S3Express: Amazon S3 Command Line Utility

Amazon S3 command line utility for Windows. Copy, query, backup multiple files to S3 using the Windows command line.

S3Express FAQ and Knowledge Base

How to make a backup to S3 more secure using encryption

File encryption can optionally be used to make a backup to S3 more secure.

S3Express already automatically encrypts files while they are in transit to and from the Amazon S3 servers. In addition, files can be stored encrypted on the Amazon S3 servers (i.e. at rest).


S3Express provides two types of encryption: server-side encryption and client-side encryption.


Server-Side encryption is about data encryption at rest, that is, Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. Amazon S3 manages encryption and decryption for you. For example, if you share your objects using a pre-signed URL, the pre-signed URL works the same way for both encrypted and unencrypted objects.

Amazon S3 Server Side Encryption employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 Server Side Encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

When you upload one or more objects with S3Express, you can explicitly specify in your request whether you want Amazon S3 to save your object data encrypted. To do so, use the -e flag of the S3Express PUT command. Server-side encryption is optional, so your bucket might contain both encrypted and unencrypted objects.


With Client-Side encryption, you add an extra layer of security by encrypting data locally before uploading the files to Amazon S3. Client-side encryption and server-side encryption can be combined and used together. In S3Express, client-side encryption is provided by AesCrypt.exe; see the -le flag of the PUT command.
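
Because both kinds of encryption are optional per upload, a bucket can end up with a mix of protected and unprotected objects. The following is an added example, not part of S3Express or its documentation, that classifies each object by the layers actually present. It assumes object metadata shaped like a boto3 head_object() response and that client-side encrypted files carry the AES Crypt file header (the bytes "AES" followed by a version byte); the sample data is constructed.

```python
from typing import Optional

AESCRYPT_MAGIC = b"AES"  # AES Crypt files begin with these 3 bytes, then a version byte


def aescrypt_version(first_bytes: bytes) -> Optional[int]:
    """Return the AES Crypt format version byte, or None if the header is absent."""
    if len(first_bytes) >= 4 and first_bytes[:3] == AESCRYPT_MAGIC:
        return first_bytes[3]
    return None


def classify(head: dict, first_bytes: bytes) -> str:
    """head: metadata shaped like a boto3 head_object() response (assumption);
    first_bytes: start of the object body, e.g. fetched with a ranged GET."""
    server = bool(head.get("ServerSideEncryption"))  # present only when stored encrypted
    client = aescrypt_version(first_bytes) is not None  # heuristic: header check only
    if server and client:
        return "client+server"
    if server:
        return "server-only"
    return "client-only" if client else "unencrypted"


def audit(objects: dict, require_client: bool = False) -> list:
    """Return the sorted keys that do not meet the backup's encryption policy."""
    ok = {"client+server", "client-only"}
    if not require_client:
        ok.add("server-only")
    return sorted(key for key, (head, body) in objects.items()
                  if classify(head, body) not in ok)


# Constructed sample data (hypothetical keys, not real bucket contents).
SAMPLE = {
    "backup/a.zip": ({"ServerSideEncryption": "AES256"}, b"PK\x03\x04\x14\x00"),
    "backup/b.zip.aes": ({"ServerSideEncryption": "AES256"}, b"AES\x02\x00\x00"),
    "backup/c.txt": ({}, b"plain text"),
    "backup/d.db.aes": ({}, b"AES\x02\x00\x00"),
}

if __name__ == "__main__":
    for key, (head, body) in SAMPLE.items():
        print(f"{key}: {classify(head, body)}")
    print("no encryption at rest:", audit(SAMPLE))
    print("missing client-side layer:", audit(SAMPLE, require_client=True))
```

The header check only shows that a file looks like AES Crypt output; it does not prove the file decrypts with the expected password.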



 For further queries, please contact us by e-mail at support@s3express.com