Enabling SSE-KMS
To enable SSE-KMS, the property
fs.s3a.server-side-encryption-algorithm
must be set to SSE-KMS in
core-site.xml
.
<property>
<name>fs.s3a.server-side-encryption-algorithm</name>
<value>SSE-KMS</value>
</property>
The ID of the specific key used to encrypt the data should also be set in the property
fs.s3a.server-side-encryption.key
:
<property>
<name>fs.s3a.server-side-encryption.key</name>
<value>arn:aws:kms:us-west-2:360379543683:key/071a86ff-8881-4ba0-9230-95af6d01ca01</value>
</property>
If your account is set up with a default KMS key and
fs.s3a.server-side-encryption.key
is unset, the default key will be
used.
Alternatively, organizations may define a default key in the Amazon KMS; if a default key is
set, then it will be used whenever SSE-KMS encryption is chosen and the value of
fs.s3a.server-side-encryption.key is empty.
To learn more, refer to Protecting Data Using Server-Side Encryption with AWS KMS-Managed Keys
(SSE-KMS) in the AWS documentation.