Enabling SSE-KMS
To enable SSE-KMS, the property fs.s3a.server-side-encryption-algorithm
must be set to SSE-KMS
in core-site.xml
:
<property> <name>fs.s3a.server-side-encryption-algorithm</name> <value>SSE-KMS</value> </property>
The ID of the specific key used to encrypt the data should also be set in the
property fs.s3a.server-side-encryption.key
:
<property> <name>fs.s3a.server-side-encryption.key</name> <value>arn:aws:kms:us-west-2:360379543683:key/071a86ff-8881-4ba0-9230-95af6d01ca01</value> </property>
If your account is set up set up with a default KMS key and
fs.s3a.server-side-encryption.key
is unset, the default key will be
used.
Alternatively, organizations may define a default key in the Amazon KMS; if a
default key is set, then it will be used whenever SSE-KMS encryption is chosen and the
value of fs.s3a.server-side-encryption.key
is empty.
Note | |
---|---|
AWS Key Management Service (KMS) is pay-per-use, working with data encrypted via KMS keys incurs extra charges during data I/O. |
To learn more, refer to Protecting Data Using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) in the AWS documentation.