Amazon S3 Server Side Encryption

I have a bucket policy that Denies UnEncrypted Object Uploads with this requirement:
“s3:x-amz-server-side-encryption”: “AES256”

I can’t find any Duplicati advanced Amazon S3 options that can enforce this policy.

Am I missing something?

Thank you.

Server side encrypting encrypted files seems superflucious.

Why not disable the policy?

I expected this answer.
But let me rephrase my question.
Does Duplicati support Amazon S3 server side encryption?
Why do I need to use a client side encryption when Amazon offers a great server side encryption feature?

I don’t think it does, there would be an option for it under S3.

From a philosophical point It goes completely against the trust-no-one model that Duplicati is built on. If you let your backend encrypt the data you have no way of actually knowing it’s secure. You don’t control the encryption keys or the process used.

From a practical point it’s exactly the same encryption so it seems kinda pointless anyway :man_shrugging:

Looking briefly through Duplicati source, I don’t see the needed header string, so I too suspect that Duplicati can’t satisfy that bucket policy (which is completely unaware that the data is already encrypted…). Generally, encryption at the client with a key only known at the client side is considered more secure than a server side encryption plan because as long as the server side has the encryption keys, decryption is possible for many reasons, such as attackers, sharing (intended or not), customer support, troubleshooting by employees, etc. You really must look at exactly how a hosting company does encryption and decryption to know how it works.

Encryption at Rest in Google Cloud Platform is Google’s plan showing how complicated the situation can get, however even that doesn’t get into situations like where storage is shared intentionally, e.g. by configuration. Sorry I don’t have similar Amazon info. I happen to have looked into Google before going to a provider which makes their server side encryption use clear – they don’t. Client is best unless you fear forgetting the secret.

Step 1: Choose a security option shows how CrashPlan backup offers the user a choice. The easy path is to require only the account login, which can sometimes be weak, especially if other sites got similar credentials. From there, options become more secure but get other drawbacks. It’s a tradeoff of ease against security…

For any semi-decent encryption, the question isn’t encryption strength, but other ways to get decrypted data. My two cents, but I’m certain the Web (and perhaps this forum) has an opinion on such encryption questions.

Basically expanding on what @Pectojin said while possibly disagreeing that “same encryption” is relevant…

EDIT: A better look at Duplicati code found the same tentative conclusion. Duplicati actually seems to use the AWS SDK for .NET, so per this I should be looking for signs of ServerSideEncryptionMethod. I’m not seeing it.