Enabling SSE-KMS

To enable SSE-KMS, the property fs.s3a.server-side-encryption-algorithm must be set to SSE-KMS in core-site.xml.


The ID of the specific key used to encrypt the data should also be set in the property fs.s3a.server-side-encryption.key:


If your account is set up set up with a default KMS key and fs.s3a.server-side-encryption.key is unset, the default key will be used.

Alternatively, organizations may define a default key in the Amazon KMS; if a default key is set, then it will be used whenever SSE-KMS encryption is chosen and the value of fs.s3a.server-side-encryption.key is empty.
To learn more, refer to Protecting Data Using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) in the AWS documentation.