How To Set Up Server Side Encryption For AWS KMS

This document is for ObjectiveFS release 7.0 and newer. For older releases, please see this guide.

ObjectiveFS provides client-side encryption, which encrypts the data on your server before it is sent to the object store. The data stays encrypted in transit and at rest. The client-side encryption is always enabled.

For enterprise users, ObjectiveFS also supports server-side encryption on AWS using Amazon S3-managed encryption keys (SSE-S3) and AWS KMS-managed encryption keys (SSE-KMS). This guide describes how to set up ObjectiveFS to run with AMS KMS.

What You Need

• ObjectiveFS installed
• Your AWS KMS key (not needed if using AWS-KMS with default S3 key)
• Set up your objectivefs environment directory (e.g. /etc/objectivefs.env) (see config step)

Steps

1. In /etc/objectivefs.env, create a file named AWS_SERVER_SIDE_ENCRYPTION with content as:

   • aws:kms (if using the default KMS key)

     # echo "aws:kms" > /etc/objectivefs.env/AWS_SERVER_SIDE_ENCRYPTION

   • <your kms key> (if using a specific KMS key, e.g. arn:aws:kms:12345/6789)

     # echo "arn:aws:kms:12345/6789" > /etc/objectivefs.env/AWS_SERVER_SIDE_ENCRYPTION

2. Create a filesystem (one-time only) and mount the filesystem as usual

    # sudo mount.objectivefs create mybucket
    # sudo mount.objectivefs mybucket /ofs

Reference

• Server Side Encryption section in User Guide

If you have questions, please email us at support@objectivefs.com.

Last updated by ObjectiveFS staff, October 3, 2022

ObjectiveFS is a shared filesystem for Linux and macOS that automatically scales up and out with high performance. In production use by Fortune 500 companies since 2013.