Enabling SSE-C
To use SSE-C, the configuration option
fs.s3a.server-side-encryption-algorithm
must be set to
SSE-C
, and a base-64 encoding of the key placed in
fs.s3a.server-side-encryption.key
.
<property> <name>fs.s3a.server-side-encryption-algorithm</name> <value>SSE-C</value> </property> <property> <name>fs.s3a.server-side-encryption.key</name> <value>RG8gbm90IGV2ZXIgbG9nIHRoaXMga2V5IG9yIG90aGVyd2lzZSBzaGFyZSBpdA==</value> </property>
This property can be set in a Hadoop JCEKS credential file, which is significantly more secure than embedding secrets in the XML configuration file.