Encrypt an Object

With the VMware Cloud Director Object Storage Extension S3 API, you can encrypt individual objects for security purposes.

A tenant administrator can enforce server-side encryption at the VMware Cloud Director organization level through the VMware Cloud Director Object Storage Extension user interface. Encryption settings that you specify per object through the VMware Cloud Director Object Storage Extension API override the organization-level configuration that is set in the user interface.

This procedure demonstrates how to encrypt an object using the SSE-C (server-side encryption with customer-provided keys) encryption type.

With SSE-C, you generate and manage your own encryption keys; the algorithm is fixed to AES-256. VMware Cloud Director Object Storage Extension encrypts the object data as it writes the data to disk in the data center and decrypts the data when you access it.

When you upload an object, you supply the encryption key in the request headers. VMware Cloud Director Object Storage Extension uses that key to encrypt your data with AES-256.

Only the object data is encrypted, not the object metadata, so do not put sensitive values in metadata.

When you retrieve the object, you supply the same key in the request. VMware Cloud Director Object Storage Extension verifies that the key matches the key used for the object upload and, if it matches, decrypts the object and returns the data to you. Because the key travels in the request, send SSE-C requests only over TLS.

Prerequisites

Procedure

  1. Upload and encrypt an object using your own encryption key.
    Add the following three headers to the VMware Cloud Director Object Storage Extension S3 API request:
    x-amz-server-side-encryption-customer-algorithm
        Specifies the encryption algorithm. For SSE-C, the value is AES256.
    x-amz-server-side-encryption-customer-key
        Specifies the encryption key: the 256-bit (32-byte) key, base64-encoded. The same key is used to encrypt and to decrypt the object.
    x-amz-server-side-encryption-customer-key-MD5
        The 128-bit MD5 digest of the raw key, base64-encoded. The service uses it to verify that the key was not corrupted in transit.
    If you use path-style requests, use the following format for your request:
    PUT https://cloud-object-storage.example.com:8443/api/v1/s3/bucket-name/object-name
    If you use virtual hosted-style requests, use the following format for your request:
    PUT https://bucket-name.s3.cloud-object-storage.example.com:8443/object-name
    Upon a successful upload and encryption, the system returns a 200 OK message.
  2. Access the encrypted object.
    To access an encrypted object, provide the encryption key by sending the same three headers that you used when uploading and encrypting the object.
    You can access the object using one of the following methods:
    If you do not provide the encryption key, the system returns a 401 Unauthorized message.
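The following Python is an added example, not code from VMware or from the product documentation. It covers both the SSE-C description above and the two procedure steps: it generates a 256-bit key, builds the three headers for the PUT and the GET, constructs the path-style and virtual hosted-style URLs, and runs a local check that mirrors the key-digest verification the service performs on receipt. The host name, bucket name and object name are placeholders, and the S3 request-signing headers are assumed to be added by your usual signer.

```python
"""Client-side helpers for SSE-C requests to an S3-compatible endpoint.
Standard library only. Added example; host, bucket and object names are
placeholders, not values from a real deployment."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import urllib.request
from typing import Optional

# Assumed endpoint host and port (hypothetical), matching the URL forms above.
HOST = "cloud-object-storage.example.com:8443"
PATH_STYLE_BASE = f"https://{HOST}/api/v1/s3"

HDR_ALGO = "x-amz-server-side-encryption-customer-algorithm"
HDR_KEY = "x-amz-server-side-encryption-customer-key"
HDR_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def generate_key() -> bytes:
    """Fresh 256-bit key from the OS CSPRNG. Keep it safe yourself: SSE-C
    requires you to present it again on every GET, so losing it loses the data."""
    return secrets.token_bytes(32)


def sse_c_headers(key: bytes) -> dict:
    """Build the three SSE-C headers used for both the PUT and the GET.

    Rejects anything that is not exactly 32 bytes (the AES-256 key size), so a
    truncated key or a hex string passed instead of raw bytes fails here rather
    than at the server. The MD5 value is a transport integrity check on the
    key, not a secret and not a security primitive.
    """
    if len(key) != 32:
        raise ValueError(f"SSE-C key must be 32 bytes, got {len(key)}")
    return {
        HDR_ALGO: "AES256",
        HDR_KEY: base64.b64encode(key).decode("ascii"),
        HDR_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def key_md5_matches(headers: dict) -> bool:
    """Recompute the MD5 header from the key header, as the service does on
    receipt. False means the key or its digest was altered or truncated."""
    try:
        key = base64.b64decode(headers[HDR_KEY], validate=True)
        expected = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, headers.get(HDR_KEY_MD5, ""))


def object_url(bucket: str, name: str, virtual_hosted: bool = False) -> str:
    """Path-style or virtual hosted-style object URL, per the two forms above."""
    if virtual_hosted:
        return f"https://{bucket}.s3.{HOST}/{name}"
    return f"{PATH_STYLE_BASE}/{bucket}/{name}"


def build_request(method: str, bucket: str, name: str, key: bytes,
                  body: Optional[bytes] = None) -> urllib.request.Request:
    """PUT or GET request carrying the SSE-C headers. The S3 authentication
    headers (Authorization, x-amz-date, ...) come from your signer and are
    assumed to be added separately; never log the assembled headers, since
    they contain the key."""
    if method not in ("PUT", "GET"):
        raise ValueError("this example supports PUT and GET only")
    return urllib.request.Request(object_url(bucket, name), data=body,
                                  headers=sse_c_headers(key), method=method)


if __name__ == "__main__":
    # Round trip against a live endpoint: needs network, TLS and signing.
    k = generate_key()
    put = build_request("PUT", "bucket-name", "object-name", k,
                        b"constructed sample payload")
    get = build_request("GET", "bucket-name", "object-name", k)
    for req in (put, get):
        with urllib.request.urlopen(req) as resp:   # 200 OK on success
            print(req.get_method(), resp.status)
```

The GET carries exactly the same three headers as the PUT; a GET without them is the "no key provided" case the step above describes. The service never receives the key outside these headers, so the key-management burden, including backup and rotation by re-uploading, sits entirely with you.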