will be used.

Loading...