Server-Side Encryption with SSE-C in Cloud Object Storage

SimpleBackups founder

Islam Essam

Co-founder, SimpleBackups

November 28, 2023

Have you ever wondered what the Server-Side Encryption is and how to use it?

Simply put, it is a system for encrypting data, which is done at the destination by the application or service that receives it. The system works with cloud storage services such as Amazon S3, DigitalOcean Spaces, Wasabi or Linode Object Storage

In addition, there is also Server-Side Encryption with Customer-Provided Keys (SSE-C), which adds an extra layer of protection as the storage service never manages or stores the keys.

SimpleBackups SSE-C Example

Key Benefits of SSE-C

  1. Enhanced Security: Since encryption keys are not stored or managed by the cloud provider, the risk of key compromise is significantly reduced.
  2. Control and Compliance: Retain full control over your encryption keys, aiding in compliance with various data protection regulations.
  3. Flexibility: Use your key management processes and tools, integrating seamlessly with your existing security infrastructure.

Implementing SSE-C in Cloud Object Storage

Uploading Objects with SSE-C

Generate an Encryption Key: Create a secure, 256-bit symmetric key. You can use any cryptographic tool to generate this key.

import os

# Generate a 256-bit (32-byte) symmetric key
encryption_key = os.urandom(32)

Upload Object with SSE-C:

import boto3

s3_client = boto3.client('s3')

# Provide the encryption key and algorithm
extra_args = {
    'SSECustomerAlgorithm': 'AES256',
    'SSECustomerKey': encryption_key

# Upload the file
s3_client.upload_file('path/to/file', 'your-bucket', 'object-key', ExtraArgs=extra_args)

The process is similar for Amazon S3, DigitalOcean Spaces, Wasabi, and Linode. Ensure the respective SDK is used for the service.

Downloading Objects with SSE-C

Provide Encryption Key for Downloading:

# Provide the same encryption key used during upload
download_args = {
    'SSECustomerAlgorithm': 'AES256',
    'SSECustomerKey': encryption_key

# Download the file
s3_client.download_file('your-bucket', 'object-key', 'path/to/save', ExtraArgs=download_args)

The same method applies to Amazon S3, DigitalOcean Spaces, Wasabi and Linode Object Storage, ensuring you use their respective SDKs.

Best Practices and Considerations

  1. Key Management: Securely manage your encryption keys. Losing them means you cannot decrypt your data.
  2. Compliance and Security: Regularly audit and rotate your encryption keys in line with best security practices.
  3. Access Control: Implement strict access policies to safeguard your data in the cloud.


SSE-C offers a solution for those seeking enhanced security and complete control over their data in the cloud. By managing your encryption keys, you can be sure that your data is protected and, at the same time, allows you to use the flexibility of services like Amazon S3 or DigitalOcean.

Experience Effortless Encryption with SimpleBackups and SSE-C

At SimpleBackups, we understand the importance of data security and the complexities it can bring. That's why we've made it super easy to implement Server-Side Encryption with Customer-Provided Keys (SSE-C) when storing your files on the cloud.

Ready to safeguard your data with ease? Sign up for SimpleBackups today and experience the simplicity of secure backups!

Back to blog

Stop worrying about your backups.
Focus on building amazing things!

Free 7-day trial. No credit card required.

Have a question? Need help getting started?
Get in touch via chat or at [email protected]

Customer support with experts
Security & compliance
Service that you'll love using