Enabling CSE-KMS

To enable CSE-KMS, the property fs.s3a.server-side-encryption-algorithm must be set to CSE-KMS in core-site.xml.

  • Create an AWS KMS key for your bucket in the AWS console, in the same region as the storage bucket, and note its key ID.
  • If the key already exists, view its KMS key ID by following these steps.
  • Set fs.s3a.server-side-encryption-algorithm=CSE-KMS.
  • Set fs.s3a.server-side-encryption.key=<KMS_KEY_ID>.
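
A quick way to confirm the steps above took effect, as an added example that is not part of the original documentation: it parses a core-site.xml document, checks both properties, and compares the key's region with the bucket's region when the key is given as an ARN. The sample file, account number, key ID and the helper names load_props and check_cse_kms are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ALGO_PROP = "fs.s3a.server-side-encryption-algorithm"
KEY_PROP = "fs.s3a.server-side-encryption.key"

# Constructed sample core-site.xml; the account number and key ID are placeholders.
SAMPLE = """<configuration>
  <property>
    <name>fs.s3a.server-side-encryption-algorithm</name>
    <value>CSE-KMS</value>
  </property>
  <property>
    <name>fs.s3a.server-side-encryption.key</name>
    <value>arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab</value>
  </property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop config document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_cse_kms(xml_text, bucket_region):
    """Return (level, message) findings; no 'error' entries means both settings are in place."""
    props, findings = load_props(xml_text), []
    algo, key = props.get(ALGO_PROP, ""), props.get(KEY_PROP, "")
    if algo != "CSE-KMS":
        findings.append(("error", f"{ALGO_PROP} is {algo!r}, expected 'CSE-KMS'"))
    if not key:
        findings.append(("error", f"{KEY_PROP} is not set"))
    elif key.startswith("arn:"):
        # Key ARN layout: arn:<partition>:kms:<region>:<account>:key/<id>
        parts = key.split(":", 5)
        if len(parts) != 6 or parts[2] != "kms":
            findings.append(("error", f"{KEY_PROP} is not a KMS key ARN"))
        elif parts[3] != bucket_region:
            findings.append(("error", f"key region {parts[3]} != bucket region {bucket_region}"))
    else:
        # A bare key ID carries no region, so the match cannot be checked offline.
        findings.append(("warn", "key ID has no region; confirm it matches the bucket"))
    return findings

if __name__ == "__main__":
    print(check_cse_kms(SAMPLE, "us-east-1") or "CSE-KMS settings look consistent")
```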