# Server-Side Encryption

* Server-side encryption is the **encryption of data at its destination by the application or service that receives it**.<br>
* **S3 encrypts your data at the object level as it writes it to disks in its data centres and decrypts it for you when you access it**.<br>
* As long as you authenticate your request and you have access permissions, there is **no difference in the way you access encrypted or unencrypted objects**: decryption is transparent, so server-side encryption protects data at rest (disks, backups, discarded media) but not against a principal that is allowed to call `GetObject`.<br>
* You **can't apply different types of server-side encryption to the same object simultaneously**.

## Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) <a href="#usingserversideencryption" id="usingserversideencryption"></a>

* **Each object is encrypted with a unique key**.
  * It also **encrypts the key itself with a master key that it regularly rotates**.<br>
* It **uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data**.<br>
* **If you need server-side encryption for all of the objects that are stored in a bucket, use a bucket policy** that denies `s3:PutObject` requests lacking the encryption header, or set the bucket's default encryption (since January 2023 S3 applies SSE-S3 to every new object by default, so the policy mainly matters when you want to enforce SSE-KMS or a specific key).<br>
* **Must set the following request header on each PUT (or rely on the bucket default):**
  * `x-amz-server-side-encryption: AES256`
  * The matching bucket-policy condition key is `s3:x-amz-server-side-encryption`, with the value `AES256`.
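The bucket-policy pattern the bullets above refer to, as an added example (it is not code from the original page or from AWS). `require_sse_policy` builds the documented two-statement Deny policy, and `enforced_algorithms` audits an arbitrary policy document for that pattern, the check you would run across an account to find buckets that only half-enforce encryption. The bucket name is a placeholder; only the standard library is used.

```python
"""Build and audit an S3 bucket policy that requires server-side encryption.

Added example, not from the original page or from AWS. The policy is plain
JSON, so no AWS SDK is needed; "example-bucket" is a placeholder name.
"""
import json
from typing import Union

CONDITION_KEY = "s3:x-amz-server-side-encryption"


def require_sse_policy(bucket: str, algorithm: str = "AES256") -> dict:
    """Return a bucket policy that rejects PutObject unless the request
    carries x-amz-server-side-encryption with the wanted value.

    Two Deny statements are used, as in the AWS documentation: StringNotEquals
    rejects a wrong value, and Null rejects a request that omits the header.
    """
    arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"StringNotEquals": {CONDITION_KEY: algorithm}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": arn,
                "Condition": {"Null": {CONDITION_KEY: "true"}},
            },
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in most places; normalise."""
    return value if isinstance(value, list) else [value]


def _denies_put(stmt: dict) -> bool:
    # Only exact actions and the two broad wildcards are recognised here;
    # patterns such as "s3:Put*" are not expanded by this audit.
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return stmt.get("Effect") == "Deny" and bool(
        actions & {"s3:putobject", "s3:*", "*"}
    )


def enforced_algorithms(policy: Union[str, dict]) -> set:
    """Audit a policy (JSON string or parsed dict): return the set of SSE
    values it enforces on PutObject, i.e. values for which a StringNotEquals
    Deny exists AND a Null Deny catches uploads that omit the header.
    Returns an empty set when either half of the pattern is missing.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    wrong_value: set = set()
    denies_missing = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _denies_put(stmt):
            continue
        cond = stmt.get("Condition", {})
        for v in _as_list(cond.get("StringNotEquals", {}).get(CONDITION_KEY, [])):
            wrong_value.add(v)
        # The Null value may be the string "true" or a JSON boolean.
        if str(cond.get("Null", {}).get(CONDITION_KEY, "")).lower() == "true":
            denies_missing = True
    return wrong_value if denies_missing else set()


if __name__ == "__main__":
    doc = json.dumps(require_sse_policy("example-bucket", "aws:kms"), indent=2)
    print(doc)
    print("enforces:", enforced_algorithms(doc))
```

To apply the generated document with boto3 you would pass `json.dumps(policy)` as the `Policy` argument of `put_bucket_policy`; the audit function is the more useful half, because a policy that contains only the `StringNotEquals` statement looks encrypted-by-policy at a glance but still admits uploads that send no header at all.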

## Server-side encryption using AWS KMS CMKs (SSE-KMS) <a href="#usingkmsencryption" id="usingkmsencryption"></a>

* **Similar to SSE-S3**, but with some **additional benefits and charges for using this service**: every upload and download makes a KMS request, which S3 Bucket Keys reduce by deriving per-object data keys from a bucket-level key.<br>
* Amazon **S3 uses AWS KMS customer master keys (CMKs, now called KMS keys) to encrypt your Amazon S3 objects**.<br>
* SSE-KMS **provides you with an audit trail that shows when your CMK was used and by whom** (in AWS CloudTrail) and a second authorization gate: a reader needs `kms:Decrypt` on the key as well as `s3:GetObject`, so the key policy can restrict who can read the data independently of the bucket policy.<br>
* You **create and manage customer managed CMKs or use AWS managed CMKs** that are unique to you, your service, and your Region.<br>
* AWS **KMS is a service that combines secure, highly available hardware and software to provide a key management system** scaled for the cloud.<br>
* SSE-KMS **encrypts only the object data**.
  * Any **object metadata is not encrypted**, so keys, tags and user-defined metadata must not carry secrets.<br>
* When you use SSE-KMS encryption with an S3 bucket, the **AWS KMS CMK must be in the same Region as the bucket**.<br>
* **Must set the following request header:**
  * `x-amz-server-side-encryption: aws:kms`
  * Optionally `x-amz-server-side-encryption-aws-kms-key-id: <key ARN>`; without it S3 uses the AWS managed key `aws/s3` for the account and Region.

## Server-Side Encryption with Customer-Provided Keys (SSE-C)

* **You manage the encryption keys and S3 manages the encryption** as it writes to disks and the decryption when you access your objects.<br>
* **Server-side encryption encrypts only the object data, not the object metadata.**<br>
* Using SSE-C **allows you to set your own encryption keys**, supplied with every request: **S3 does not store the key**. It keeps only a randomly salted HMAC of the key to validate later requests, so **the same key must be sent on every GET, HEAD or copy of that object, and if you lose the key you lose the object**.<br>
* Therefore **you don't need to maintain any code to perform data encryption and decryption**; the only thing you do is manage (and safeguard) the keys you provide.<br>
* **Must set the following request headers:**
  * `x-amz-server-side-encryption-customer-algorithm: AES256`
  * `x-amz-server-side-encryption-customer-key: <base64 of the 256-bit key>`
  * `x-amz-server-side-encryption-customer-key-MD5: <base64 of MD5(key)>` (an integrity check on the transmitted key, not a secret)
* You **must use HTTPS**: the key travels in the request headers, and S3 rejects SSE-C requests made over plain HTTP.
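The request headers for all three modes (SSE-S3, SSE-KMS and SSE-C) side by side, as an added example rather than code from the page or from AWS. `sse_c_headers` derives the base64 key and key-MD5 values from a raw key, `sse_c_key_is_intact` performs the same integrity check S3 applies before accepting an SSE-C request, and `register_sse_c_key`/`key_matches` model how a server can validate a resubmitted key from a salted HMAC without ever storing the key (the real hash S3 uses is not documented; HMAC-SHA256 here is an assumption). The KMS key ARN and the key bytes are constructed placeholders.

```python
"""Request headers for the three S3 server-side encryption modes.

Added example, not code from the original page or from AWS. Header names are
the documented S3 REST headers; the KMS ARN and key material are placeholders.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SSE_HEADER = "x-amz-server-side-encryption"
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSEC_ALG = "x-amz-server-side-encryption-customer-algorithm"
SSEC_KEY = "x-amz-server-side-encryption-customer-key"
SSEC_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def sse_s3_headers() -> dict:
    """SSE-S3: S3 owns the key; the caller only names the cipher."""
    return {SSE_HEADER: "AES256"}


def sse_kms_headers(key_id: Optional[str] = None) -> dict:
    """SSE-KMS: omit key_id to use the AWS managed key aws/s3 of the Region."""
    headers = {SSE_HEADER: "aws:kms"}
    if key_id:
        headers[KMS_KEY_HEADER] = key_id
    return headers


def sse_c_headers(key: bytes) -> dict:
    """SSE-C: the raw 256-bit key travels base64-encoded in the request
    (which is why HTTPS is mandatory) with base64(MD5(key)) beside it so S3
    can detect a corrupted key before encrypting with it."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        SSEC_ALG: "AES256",
        SSEC_KEY: base64.b64encode(key).decode(),
        SSEC_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def sse_c_key_is_intact(headers: dict) -> bool:
    """The check S3 performs on an SSE-C request: both headers must decode
    and the MD5 header must equal MD5 of the decoded key."""
    try:
        key = base64.b64decode(headers[SSEC_KEY], validate=True)
        sent = base64.b64decode(headers[SSEC_KEY_MD5], validate=True)
    except (KeyError, ValueError):
        return False
    return len(key) == 32 and hashlib.md5(key).digest() == sent


def register_sse_c_key(key: bytes) -> Tuple[bytes, bytes]:
    """What a server can keep instead of the key: a random salt plus a keyed
    hash of the key. Assumption: S3 documents only "randomly salted HMAC";
    the hash function is not specified, HMAC-SHA256 is used here."""
    salt = os.urandom(16)
    return salt, hmac.new(salt, key, hashlib.sha256).digest()


def key_matches(record: Tuple[bytes, bytes], key: bytes) -> bool:
    """Validate a key resubmitted on a later GET against the stored record."""
    salt, tag = record
    return hmac.compare_digest(hmac.new(salt, key, hashlib.sha256).digest(), tag)


if __name__ == "__main__":
    customer_key = os.urandom(32)  # constructed key; in practice from your KMS/HSM
    print(sse_s3_headers())
    print(sse_kms_headers("arn:aws:kms:us-east-1:111122223333:key/example-id"))
    put_headers = sse_c_headers(customer_key)
    print(put_headers)
    record = register_sse_c_key(customer_key)
    print("intact:", sse_c_key_is_intact(put_headers), "matches:", key_matches(record, customer_key))
```

With boto3 the same values are passed to `put_object` and `get_object` as `ServerSideEncryption='AES256'`, `ServerSideEncryption='aws:kms'` plus `SSEKMSKeyId`, or `SSECustomerAlgorithm='AES256'` plus `SSECustomerKey` (the SDK computes the MD5 header for you). The `register_sse_c_key` record illustrates the operational point of the bullets: the server can reject a wrong key on a later read, but it cannot recover the right one, so key custody sits entirely with you.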

