Enabling CSE-KMS

To enable CSE-KMS, the property fs.s3a.server-side-encryption-algorithm must be set to CSE-KMS in core-site.xml.

  • Generate an AWS KMS key ID for your bucket from the AWS console, in the same region as the storage bucket.
  • If the key has already been created, view the KMS key ID following these steps.
  • Set fs.s3a.server-side-encryption-algorithm=CSE-KMS.
  • Set fs.s3a.server-side-encryption.key=<KMS_KEY_ID>.

<property>
    <name>fs.s3a.server-side-encryption-algorithm</name>
    <value>CSE-KMS</value>
</property>

<property>
    <name>fs.s3a.server-side-encryption.key</name>
    <value>${KMS_KEY_ID}</value>
</property>
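
A pre-deployment check for the two settings above, as an added example that is not part of the original documentation: it parses a core-site.xml, confirms both properties are set, and, when the key is given as a full KMS key ARN, compares the ARN's region with the bucket's region. The function name `check_cse_kms`, the sample XML, and the account number and key ID in the sample ARN are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ALGORITHM = "fs.s3a.server-side-encryption-algorithm"
KEY = "fs.s3a.server-side-encryption.key"
# KMS key ARN layout: arn:<partition>:kms:<region>:<account>:key/<id>
ARN_RE = re.compile(r"^arn:[^:]+:kms:([^:]+):\d{12}:key/.+$")


def check_cse_kms(core_site_xml, bucket_region):
    """Return a list of problems found in the CSE-KMS settings (empty = OK)."""
    root = ET.fromstring(core_site_xml)
    props = {}
    for p in root.iter("property"):
        name = (p.findtext("name") or "").strip()
        props[name] = (p.findtext("value") or "").strip()
    problems = []
    if props.get(ALGORITHM) != "CSE-KMS":
        problems.append(f"{ALGORITHM} is {props.get(ALGORITHM)!r}, expected 'CSE-KMS'")
    key = props.get(KEY, "")
    if not key:
        problems.append(f"{KEY} is not set")
    elif "${" in key or key.startswith("<"):
        # This static check cannot expand variables, so report for manual review.
        problems.append(f"{KEY} holds an unexpanded reference or placeholder: {key}")
    else:
        m = ARN_RE.match(key)
        # A bare key ID carries no region, so only full ARNs can be compared.
        if m and m.group(1) != bucket_region:
            problems.append(f"key region {m.group(1)} differs from bucket region {bucket_region}")
    return problems


# Constructed sample: key ARN in us-east-1 (account and key ID are made up).
SAMPLE = """<configuration>
  <property>
    <name>fs.s3a.server-side-encryption-algorithm</name>
    <value>CSE-KMS</value>
  </property>
  <property>
    <name>fs.s3a.server-side-encryption.key</name>
    <value>arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab</value>
  </property>
</configuration>"""

if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        print(region, check_cse_kms(SAMPLE, region) or "OK")
```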