Server-Side Encryption Overview

Server-side encryption is the encryption of data at its destination by the application or service that receives it.

Tebi encrypts your data at the object level as it writes it to disks, and decrypts the data for you when you access it. As long as you authenticate your request and have access permissions, there is no difference in the way you access encrypted or unencrypted objects.

For example, if you share your objects using a presigned URL, that URL works the same way for both encrypted and unencrypted objects. Additionally, when you list objects in your bucket, the list API returns a list of all objects, regardless of whether they are encrypted.

You have two mutually exclusive options, depending on how you choose to manage the encryption keys.

Server-Side Encryption with Tebi-Managed Keys (SSE-S3)

When you use server-side encryption with Tebi-Managed Keys (SSE-S3), each object is encrypted with a unique key. Tebi server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

Server-Side Encryption with Customer-Provided Keys (SSE-C)

With server-side encryption with Customer-Provided Keys (SSE-C), you manage the encryption keys. Tebi manages the encryption as it writes to disks, and decryption when you access your objects. Tebi does not store keys provided by the customer, and your data cannot be decrypted if you lose your keys.
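The two options above, expressed as request headers in an added example (not Tebi's own code). It assumes Tebi accepts the standard S3 API encryption headers, which this page does not list; the function names are hypothetical.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional

KEY_BYTES = 32  # AES-256 uses a 256-bit key


def new_sse_c_key() -> bytes:
    """Random 256-bit key. Store it yourself: the service keeps no copy."""
    return secrets.token_bytes(KEY_BYTES)


def sse_s3_headers() -> Dict[str, str]:
    """SSE-S3: ask the service to encrypt with keys it manages."""
    return {"x-amz-server-side-encryption": "AES256"}


def sse_c_headers(key: bytes) -> Dict[str, str]:
    """SSE-C: the key travels with the request, so use HTTPS only.

    In the S3 API the same three headers are sent again on every
    GET or HEAD of the object (assumed to hold for Tebi as well).
    """
    if len(key) != KEY_BYTES:
        raise ValueError("SSE-C key must be exactly 32 bytes")
    # MD5 here is a transmission check on the key, not a security control.
    digest = hashlib.md5(key).digest()
    prefix = "x-amz-server-side-encryption-customer-"
    return {
        prefix + "algorithm": "AES256",
        prefix + "key": base64.b64encode(key).decode("ascii"),
        prefix + "key-MD5": base64.b64encode(digest).decode("ascii"),
    }


def encryption_headers(mode: str, key: Optional[bytes] = None) -> Dict[str, str]:
    """Pick exactly one option; the two are mutually exclusive."""
    if mode == "SSE-S3":
        if key is not None:
            raise ValueError("SSE-S3 takes no customer key")
        return sse_s3_headers()
    if mode == "SSE-C":
        if key is None:
            raise ValueError("SSE-C requires a customer key")
        return sse_c_headers(key)
    raise ValueError("unknown mode: " + mode)
```

Pass the returned dictionary as extra headers on the upload request; for SSE-C, keep the key in your own secret store, because an object written with it cannot be read back without it.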