Is there any way to implement S3 client encryption keys using SSE-C ?
(Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C) - Amazon Simple Storage Service)
i have very large files to encrypt that do not make sense to encrypt locally. SSE-C provided added security
I’ll let somebody more knowledgeable answer about using SSE-C, but I did want to share some of my thoughts on it.
-
There are some Duplicati optimizations being considered which would potentially rely on the ETag of a request coming from amazon being the MD5 of the file - this potential feature would no longer work if using SSE-C due to “The ETag in the response is not the MD5 of the object data.”
-
Technically the size of the file being backed up doesn’t matter as Duplicati breaks files up into small chunks (blocks), lumps a bunch of those chunks together, compresses them, then encrypts the compressed file.
-
Even if SSE-C were being used, because of the process described in step 2 the only performance benefit on the Duplicati side would be skipping the encryption of the compress file step. If you want to simulate the type of performance gain you could get from that, try comparing the run times of two test backups of the same source data - one with an encryption key and one without.
There is no support for this, so you would have to add this to the Duplicati source code. Not too difficult to do:
The way that Duplicati stores data is by building “volumes”, which are a collection of data chuncks. It encrypts these volumes before uploading them, which ensures that the key never leaves your machine (unlike SSE-C) and only performs encryption of the compressed version of your data (smallest amount possible to encrypt).
In other words, you will not be repeatedly encrypting your files locally.