This diagram shows the two-step encryption process when using SSE-C:
Let's understand the process:
- The client uploads the object(s) to S3, along with the customer-provided key, across a Hypertext Transfer Protocol Secure (HTTPS) connection. If SSE-C is being used and HTTPS is not used during the uploads, then it will fail and reject the communication. The channel needs to be encrypted as the key is being sent with the object.
- S3 will then take the customer-provided key and the object and perform the encryption of the object. In addition to this, S3 will generate a salted HMAC value of the customer key to enable the validation of future access requests. This HMAC value and the encrypted object are then stored in S3 with an association to each other. Again, the plaintext customer-provided key is then removed from memory.
This diagram shows the four-step decryption process when using SSE-C:
Let's understand...