Encryption Method

ARTIFACTORY: How should I switch to use the Amazon S3 Official SDK?

Author: Noa Shechter
Article number: 000005831
Source type: Salesforce
First published: 2023-07-24T13:14:57Z
Last modified: 2023-07-24
Version: 7
In contrast to JetS3t, the new SDK supports SSE-KMS encryption on the AWS side instead of the AES256 encryption used with JetS3t. SSE-S3 (Server-Side Encryption with Amazon S3-managed keys, using AES256; referred to below simply as AES256) and SSE-KMS (Server-Side Encryption with AWS Key Management Service) are both encryption options offered by Amazon Web Services (AWS) to secure data at rest in AWS services.

SSE-S3 uses the AES-256 encryption algorithm to encrypt data at rest, and AWS manages the keys entirely. SSE-KMS also uses AES-256 encryption but gives you more control over the encryption keys: it leverages AWS Key Management Service (KMS) to manage them.

In the context of server-side encryption in AWS, AWS takes responsibility for encrypting the data during upload and decrypting it during download. AWS also maintains metadata on the object to determine the encryption method used. As a result, Artifactory remains independent of the specific encryption method employed since the encryption and decryption processes occur on the AWS S3 side of the transaction.

It's worth noting the significance of the <server-side-encryption-aws-kms> configuration flag. When this flag is set to true, a metadata field is added to the uploaded object, instructing S3 to encrypt it using the default AWS-managed KMS key for S3. Alternatively, you can specify the encryption key ID or alias instead of using "true".

Even though this configuration requests SSE-KMS encryption, you can still upload and download objects with the SSE-KMS scheme and, with the same configuration, retrieve objects that were encrypted earlier using SSE-S3 (AES256).
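The following added example (not code from the JFrog article or from Artifactory itself) reads the <server-side-encryption-aws-kms> value out of a binarystore.xml fragment and shows which S3 request headers each value corresponds to: no header when the flag is absent or false (so the bucket's own default encryption, if any, applies), aws:kms with the AWS-managed S3 key when it is true, and aws:kms plus an explicit key reference when a key ID, alias or ARN is given. The surrounding <provider> layout, the header mapping and all bucket, region and key values are assumptions or constructed placeholders; only the flag name comes from the article.

```python
"""Added example (not from the JFrog article or the Artifactory code base):
read <server-side-encryption-aws-kms> from a binarystore.xml fragment and
show the S3 server-side-encryption headers that value corresponds to.
The provider layout and the flag-to-header mapping are assumptions."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed binarystore.xml fragment; bucket and region are placeholders.
BINARYSTORE_XML = """<config version="2">
    <chain template="s3-storage-v3-direct"/>
    <provider id="s3-storage-v3" type="s3-storage-v3">
        <bucketName>example-bucket</bucketName>
        <region>eu-west-1</region>
        <server-side-encryption-aws-kms>{flag}</server-side-encryption-aws-kms>
    </provider>
</config>"""

# Accepted KMS key references: key ARN or alias ARN, alias name, or bare key ID.
KMS_KEY_RE = re.compile(
    r"^(arn:aws[\w-]*:kms:[^:]*:\d{12}:(key|alias)/.+"
    r"|alias/.+"
    r"|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def read_kms_flag(xml_text: str) -> Optional[str]:
    """Return the text of <server-side-encryption-aws-kms>, or None if absent."""
    root = ET.fromstring(xml_text)
    el = root.find(
        "./provider[@type='s3-storage-v3']/server-side-encryption-aws-kms"
    )
    if el is None or el.text is None:
        return None
    return el.text.strip()


def sse_headers(flag: Optional[str]) -> Dict[str, str]:
    """Map the flag value to the SSE headers an upload would carry.

    None / "false" -> no SSE header; the bucket default (if any) applies.
    "true"         -> aws:kms without a key ID, i.e. the AWS-managed S3 key.
    anything else  -> aws:kms with that key ID, alias or ARN.
    """
    if flag is None or flag.lower() == "false":
        return {}
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if flag.lower() == "true":
        return headers
    if not KMS_KEY_RE.match(flag):
        # Catch typos before they reach S3 and surface as upload failures.
        raise ValueError(f"unrecognised KMS key reference: {flag!r}")
    headers["x-amz-server-side-encryption-aws-kms-key-id"] = flag
    return headers


def headers_for(flag_value: str) -> Dict[str, str]:
    """Convenience wrapper: render the fragment with `flag_value`, then map it."""
    return sse_headers(read_kms_flag(BINARYSTORE_XML.format(flag=flag_value)))


if __name__ == "__main__":
    # Constructed alias name; substitute your own key reference.
    for value in ("false", "true", "alias/artifactory-binaries"):
        print(value, "->", headers_for(value))
```

The key-reference check is deliberately strict: a value that is neither a boolean nor a recognisable KMS key ID, alias or ARN is rejected locally rather than being sent to S3, where the resulting error would only appear at upload time.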

To illustrate, if you enable KMS encryption for your bucket, you can use the following definition within the bucket:

[Image: the bucket's default encryption definition, not reproduced here]

If you are uncertain about the encryption method you have employed, you can execute the following command:
aws s3api get-bucket-encryption --bucket <bucket name>

The anticipated output for KMS encryption will be:
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:XXXXXX"
                },
                "BucketKeyEnabled": true
            }
        ]
    }
}

When KMS encryption is used, the MD5 checksum computed on the Artifactory side is encrypted on the AWS side, so the ETag reported on the bucket side will differ from that MD5.

If you do not use KMS encryption, the MD5 checksum will be identical to the ETag. Please note that Artifactory remains unaffected by these changes, and the transition from AES256 to KMS encryption is seamless. Enabling the KMS flag on the Artifactory side without configuring KMS on the bucket side will not have any impact either.
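To make the two checks above concrete, here is an added example (not code from the JFrog article or from Artifactory) that first classifies the default encryption rule from `aws s3api get-bucket-encryption` output and then decides whether an object's ETag can be compared against the MD5 that Artifactory holds. It generalises slightly beyond the article: besides SSE-KMS, S3 also reports a non-MD5 ETag for SSE-C objects and for multipart uploads (ETag ending in "-<parts>"), so the check treats those the same way. All JSON and head-object responses are constructed to mirror the shapes the AWS CLI prints; the key ARN is a placeholder.

```python
"""Added example (not from the JFrog article): interpret the bucket's
default encryption rule and decide whether an object's ETag is a usable
MD5 for comparison with Artifactory's checksum. All responses below are
constructed; the KMS key ARN is a placeholder."""
import hashlib
import json

# Constructed `aws s3api get-bucket-encryption` output for a bucket that
# defaults to SSE-KMS (same shape as the article's expected output).
BUCKET_ENCRYPTION_KMS = json.dumps({
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:XXXXXX",
            },
            "BucketKeyEnabled": True,
        }]
    }
})

# Constructed output for a bucket that defaults to SSE-S3 (AES256).
BUCKET_ENCRYPTION_SSE_S3 = json.dumps({
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
            "BucketKeyEnabled": False,
        }]
    }
})


def default_encryption(get_bucket_encryption_json: str) -> dict:
    """Summarise the default rule as {"mode": SSE-KMS|SSE-S3|none, "key": ...}."""
    doc = json.loads(get_bucket_encryption_json)
    rules = doc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        algo = default.get("SSEAlgorithm")
        if algo == "aws:kms":
            return {"mode": "SSE-KMS", "key": default.get("KMSMasterKeyID")}
        if algo == "AES256":
            return {"mode": "SSE-S3", "key": None}
    return {"mode": "none", "key": None}


def etag_is_content_md5(head_object: dict) -> bool:
    """True only when S3's ETag is the MD5 of the stored bytes.

    S3 does not use the content MD5 as ETag for SSE-KMS or SSE-C objects,
    nor for multipart uploads (ETag carries a "-<parts>" suffix).
    """
    etag = head_object.get("ETag", "").strip('"')
    if head_object.get("ServerSideEncryption") == "aws:kms":
        return False
    if "SSECustomerAlgorithm" in head_object:
        return False
    if "-" in etag:
        return False
    return len(etag) == 32


def check_object(content: bytes, head_object: dict) -> str:
    """Compare the MD5 Artifactory would hold for `content` with the ETag.

    "match"        -> ETag equals the MD5 (SSE-S3 or unencrypted, single part)
    "mismatch"     -> ETag should be the MD5 but is not: investigate
    "etag-not-md5" -> expected for SSE-KMS; verify the checksum another way
    """
    if not etag_is_content_md5(head_object):
        return "etag-not-md5"
    md5 = hashlib.md5(content).hexdigest()
    return "match" if md5 == head_object["ETag"].strip('"') else "mismatch"


# Constructed artifact bytes and the head-object responses S3 would return.
CONTENT = b"constructed artifact bytes"
CONTENT_MD5 = hashlib.md5(CONTENT).hexdigest()
HEAD_SSE_S3 = {"ETag": f'"{CONTENT_MD5}"', "ServerSideEncryption": "AES256"}
HEAD_SSE_KMS = {
    "ETag": '"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"',  # constructed, not an MD5
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:XXXXXX",
}
HEAD_MULTIPART = {"ETag": '"d41d8cd98f00b204e9800998ecf8427e-3"'}

if __name__ == "__main__":
    print(default_encryption(BUCKET_ENCRYPTION_KMS))
    print(check_object(CONTENT, HEAD_SSE_S3), check_object(CONTENT, HEAD_SSE_KMS))
```

The practical reading: an ETag/MD5 difference on a KMS-encrypted bucket is the expected state the article describes, not a sign of corruption, whereas the same difference on an AES256 (SSE-S3) single-part object is worth investigating.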