Enable Server Side Encryption

Server-Side Encryption (SSE) protects objects as part of write operations, allowing clients to take advantage of server processing power to secure objects at the storage layer (encryption-at-rest). SSE also provides key functionality for regulatory and compliance requirements around secure locking and erasure.

AIStor includes support for deploying AIStor Key Manager as a dedicated root Key Management Service (KMS) with direct integration. Key Manager provides equivalent functionality to other third-party KMS solutions for managing root/external encryption keys in support of encryption operations.

You can also use a supported external key manager with MinIO’s Key Encryption Service.

AIStor requires access to the encryption key and external Key Management System (KMS) as part of SSE operations to decrypt an object. You can securely erase and lock objects by disabling access to the encryption key or KMS used for encryption.

General strategies include, but are not limited to:

• Seal the encryption key such that it cannot be accessed by AIStor anymore. This locks all SSE-KMS or SSE-S3 encrypted objects protected by any encryption key stored in the KMS. The encrypted objects remain unreadable as long as the KMS remains sealed.

• Seal/Unmount an encryption key. This locks all SSE-KMS or SSE-S3 encrypted objects protected by the key. The encrypted objects remain unreadable as long the key remains sealed.

• Delete an encryption key. This renders all SSE-KMS or SSE-S3 encrypted objects protected by the key as permanently unreadable. The combination of deleting a key and deleting the data may fulfill regulatory requirements around secure deletion of data.

  Deleting a key is typically irreversible. Exercise extreme caution before intentionally deleting a master key.

AIStor SSE is feature and API compatible with AWS Server-Side Encryption and supports the following encryption strategies: