Files in the bucket before encryption is enabled are not encrypted. Once encryption (SSE-B2) is enabled (via API or web application) on a bucket, only files uploaded into (or copied into) that bucket from that point forward will be encrypted. Please note that the APIs allow you to enable encryption (SSE-B2 or SSE-C) at an individual file level. Either via API or web application, encryption may be enabled at the time a bucket is created or at a later date.
There are nominal charges for using the Class C API calls to enable / disable / read encryption on a bucket. No extra cost to encrypt your data, however, you are responsible for the normal charges associated with storing the encrypted file. As a result, if you lose the encryption key for a file encrypted with SSE-C, Backblaze will not be able to recover your key or decrypt the data.ĭoes SSE with Backblaze work the same way as it does with AWS?įrom a functionality standpoint, SSE-B2 and SSE-C with Backblaze B2 Cloud Storage work the same way as they do with AWS. Backblaze does not store the encryption key for SSE-C files instead, it stores a secure hash value that is used to validate future requests, but which can’t be used to derive the original encryption key or decrypt your file. If you use SSE-C to encrypt a file, then you must manage and protect your encryption keys yourself. After a file has been uploaded, the only time your data is decrypted is when you access the file (e.g., downloading or copying the file via API calls). With either SSE-B2 or SSE-C, Backblaze B2 Server-Side Encryption encrypts your file data at rest, but not the file metadata.
SSE-C encrypts each file using a unique encryption key each file’s encryption key is additionally encrypted with the AES-256 encryption key that you manage. SSE-B2 encrypts each file using a unique encryption key each file’s encryption key is additionally encrypted with a global key before being saved to decrypt the data when each file is accessed. The options are Server-Side Encryption with Backblaze-Managed Keys (SSE-B2) and Server-Side Encryption with Customer-Managed Keys (SSE-C). Both options use an extensively-tested and widely-trusted block cipher, 256-bit Advanced Encryption Standard (AES-256), to encrypt the data at rest. You have two options for encrypting data with Backblaze B2 Server-Side Encryption. Files that are encrypted using server-side encryption may be accessed using the same API calls as other B2 files (using either our B2 Native API or the S3 Compatible API). Server-side encryption protects your data by encrypting it before it is stored on disk by Backblaze B2 Cloud Storage.
0 kommentar(er)
