From 10790635a3474cd98a415a00446282919c1f1e49 Mon Sep 17 00:00:00 2001 From: Vanda ILLYES Date: Tue, 2 Jun 2026 17:56:09 +0200 Subject: [PATCH 01/14] feat(object-storage): add SSE-KMS MTA-7193 --- pages/key-manager/faq.mdx | 2 + .../object-storage/how-to/create-a-bucket.mdx | 4 +- .../object-storage/how-to/enable-sse-kms.mdx | 87 +++++++++++++++++++ .../object-storage/how-to/enable-sse-one.mdx | 19 +++- pages/object-storage/menu.ts | 4 + 5 files changed, 110 insertions(+), 6 deletions(-) create mode 100644 pages/object-storage/how-to/enable-sse-kms.mdx diff --git a/pages/key-manager/faq.mdx b/pages/key-manager/faq.mdx index dbbb3fe750..cb9086c89c 100644 --- a/pages/key-manager/faq.mdx +++ b/pages/key-manager/faq.mdx @@ -18,6 +18,8 @@ Key Manager helps organizations achieve secure key management by handling low-le Scaleway Key Manager allows you to create, manage, and use cryptographic keys in a centralized and secure service. All your cryptographic operations can be delegated to Key Manager, which in turn ensures the security and availability of your keys. +Key Manager is compatible with Object Storage to store and manage bucket encryption keys. + ## Offering and availability ### Which cryptographic operations does Key Manager support? diff --git a/pages/object-storage/how-to/create-a-bucket.mdx b/pages/object-storage/how-to/create-a-bucket.mdx index 3d3f33c256..fa150b2b62 100644 --- a/pages/object-storage/how-to/create-a-bucket.mdx +++ b/pages/object-storage/how-to/create-a-bucket.mdx @@ -3,7 +3,7 @@ title: How to create a bucket description: Create a new bucket in Scaleway Object Storage. tags: object storage bucket object-storage dates: - validation: 2025-07-01 + validation: 2026-06-02 posted: 2021-05-27 --- import Requirements from '@macros/iam/requirements.mdx' 
@@ -28,7 +28,7 @@ To get started with Object Storage, you must first create a bucket. Objects are A private file stored in a public bucket is not publicly accessible. You can change the bucket visibility at any time from the **Bucket settings** tab. -6. Optionally, tick **SSE-ONE encryption with Scaleway Object Native Encryption keys** to encrypt your objects with keys managed by Scaleway. +6. Optionally, tick **Enable bucket encryption** and select an encryption type ([SSE-ONE](/object-storage/how-to/enable-sse-one/) or [SSE-KMS](/object-storage/how-to/enable-sse-kms/)) to encrypt your objects with keys managed by Scaleway (in the case of SSE-ONE) or by your organization via Scaleway's [Key Manager](/key-manager/concepts/) (in the case of SSE-KMS). 7. Optionally, configure [bucket versioning](/object-storage/how-to/use-bucket-versioning/): - Tick **Enable bucket versioning** to store multiple versions of your objects (this may lead to higher storage costs). - Tick **Enable object lock** to prevent objects from being deleted or overwritten for a defined retention period. Object lock requires versioning to be enabled. diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx new file mode 100644 index 0000000000..eab85de879 --- /dev/null +++ b/pages/object-storage/how-to/enable-sse-kms.mdx 
@@ -0,0 +1,87 @@ +--- +title: Enabling server-side encryption with Key Management Service (SSE-KMS) using the Scaleway console +description: Enable server-side encryption with Key Management Service (SSE-KMS) for Object Storage using the Scaleway console. +tags: object storage server side encryption kms cli scaleway own keys +dates: + validation: 2026-06-03 + posted: 2026-06-04 +--- +import Requirements from '@macros/iam/requirements.mdx' + +This page explains how to use SSE-KMS with the Scaleway Console. +{/*To use it with the AWS CLI, refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-kms/).*/} + +**S**erver-**S**ide **E**ncryption with **K**ey **M**anagement **S**ervice (SSE-KMS) is an encryption-at-rest option for Object Storage that uses a Key Management Service to handle encryption keys. It allows you to encrypt data when it is uploaded, and decrypt it when accessed, with your organization managing encryption keys (AES-256-GCM) through Scaleway's [Key Manager](/key-manager/concepts/). + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) (optional) + +## How to enable SSE-KMS during bucket creation + +When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bucket/), follow these steps to enable SSE-KMS: + +1. Tick the **Enable bucket encryption** box and select the **SSE-KMS** encryption type. + +2. Select a KMS key. You have the following options: + + - **Select an existing key**: Use the drop-down to select a key that you [set up earlier via Key Manager](/key-manager/how-to/create-km-key/). + - **Create a new KMS key**: Provide a name for your new key. When you click **Create bucket**, a new key is created and available for managing via Key Manager. 
+ + + The key created in Key Manager is a key encryption key (KEK), which is now associated with your bucket. This KEK is used to encrypt and decrypt data encryption keys (DEKs) whenever Object Storage requests it. The DEKs (which are not stored in Key Manager) are the keys that will encrypt and decrypt the objects added to the bucket; they are stored by Object Storage. For security best practices regarding DEKs, see [Understanding security measures when using Key Manager](/key-manager/reference-content/security-recommendations/). + +Following bucket creation, objects pushed to this bucket will be automatically encrypted at rest with your key managed via Key Manager. + + + Regularly rotating your encryption keys is good practice to reduce the risk of exposure if a key is compromised. For details on how to rotate a key, see [Rotate keys using the Scaleway console](/key-manager/how-to/rotate-kem-keys/). + + +## How to enable SSE-KMS on an existing bucket + +1. Click **Object Storage** in the **Storage** section of the side menu. The list of your buckets displays. + +2. Click the name of the desired bucket. The **Overview** tab displays. + +3. Select the **Settings** tab. + +4. Under **Bucket encryption**, click **Edit encryption mode**. A pop-up displays. + +5. Tick the **Enable bucket encryption** box, then select **SSE-KMS**. + +6. Select a KMS key. You have the following options: + + - **Select an existing key**: Use the drop-down to select a key that you [set up via Key Manager](/key-manager/how-to/create-km-key/) earlier. + - **Create a new KMS key**: Provide a name for your new key. When you click **Confirm**, a new key is created and available for managing via Key Manager. + +7. Click **Confirm**. + +New objects uploaded to this bucket will be automatically encrypted at rest with your key managed via Key Manager. + + +Objects uploaded to this bucket before enabling SSE-KMS will not be encrypted. + + +## How to disable SSE-KMS on an existing bucket + +1. 
Click **Object Storage** in the **Storage** section of the side menu. The list of your buckets displays. + +2. Click the name of the desired bucket. The **Overview** tab displays. + +3. Select the **Settings** tab. + +4. Under **Bucket encryption**, click **Edit encryption mode**. A pop-up displays. + +5. Uncheck the **Enable bucket encryption** box. + +6. Click **Confirm**. The **Disable encryption for my bucket** pop-up displays. + +7. Type **DISABLE**, then click **Confirm**. + + + Your current encryption key will no longer be accessible on your bucket once the change is applied. Make sure you have saved or backed up your existing key before proceeding. + + +New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-KMS was enabled will remain encrypted. \ No newline at end of file diff --git a/pages/object-storage/how-to/enable-sse-one.mdx b/pages/object-storage/how-to/enable-sse-one.mdx index acd7b33496..97595f0767 100644 --- a/pages/object-storage/how-to/enable-sse-one.mdx +++ b/pages/object-storage/how-to/enable-sse-one.mdx @@ -3,7 +3,7 @@ title: Enabling server-side encryption with object native encryption (SSE-ONE) u description: Enable server-side encryption with object native encryption (SSE-ONE) for Object Storage using the Scaleway console. tags: object storage server side encryption sse one cli scaleway managed keys dates: - validation: 2026-02-24 + validation: 2026-06-02 posted: 2026-02-24 --- import Requirements from '@macros/iam/requirements.mdx' 
@@ -21,7 +21,7 @@ This page explains how to use SSE-ONE with the Scaleway Console. To use it with ## How to enable SSE-ONE during bucket creation -When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bucket/), you can enable SSE-ONE using the toggle under **Bucket encryption**. +When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bucket/), you can enable SSE-ONE by ticking the **Enable bucket encryption** box and selecting the **SSE-ONE** encryption type. Objects pushed to this bucket will be automatically encrypted at rest with keys managed by Scaleway. @@ -35,7 +35,9 @@ Objects pushed to this bucket will be automatically encrypted at rest with keys 4. Click **Edit encryption mode**, under **Bucket encryption**. A pop-up displays. -5. Click the toggle to enable SSE-ONE, then click **Edit** to confirm. +5. Tick the **Enable bucket encryption** box, then select **SSE-ONE**. + +6. Click **Confirm**. New objects uploaded to this bucket will be automatically encrypted at rest with keys managed by Scaleway. @@ -53,6 +55,15 @@ Objects uploaded to this bucket before enabling SSE-ONE will not be encrypted. 4. Click **Edit encryption mode**, under **Bucket encryption**. A pop-up displays. -5. Click the toggle to disable SSE-ONE, then click **Edit** to confirm. +5. Uncheck the **Enable bucket encryption** box. + +6. Click **Confirm**. The **Disable encryption for my bucket** pop-up displays. + +7. Type **DISABLE**, then click **Confirm**. + + + Once you disable encryption for the bucket, any data encrypted with the previous key will become unreadable unless you retain a copy of the key. + + New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-ONE was enabled will remain encrypted. \ No newline at end of file diff --git a/pages/object-storage/menu.ts b/pages/object-storage/menu.ts index 013c68524e..7f9a4effd7 100644 --- a/pages/object-storage/menu.ts +++ b/pages/object-storage/menu.ts 
@@ -62,6 +62,10 @@ export const objectStorageMenu = { label: 'Enable SSE-ONE', slug: 'enable-sse-one', }, + { + label: 'Enable SSE-KMS', + slug: 'enable-sse-kms', + }, { label: 'Use object lock', slug: 'use-object-lock', From 3342ce79531c5ccf8b6100503987c448d0d8611d Mon Sep 17 00:00:00 2001 From: Vanda ILLYES Date: Wed, 3 Jun 2026 07:56:13 +0200 Subject: [PATCH 02/14] feat(object-storage): add SSE-KMS MTA-7193 --- pages/key-manager/faq.mdx | 2 +- pages/object-storage/how-to/enable-sse-kms.mdx | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/pages/key-manager/faq.mdx b/pages/key-manager/faq.mdx index cb9086c89c..ce366c3a56 100644 --- a/pages/key-manager/faq.mdx +++ b/pages/key-manager/faq.mdx @@ -18,7 +18,7 @@ Key Manager helps organizations achieve secure key management by handling low-le Scaleway Key Manager allows you to create, manage, and use cryptographic keys in a centralized and secure service. All your cryptographic operations can be delegated to Key Manager, which in turn ensures the security and availability of your keys. -Key Manager is compatible with Object Storage to store and manage bucket encryption keys. +Key Manager is [integrated with Object Storage](/object-storage/how-to/enable-sse-kms/) to store and manage bucket encryption keys. ## Offering and availability diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx index eab85de879..5f0f8e1b6e 100644 --- a/pages/object-storage/how-to/enable-sse-kms.mdx +++ b/pages/object-storage/how-to/enable-sse-kms.mdx 
@@ -13,6 +13,14 @@ This page explains how to use SSE-KMS with the Scaleway Console. **S**erver-**S**ide **E**ncryption with **K**ey **M**anagement **S**ervice (SSE-KMS) is an encryption-at-rest option for Object Storage that uses a Key Management Service to handle encryption keys. It allows you to encrypt data when it is uploaded, and decrypt it when accessed, with your organization managing encryption keys (AES-256-GCM) through Scaleway's [Key Manager](/key-manager/concepts/). +When you use SSE-KMS, you set up a symmetric [key encryption key (KEK)](/key-manager/concepts/#key-encryption-key-kek) via Key Manager and associate that KEK with a bucket. This KEK encrypts and decrypts the [data encryption keys (DEKs)](/key-manager/concepts/#data-encryption-key-dek) that Object Storage uses to encrypt and decrypt the objects added to the bucket. + +The KEK is generated, stored, and managed via Key Manager, whereas DEKs are generated by Key Manager on-demand (when Object Storage requests them), and are then stored by Object Storage. + +Both key types have associated security best‑practice guidance: +- Rotate your KEK – see [Rotate keys using the Scaleway console](/key-manager/how-to/rotate-kem-keys/). +- Secure DEKs – see [Understanding security measures when using Key Manager](/key-manager/reference-content/security-recommendations/). + - A Scaleway account logged into the [console](https://console.scaleway.com) 
@@ -31,7 +39,7 @@ When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bu - **Create a new KMS key**: Provide a name for your new key. When you click **Create bucket**, a new key is created and available for managing via Key Manager. - The key created in Key Manager is a key encryption key (KEK), which is now associated with your bucket. This KEK is used to encrypt and decrypt data encryption keys (DEKs) whenever Object Storage requests it. The DEKs (which are not stored in Key Manager) are the keys that will encrypt and decrypt the objects added to the bucket; they are stored by Object Storage. For security best practices regarding DEKs, see [Understanding security measures when using Key Manager](/key-manager/reference-content/security-recommendations/). + The KMS key that you select here is the key encryption key (KEK) mentioned above. Following bucket creation, objects pushed to this bucket will be automatically encrypted at rest with your key managed via Key Manager. From b623e99946be8078b11f67dfaa4ecffd41f468dc Mon Sep 17 00:00:00 2001 From: Vanda ILLYES Date: Wed, 3 Jun 2026 08:22:21 +0200 Subject: [PATCH 03/14] feat(object-storage): add SSE-KMS MTA-7193 --- .../object-storage/how-to/enable-sse-kms.mdx | 20 ++++++++----------- 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx index 5f0f8e1b6e..a56132179b 100644 --- a/pages/object-storage/how-to/enable-sse-kms.mdx +++ b/pages/object-storage/how-to/enable-sse-kms.mdx 
@@ -17,9 +17,9 @@ When you use SSE-KMS, you set up a symmetric [key encryption key (KEK)](/key-man The KEK is generated, stored, and managed via Key Manager, whereas DEKs are generated by Key Manager on-demand (when Object Storage requests them), and are then stored by Object Storage. -Both key types have associated security best‑practice guidance: -- Rotate your KEK – see [Rotate keys using the Scaleway console](/key-manager/how-to/rotate-kem-keys/). -- Secure DEKs – see [Understanding security measures when using Key Manager](/key-manager/reference-content/security-recommendations/). +Both key types have associated security best practices: +- [Regularly rotate your KEK](/key-manager/how-to/rotate-kem-keys/) +- [Secure your DEKs](/key-manager/reference-content/security-recommendations/) @@ -38,14 +38,9 @@ When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bu - **Select an existing key**: Use the drop-down to select a key that you [set up earlier via Key Manager](/key-manager/how-to/create-km-key/). - **Create a new KMS key**: Provide a name for your new key. When you click **Create bucket**, a new key is created and available for managing via Key Manager. + The KMS key that you select here is the key encryption key (KEK) mentioned above. - The KMS key that you select here is the key encryption key (KEK) mentioned above. - -Following bucket creation, objects pushed to this bucket will be automatically encrypted at rest with your key managed via Key Manager. - - - Regularly rotating your encryption keys is good practice to reduce the risk of exposure if a key is compromised. For details on how to rotate a key, see [Rotate keys using the Scaleway console](/key-manager/how-to/rotate-kem-keys/). - +Following bucket creation, objects pushed to this bucket will be automatically encrypted at rest with your keys generated via Key Manager. ## How to enable SSE-KMS on an existing bucket 
@@ -63,10 +58,11 @@ Following bucket creation, objects pushed to this bucket will be automatically e - **Select an existing key**: Use the drop-down to select a key that you [set up via Key Manager](/key-manager/how-to/create-km-key/) earlier. - **Create a new KMS key**: Provide a name for your new key. When you click **Confirm**, a new key is created and available for managing via Key Manager. + The KMS key that you select here is the key encryption key (KEK) mentioned above. 7. Click **Confirm**. -New objects uploaded to this bucket will be automatically encrypted at rest with your key managed via Key Manager. +New objects uploaded to this bucket will be automatically encrypted at rest with your keys generated via Key Manager. Objects uploaded to this bucket before enabling SSE-KMS will not be encrypted. @@ -89,7 +85,7 @@ Objects uploaded to this bucket before enabling SSE-KMS will not be encrypted. 7. Type **DISABLE**, then click **Confirm**. - Your current encryption key will no longer be accessible on your bucket once the change is applied. Make sure you have saved or backed up your existing key before proceeding. + Your current encryption key will no longer be accessible on your bucket once the change is applied. Make sure you have saved or backed up your existing key before proceeding. {/*If the key is available via Key Manager, why do we need this message? Does it concern the DEKs?*/} New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-KMS was enabled will remain encrypted. \ No newline at end of file From 50a8dd09f86c01dbb9a4308577f3f45ade4af630 Mon Sep 17 00:00:00 2001 From: Vanda ILLYES Date: Wed, 3 Jun 2026 09:47:45 +0200 Subject: [PATCH 04/14] feat(object-storage): add SSE-KMS MTA-7193 --- pages/object-storage/how-to/enable-sse-kms.mdx | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx index a56132179b..9664182f87 100644 --- a/pages/object-storage/how-to/enable-sse-kms.mdx +++ b/pages/object-storage/how-to/enable-sse-kms.mdx @@ -21,11 +21,21 @@ Both key types have associated security best practices: - [Regularly rotate your KEK](/key-manager/how-to/rotate-kem-keys/) - [Secure your DEKs](/key-manager/reference-content/security-recommendations/) +Scaleway SSE-KMS behaves similarly to Server-side Encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS). + + +Scaleway also supports: + - SSE-ONE - For details, refer to the [dedicated documentation](/object-storage/how-to/enable-sse-one/). + - SSE-C - For details, refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/). + + - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization - An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) (optional) +{/*Any other prerequisite?*/} + ## How to enable SSE-KMS during bucket creation @@ -58,6 +68,7 @@ Following bucket creation, objects pushed to this bucket will be automatically e - **Select an existing key**: Use the drop-down to select a key that you [set up via Key Manager](/key-manager/how-to/create-km-key/) earlier. - **Create a new KMS key**: Provide a name for your new key. When you click **Confirm**, a new key is created and available for managing via Key Manager. + The KMS key that you select here is the key encryption key (KEK) mentioned above. 7. Click **Confirm**. From 86fe4bf3754c2450176128f35ee9927af1751cb0 Mon Sep 17 00:00:00 2001 
From: Vanda ILLYES Date: Wed, 3 Jun 2026 09:58:07 +0200 Subject: [PATCH 05/14] feat(object-storage): add SSE-KMS MTA-7193 --- pages/object-storage/how-to/enable-sse-kms.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx index 9664182f87..0f7a88e7f7 100644 --- a/pages/object-storage/how-to/enable-sse-kms.mdx +++ b/pages/object-storage/how-to/enable-sse-kms.mdx @@ -25,8 +25,8 @@ Scaleway SSE-KMS behaves similarly to Server-side Encryption with AWS Key Manage Scaleway also supports: - - SSE-ONE - For details, refer to the [dedicated documentation](/object-storage/how-to/enable-sse-one/). - - SSE-C - For details, refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/). + - [Server-Side Encryption with Object Native Encryption (SSE-ONE)](/object-storage/how-to/enable-sse-one/) + - [Server-Side Encryption with Customer-provided keys (SSE-C)](/object-storage/api-cli/enable-sse-c/) From 434303a0adb1a30131e0f8c55f5bbec3efc81902 Mon Sep 17 00:00:00 2001 From: Vanda ILLYES Date: Wed, 3 Jun 2026 11:24:12 +0200 Subject: [PATCH 06/14] feat(object-storage): add SSE-KMS MTA-7193 --- pages/object-storage/how-to/enable-sse-kms.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx index 0f7a88e7f7..1a41013ba0 100644 --- a/pages/object-storage/how-to/enable-sse-kms.mdx +++ b/pages/object-storage/how-to/enable-sse-kms.mdx 
@@ -15,7 +15,7 @@ This page explains how to use SSE-KMS with the Scaleway Console. When you use SSE-KMS, you set up a symmetric [key encryption key (KEK)](/key-manager/concepts/#key-encryption-key-kek) via Key Manager and associate that KEK with a bucket. This KEK encrypts and decrypts the [data encryption keys (DEKs)](/key-manager/concepts/#data-encryption-key-dek) that Object Storage uses to encrypt and decrypt the objects added to the bucket. -The KEK is generated, stored, and managed via Key Manager, whereas DEKs are generated by Key Manager on-demand (when Object Storage requests them), and are then stored by Object Storage. +The KEK is generated, stored, and managed via Key Manager, whereas DEKs are generated and operated by Object Storage and encrypted by the KEK. Both key types have associated security best practices: - [Regularly rotate your KEK](/key-manager/how-to/rotate-kem-keys/) @@ -96,7 +96,7 @@ Objects uploaded to this bucket before enabling SSE-KMS will not be encrypted. 7. Type **DISABLE**, then click **Confirm**. - Your current encryption key will no longer be accessible on your bucket once the change is applied. Make sure you have saved or backed up your existing key before proceeding. {/*If the key is available via Key Manager, why do we need this message? Does it concern the DEKs?*/} + Once the change is applied, the encryption key (the KEK) will disappear from the bucket view, but objects encrypted with the previous SSE‑KMS configuration still depend on it. The key will remain available in Key Manager, but remember to not remove it. Deleting the key will make all previously encrypted objects inaccessible permanently. New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-KMS was enabled will remain encrypted. \ No newline at end of file From 1b6dc92a442a5636c033d7e6de927188a8d0b2b2 Mon Sep 17 00:00:00 2001 
From: Vanda ILLYES Date: Wed, 3 Jun 2026 13:52:41 +0200 Subject: [PATCH 07/14] feat(object-storage): add SSE-KMS MTA-7193 --- pages/object-storage/how-to/enable-sse-one.mdx | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pages/object-storage/how-to/enable-sse-one.mdx b/pages/object-storage/how-to/enable-sse-one.mdx index 97595f0767..cce20df6e4 100644 --- a/pages/object-storage/how-to/enable-sse-one.mdx +++ b/pages/object-storage/how-to/enable-sse-one.mdx @@ -61,9 +61,5 @@ Objects uploaded to this bucket before enabling SSE-ONE will not be encrypted. 7. Type **DISABLE**, then click **Confirm**. - - Once you disable encryption for the bucket, any data encrypted with the previous key will become unreadable unless you retain a copy of the key. - - New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-ONE was enabled will remain encrypted. \ No newline at end of file From 84b629237d299a491956d8cffc1088576195fdda Mon Sep 17 00:00:00 2001 From: Vanda ILLYES Date: Wed, 3 Jun 2026 15:26:28 +0200 Subject: [PATCH 08/14] feat(object-storage): add SSE-KMS MTA-7193 --- macros/object-storage/sse-one-introduction.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/macros/object-storage/sse-one-introduction.mdx b/macros/object-storage/sse-one-introduction.mdx index 83c88036d0..b045c1f329 100644 --- a/macros/object-storage/sse-one-introduction.mdx +++ b/macros/object-storage/sse-one-introduction.mdx 
@@ -9,5 +9,7 @@ By default, SSE-ONE is applied per-upload, meaning that you must specify the enc Scaleway SSE-ONE behaves similarly to Server Side Encryption with Amazon S3 managed keys (SSE-S3). -Scaleway also supports SSE-C. Refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/) for more information. +Scaleway also supports: + - [Server-Side Encryption with Customer-provided keys (SSE-C)](/object-storage/api-cli/enable-sse-c/) + - [Server-Side Encryption with Key Management Service (SSE-KMS)](/object-storage/how-to/enable-sse-kms/) \ No newline at end of file From 930f70aca5b53872cbb7ebefb32b40495b9e8d7d Mon Sep 17 00:00:00 2001 From: Vanda ILLYES Date: Wed, 3 Jun 2026 16:49:46 +0200 Subject: [PATCH 09/14] feat(object-storage): add SSE-KMS MTA-7193 --- pages/object-storage/how-to/enable-sse-kms.mdx | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx index 1a41013ba0..697bbe0c0a 100644 --- a/pages/object-storage/how-to/enable-sse-kms.mdx +++ b/pages/object-storage/how-to/enable-sse-kms.mdx 
@@ -43,12 +43,18 @@ When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bu 1. Tick the **Enable bucket encryption** box and select the **SSE-KMS** encryption type. -2. Select a KMS key. You have the following options: +2. Select a KMS key. + + The KMS key that you select here is the key encryption key (KEK) mentioned above. + + You have the following options: - **Select an existing key**: Use the drop-down to select a key that you [set up earlier via Key Manager](/key-manager/how-to/create-km-key/). - **Create a new KMS key**: Provide a name for your new key. When you click **Create bucket**, a new key is created and available for managing via Key Manager. - The KMS key that you select here is the key encryption key (KEK) mentioned above. + + If you choose to create a new KMS key, it is automatically created with the “Protected” status. The key cannot be deleted via the console or the API, preventing accidental removal. The only way to disable key protection is through [Key Manager](/key-manager/). + Following bucket creation, objects pushed to this bucket will be automatically encrypted at rest with your keys generated via Key Manager. From 8526b217390dc5232a1ed4e7174d82a0b5dfbec3 Mon Sep 17 00:00:00 2001 From: Vanda ILLYES Date: Wed, 3 Jun 2026 17:04:30 +0200 Subject: [PATCH 10/14] feat(object-storage): add SSE-KMS MTA-7193 --- pages/object-storage/how-to/enable-sse-kms.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx index 697bbe0c0a..ad689e3666 100644 --- a/pages/object-storage/how-to/enable-sse-kms.mdx +++ b/pages/object-storage/how-to/enable-sse-kms.mdx 
@@ -58,6 +58,10 @@ When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bu Following bucket creation, objects pushed to this bucket will be automatically encrypted at rest with your keys generated via Key Manager. + +As a best practice, we recommend to use one specific KMS key per bucket, rather than the same KMS key for several buckets. + + ## How to enable SSE-KMS on an existing bucket 1. Click **Object Storage** in the **Storage** section of the side menu. The list of your buckets displays. @@ -101,7 +105,7 @@ Objects uploaded to this bucket before enabling SSE-KMS will not be encrypted. 7. Type **DISABLE**, then click **Confirm**. - + Once the change is applied, the encryption key (the KEK) will disappear from the bucket view, but objects encrypted with the previous SSE‑KMS configuration still depend on it. The key will remain available in Key Manager, but remember to not remove it. Deleting the key will make all previously encrypted objects inaccessible permanently. From 9e9c571193f03f80de74301ca032c8fc6e7c0fa5 Mon Sep 17 00:00:00 2001 From: Vanda ILLYES Date: Wed, 3 Jun 2026 21:23:46 +0200 Subject: [PATCH 11/14] feat(object-storage): add SSE-KMS MTA-7193 --- pages/object-storage/how-to/enable-sse-kms.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx index ad689e3666..17ac2eaad5 100644 --- a/pages/object-storage/how-to/enable-sse-kms.mdx +++ b/pages/object-storage/how-to/enable-sse-kms.mdx 
@@ -59,7 +59,7 @@ When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bu Following bucket creation, objects pushed to this bucket will be automatically encrypted at rest with your keys generated via Key Manager. -As a best practice, we recommend to use one specific KMS key per bucket, rather than the same KMS key for several buckets. +As a best practice, we recommend using a dedicated KMS key for each bucket, rather than sharing a single key across multiple buckets. ## How to enable SSE-KMS on an existing bucket From 3ad81f224e4c9d78fad6692b265d2a04c8a85dfd Mon Sep 17 00:00:00 2001 From: Vanda ILLYES Date: Wed, 3 Jun 2026 23:53:05 +0200 Subject: [PATCH 12/14] feat(object-storage): add SSE-KMS MTA-7193 --- .../object-storage/sse-kms-introduction.mdx | 21 ++++++++ .../object-storage/api-cli/enable-sse-kms.mdx | 52 +++++++++++++++++++ .../object-storage/how-to/enable-sse-kms.mdx | 23 ++------ pages/object-storage/menu.ts | 4 ++ 4 files changed, 80 insertions(+), 20 deletions(-) create mode 100644 macros/object-storage/sse-kms-introduction.mdx create mode 100644 pages/object-storage/api-cli/enable-sse-kms.mdx diff --git a/macros/object-storage/sse-kms-introduction.mdx b/macros/object-storage/sse-kms-introduction.mdx new file mode 100644 index 0000000000..c0b03df2fe --- /dev/null +++ b/macros/object-storage/sse-kms-introduction.mdx 
@@ -0,0 +1,21 @@ +--- +title: sse-kms-introduction +--- + +**S**erver-**S**ide **E**ncryption with **K**ey **M**anagement **S**ervice (SSE-KMS) is an encryption-at-rest option for Object Storage that uses a Key Management Service to handle encryption keys. It allows you to encrypt data when it is uploaded, and decrypt it when accessed, with your organization managing encryption keys (AES-256-GCM) through Scaleway's [Key Manager](/key-manager/concepts/). + +When you use SSE-KMS, you set up a symmetric [key encryption key (KEK)](/key-manager/concepts/#key-encryption-key-kek) via Key Manager and associate that KEK with a bucket. This KEK encrypts and decrypts the [data encryption keys (DEKs)](/key-manager/concepts/#data-encryption-key-dek) that Object Storage uses to encrypt and decrypt the objects added to the bucket. + +The KEK is generated, stored, and managed via Key Manager, whereas DEKs are generated and operated by Object Storage and encrypted by the KEK. + +Both key types have associated security best practices: +- [Regularly rotate your KEK](/key-manager/how-to/rotate-kem-keys/) +- [Secure your DEKs](/key-manager/reference-content/security-recommendations/) + +Scaleway SSE-KMS behaves similarly to Server-side Encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS). + + +Scaleway also supports: + - [Server-Side Encryption with Object Native Encryption (SSE-ONE)](/object-storage/how-to/enable-sse-one/) + - [Server-Side Encryption with Customer-provided keys (SSE-C)](/object-storage/api-cli/enable-sse-c/) + \ No newline at end of file diff --git a/pages/object-storage/api-cli/enable-sse-kms.mdx b/pages/object-storage/api-cli/enable-sse-kms.mdx new file mode 100644 index 0000000000..af6850355e --- /dev/null +++ b/pages/object-storage/api-cli/enable-sse-kms.mdx 
@@ -0,0 +1,52 @@ +--- +title: Enabling server-side encryption with Key Management Service (SSE-KMS) using the AWS CLI +description: Enable server-side encryption with Key Management Service (SSE-KMS) for Scaleway Object Storage. +tags: object storage server side encryption sse kms cli scaleway own keys +dates: + validation: 2026-06-04 + posted: 2026-06-04 +--- +import Requirements from '@macros/iam/requirements.mdx' +import SseKmsIntroduction from '@macros/object-storage/sse-kms-introduction.mdx' + +This page explains how to use SSE-KMS with the AWS CLI. To use it with the Scaleway console, refer to the [dedicated documentation](/object-storage/how-to/enable-sse-kms/). + + + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) +- Installed and initialized the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/) + +## Enabling SSE-KMS for an object upload + +Objects uploaded **after** enabling SSE-KMS are automatically encrypted. However, objects existing in the bucket before enabling SSE-KMS will not be encrypted, as encryption occurs during object upload. + +When you upload an object (for example, you re-upload a previously unencrypted object), you can choose to enable SSE-KMS for that particular object upload. + +In a terminal, run the following command. Remember to replace placeholders with actual values. + + ```bash + aws s3api put-object \ + --bucket \ + --key \ + --server-side-encryption aws:kms \ + --bucket-key-enabled + --ssekms-key-id \ + --body + ``` +An output similar to the following displays: + + ```json + { + "ETag": "\"\"", + "ChecksumCRC64NVME": "", + "ChecksumType": "FULL_OBJECT", + "ServerSideEncryption": "aws:kms", + "SSEKMSKeyId": "", + "BucketKeyEnabled": true + } + ``` + 
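Review bot: the `put-object` example in the new api-cli/enable-sse-kms.mdx is not runnable as written: the `--bucket-key-enabled` line lacks the trailing backslash, so the shell ends the command there and then tries to execute `--ssekms-key-id ... --body ...` as a separate command. Add the `\`. The requirements list also omits the Key Manager key whose ID `--ssekms-key-id` expects; add a bullet linking to key creation in Key Manager, next to the bucket and AWS CLI prerequisites, and keep the paragraph about pre-existing objects staying unencrypted close to the command, since that is the point a reader needs before copying it.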
diff --git a/pages/object-storage/how-to/enable-sse-kms.mdx b/pages/object-storage/how-to/enable-sse-kms.mdx index 17ac2eaad5..dab902e07f 100644 --- a/pages/object-storage/how-to/enable-sse-kms.mdx +++ b/pages/object-storage/how-to/enable-sse-kms.mdx 
@@ -7,34 +7,17 @@ dates: posted: 2026-06-04 --- import Requirements from '@macros/iam/requirements.mdx' +import SseKmsIntroduction from '@macros/object-storage/sse-kms-introduction.mdx' -This page explains how to use SSE-KMS with the Scaleway Console. -{/*To use it with the AWS CLI, refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-kms/).*/} +This page explains how to use SSE-KMS with the Scaleway Console. To use it with the AWS CLI, refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-kms/). -**S**erver-**S**ide **E**ncryption with **K**ey **M**anagement **S**ervice (SSE-KMS) is an encryption-at-rest option for Object Storage that uses a Key Management Service to handle encryption keys. It allows you to encrypt data when it is uploaded, and decrypt it when accessed, with your organization managing encryption keys (AES-256-GCM) through Scaleway's [Key Manager](/key-manager/concepts/). - -When you use SSE-KMS, you set up a symmetric [key encryption key (KEK)](/key-manager/concepts/#key-encryption-key-kek) via Key Manager and associate that KEK with a bucket. This KEK encrypts and decrypts the [data encryption keys (DEKs)](/key-manager/concepts/#data-encryption-key-dek) that Object Storage uses to encrypt and decrypt the objects added to the bucket. - -The KEK is generated, stored, and managed via Key Manager, whereas DEKs are generated and operated by Object Storage and encrypted by the KEK. - -Both key types have associated security best practices: -- [Regularly rotate your KEK](/key-manager/how-to/rotate-kem-keys/) -- [Secure your DEKs](/key-manager/reference-content/security-recommendations/) - -Scaleway SSE-KMS behaves similarly to Server-side Encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS). 
- - -Scaleway also supports: - - [Server-Side Encryption with Object Native Encryption (SSE-ONE)](/object-storage/how-to/enable-sse-one/) - - [Server-Side Encryption with Customer-provided keys (SSE-C)](/object-storage/api-cli/enable-sse-c/) - + - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization - An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) (optional) -{/*Any other prerequisite?*/} ## How to enable SSE-KMS during bucket creation diff --git a/pages/object-storage/menu.ts b/pages/object-storage/menu.ts index 7f9a4effd7..ccee16856d 100644 --- a/pages/object-storage/menu.ts +++ b/pages/object-storage/menu.ts @@ -157,6 +157,10 @@ export const objectStorageMenu = { label: 'Enabling SSE-ONE', slug: 'enable-sse-one', }, + { + label: 'Enabling SSE-KMS', + slug: 'enable-sse-kms', + }, { label: 'Setting CORS rules', slug: 'setting-cors-rules', From 92422f32db4431940e7fbca365ab59869204cbb8 Mon Sep 17 00:00:00 2001 From: vanda-scw Date: Thu, 4 Jun 2026 11:48:18 +0200 Subject: [PATCH 13/14] Update pages/key-manager/faq.mdx Co-authored-by: Loic-kd --- pages/key-manager/faq.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/key-manager/faq.mdx b/pages/key-manager/faq.mdx index ce366c3a56..7bc4d4a459 100644 --- a/pages/key-manager/faq.mdx +++ b/pages/key-manager/faq.mdx @@ -1,5 +1,5 @@ --- -title: Key Manager +title: Key Manager FAQ description: Explore Scaleway Key Manager with our comprehensive FAQ covering security, key types, and more. dates: validation: 2025-12-19 From e33d0e8602539adbfcc9127782ecbd673a239569 Mon Sep 17 00:00:00 2001 
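Review bot: the menu.ts hunk adds an "Enabling SSE-KMS" entry between `enable-sse-one` and `setting-cors-rules`, but the file added in this patch is pages/object-storage/api-cli/enable-sse-kms.mdx; confirm this entry is in the api-cli submenu and not the how-to one. Since the console how-to page uses the same slug `enable-sse-kms`, consider labels that distinguish the two, e.g. "Enabling SSE-KMS (console)" and "Enabling SSE-KMS with the AWS CLI".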
From: Vanda ILLYES Date: Thu, 4 Jun 2026 13:46:24 +0200 Subject: [PATCH 14/14] feat(object-storage): add SSE-KMS MTA-7193 --- .../object-storage/api-cli/enable-sse-kms.mdx | 40 ++++++++++++++++--- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/pages/object-storage/api-cli/enable-sse-kms.mdx b/pages/object-storage/api-cli/enable-sse-kms.mdx index af6850355e..61c7a49125 100644 --- a/pages/object-storage/api-cli/enable-sse-kms.mdx +++ b/pages/object-storage/api-cli/enable-sse-kms.mdx @@ -13,6 +13,12 @@ This page explains how to use SSE-KMS with the AWS CLI. To use it with the Scale +When it comes to setting up your key architecture, the recommended practice is to always set default bucket encryption by enabling a Bucket Key via [PutBucketEncryption](/object-storage/api-cli/bucket-operations/#putbucketencryption). When this is active and you have configured SSE‑KMS, Object Storage automatically creates a Bucket Key that is encrypted with your KMS key (the KEK). The Bucket Key, in turn, encrypts the per‑object data encryption keys (DEKs) that protect the actual object data. + +In cases when you have some objects that are stored without SSE‑KMS, you can: +- Re‑upload an object and [enable SSE‑KMS for that specific object upload](#enabling-sse-kms-for-an-object-upload) +- Copy an object using the same bucket as the source and the destination and [enable SSE‑KMS for that specific copy operation](#enable-ssekms-for-a-specific-copy-operation) + - A Scaleway account logged into the [console](https://console.scaleway.com) 
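Review bot: the new key-architecture paragraph in api-cli/enable-sse-kms.mdx describes three tiers (the KMS key encrypts a Bucket Key, which encrypts per-object DEKs), while the sse-kms-introduction macro this page imports says the KEK "encrypts and decrypts the data encryption keys (DEKs)" directly; align the two so the reader does not get two different models on one page. The paragraph also tells the reader that the recommended practice is to enable a Bucket Key via PutBucketEncryption, but the page shows no such command; add the `aws s3api put-bucket-encryption` call (with a `--server-side-encryption-configuration` rule naming `aws:kms`, the key ID and `BucketKeyEnabled: true`) before the per-object examples, because without default bucket encryption every upload that omits `--server-side-encryption` is stored unencrypted. Minor: "In cases when you have some objects" reads better as "If some objects are stored without SSE-KMS", and the hunk uses a non-breaking hyphen (U+2011) in "SSE‑KMS", "per‑object" and "Re‑upload" where the rest of the page uses an ASCII hyphen; that also matters for the `#enable-ssekms-for-a-specific-copy-operation` anchor, whose slug depends on how the heading's hyphen is rendered.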
@@ -22,10 +28,6 @@ This page explains how to use SSE-KMS with the AWS CLI. To use it with the Scale ## Enabling SSE-KMS for an object upload -Objects uploaded **after** enabling SSE-KMS are automatically encrypted. However, objects existing in the bucket before enabling SSE-KMS will not be encrypted, as encryption occurs during object upload. - -When you upload an object (for example, you re-upload a previously unencrypted object), you can choose to enable SSE-KMS for that particular object upload. - In a terminal, run the following command. Remember to replace placeholders with actual values. ```bash @@ -42,7 +44,7 @@ An output similar to the following displays: ```json { "ETag": "\"\"", - "ChecksumCRC64NVME": "", + "ChecksumCRC64NVME": "", "ChecksumType": "FULL_OBJECT", "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": "", @@ -50,3 +52,31 @@ An output similar to the following displays: } ``` +## Enable SSE‑KMS for a specific copy operation + +In a terminal, run the following command. Remember to replace placeholders with actual values. + + ```bash + aws s3api copy-object \ + --copy-source / \ + --key \ + --bucket \ + --server-side-encryption aws:kms \ + --bucket-key-enabled \ + --sse-kms-key-id + ``` + +An output similar to the following displays: + + ```json + { + "ServerSideEncryption": "aws:kms", + "SSEKMSKeyId": "", + "BucketKeyEnabled": true, + "CopyObjectResult": { + "ETag": "\"\"", + "LastModified": "yyyy-MM-ddTHH:mm:ss.SSSZ", + "ChecksumCRC64NVME": "" + } + } + ``` \ No newline at end of file
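Review bot: the `copy-object` example uses `--sse-kms-key-id`, which is not an AWS CLI option (`aws s3api copy-object` takes `--ssekms-key-id`, the same flag the `put-object` example above already uses); as written the command fails on argument parsing. Also, the heading "Enable SSE‑KMS for a specific copy operation" should match the gerund form of the neighbouring "Enabling SSE-KMS for an object upload", the `ChecksumCRC64NVME` hunk shows no visible difference between its `-` and `+` lines (likely a placeholder edit lost in rendering, worth double-checking), and the file still lacks a newline at end of file.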