Merged
21 changes: 21 additions & 0 deletions macros/object-storage/sse-kms-introduction.mdx
@@ -0,0 +1,21 @@
---
title: sse-kms-introduction
---

**S**erver-**S**ide **E**ncryption with **K**ey **M**anagement **S**ervice (SSE-KMS) is an encryption-at-rest option for Object Storage that uses a Key Management Service to handle encryption keys. It allows you to encrypt data when it is uploaded, and decrypt it when accessed, with your organization managing encryption keys (AES-256-GCM) through Scaleway's [Key Manager](/key-manager/concepts/).

When you use SSE-KMS, you set up a symmetric [key encryption key (KEK)](/key-manager/concepts/#key-encryption-key-kek) via Key Manager and associate that KEK with a bucket. This KEK encrypts and decrypts the [data encryption keys (DEKs)](/key-manager/concepts/#data-encryption-key-dek) that Object Storage uses to encrypt and decrypt the objects added to the bucket.

The KEK is generated, stored, and managed via Key Manager, whereas DEKs are generated and operated by Object Storage and encrypted by the KEK.

Both key types have associated security best practices:
- [Regularly rotate your KEK](/key-manager/how-to/rotate-kem-keys/)
- [Secure your DEKs](/key-manager/reference-content/security-recommendations/)

Scaleway SSE-KMS behaves similarly to Server-side Encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS).

<Message type="note">
Scaleway also supports:
- [Server-Side Encryption with Object Native Encryption (SSE-ONE)](/object-storage/how-to/enable-sse-one/)
- [Server-Side Encryption with Customer-provided keys (SSE-C)](/object-storage/api-cli/enable-sse-c/)
</Message>
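Review bot: the rotation link `/key-manager/how-to/rotate-kem-keys/` in the best-practices list looks like a typo in the slug; the other Key Manager how-to path used in this PR, `/key-manager/how-to/create-km-key/`, spells it `km`, so this probably should be `rotate-km-keys`, and a dead link on a security recommendation is worth verifying before merge. In the same list, "Secure your DEKs" reads oddly right after the text says DEKs are generated and operated by Object Storage and encrypted by the KEK, so the user has nothing to act on there; consider rewording it as a pointer to the general Key Manager security recommendations. Finally, the closing sentence stacks two parentheticals, "Server-side Encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS)"; something like "Amazon S3 server-side encryption with AWS KMS keys (SSE-KMS)" is easier to read and matches the SSE-S3 sentence in the SSE-ONE macro.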
4 changes: 3 additions & 1 deletion macros/object-storage/sse-one-introduction.mdx
@@ -9,5 +9,7 @@ By default, SSE-ONE is applied per-upload, meaning that you must specify the enc
Scaleway SSE-ONE behaves similarly to Server Side Encryption with Amazon S3 managed keys (SSE-S3).

<Message type="note">
Scaleway also supports SSE-C. Refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/) for more information.
Scaleway also supports:
- [Server-Side Encryption with Customer-provided keys (SSE-C)](/object-storage/api-cli/enable-sse-c/)
- [Server-Side Encryption with Key Management Service (SSE-KMS)](/object-storage/how-to/enable-sse-kms/)
</Message>
4 changes: 3 additions & 1 deletion pages/key-manager/faq.mdx
@@ -1,5 +1,5 @@
---
title: Key Manager
title: Key Manager FAQ
description: Explore Scaleway Key Manager with our comprehensive FAQ covering security, key types, and more.
dates:
validation: 2025-12-19
@@ -18,6 +18,8 @@ Key Manager helps organizations achieve secure key management by handling low-le

Scaleway Key Manager allows you to create, manage, and use cryptographic keys in a centralized and secure service. All your cryptographic operations can be delegated to Key Manager, which in turn ensures the security and availability of your keys.

Key Manager is [integrated with Object Storage](/object-storage/how-to/enable-sse-kms/) to store and manage bucket encryption keys.

## Offering and availability

### Which cryptographic operations does Key Manager support?
82 changes: 82 additions & 0 deletions pages/object-storage/api-cli/enable-sse-kms.mdx
@@ -0,0 +1,82 @@
---
title: Enabling server-side encryption with Key Management Service (SSE-KMS) using the AWS CLI
description: Enable server-side encryption with Key Management Service (SSE-KMS) for Scaleway Object Storage.
tags: object storage server side encryption sse kms cli scaleway own keys
dates:
validation: 2026-06-04
posted: 2026-06-04
---
import Requirements from '@macros/iam/requirements.mdx'
import SseKmsIntroduction from '@macros/object-storage/sse-kms-introduction.mdx'

This page explains how to use SSE-KMS with the AWS CLI. To use it with the Scaleway console, refer to the [dedicated documentation](/object-storage/how-to/enable-sse-kms/).

<SseKmsIntroduction />

When it comes to setting up your key architecture, the recommended practice is to always set default bucket encryption by enabling a Bucket Key via [PutBucketEncryption](/object-storage/api-cli/bucket-operations/#putbucketencryption). When this is active and you have configured SSE‑KMS, Object Storage automatically creates a Bucket Key that is encrypted with your KMS key (the KEK). The Bucket Key, in turn, encrypts the per‑object data encryption keys (DEKs) that protect the actual object data.

In cases when you have some objects that are stored without SSE‑KMS, you can:
- Re‑upload an object and [enable SSE‑KMS for that specific object upload](#enabling-sse-kms-for-an-object-upload)
- Copy an object using the same bucket as the source and the destination and [enable SSE‑KMS for that specific copy operation](#enable-ssekms-for-a-specific-copy-operation)

<Requirements />

- A Scaleway account logged into the [console](https://console.scaleway.com)
- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/)
- Installed and initialized the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/)

## Enabling SSE-KMS for an object upload

In a terminal, run the following command. Remember to replace placeholders with actual values.

```bash
aws s3api put-object \
--bucket <your-bucket-name> \
--key <your-object-key> \
--server-side-encryption aws:kms \
--bucket-key-enabled
--ssekms-key-id <your-kms-key-id> \
--body <path-to-file-to-upload>
```
An output similar to the following displays:

```json
{
"ETag": "\"<object-metadata>\"",
"ChecksumCRC64NVME": "<checksum-value>",
"ChecksumType": "FULL_OBJECT",
"ServerSideEncryption": "aws:kms",
"SSEKMSKeyId": "<your-kms-key-id>",
"BucketKeyEnabled": true
}
```

## Enable SSE‑KMS for a specific copy operation

In a terminal, run the following command. Remember to replace placeholders with actual values.

```bash
aws s3api copy-object \
--copy-source <your-bucket-name>/<your-object-filename> \
--key <your-object-key> \
--bucket <your-bucket-name> \
--server-side-encryption aws:kms \
--bucket-key-enabled \
--sse-kms-key-id <your-kms-key-id>
```

An output similar to the following displays:

```json
{
"ServerSideEncryption": "aws:kms",
"SSEKMSKeyId": "<your-kms-key-id>",
"BucketKeyEnabled": true,
"CopyObjectResult": {
"ETag": "\"<object-metadata>\"",
"LastModified": "yyyy-MM-ddTHH:mm:ss.SSSZ",
"ChecksumCRC64NVME": "<checksum-value>"
}
}
```
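Review bot: the `put-object` example is missing the line continuation after `--bucket-key-enabled`, so as written the shell ends the command there and then tries to run `--ssekms-key-id <your-kms-key-id> --body <path-to-file-to-upload>` as a separate command; add the trailing `\`. The two examples also disagree on the option name: `put-object` uses `--ssekms-key-id` while `copy-object` uses `--sse-kms-key-id`; the AWS CLI spells it `--ssekms-key-id` for both operations, so the copy example will fail with an unknown-argument error. The in-page anchor `#enable-ssekms-for-a-specific-copy-operation` depends on how the heading is slugified, and that heading (like several body sentences in this file) uses a non-breaking hyphen (U+2011) in "SSE‑KMS"; use a plain hyphen throughout and align the heading with the first one ("Enabling SSE-KMS for ..."). Lastly, the paragraph recommends always setting default bucket encryption via PutBucketEncryption, but the page never shows that call; a short `aws s3api put-bucket-encryption` example would make the recommended setup actionable.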
4 changes: 2 additions & 2 deletions pages/object-storage/how-to/create-a-bucket.mdx
@@ -3,7 +3,7 @@ title: How to create a bucket
description: Create a new bucket in Scaleway Object Storage.
tags: object storage bucket object-storage
dates:
validation: 2025-07-01
validation: 2026-06-02
posted: 2021-05-27
---
import Requirements from '@macros/iam/requirements.mdx'
@@ -28,7 +28,7 @@ To get started with Object Storage, you must first create a bucket. Objects are
A private file stored in a public bucket is not publicly accessible.
You can change the bucket visibility at any time from the **Bucket settings** tab.
</Message>
6. Optionally, tick **SSE-ONE encryption with Scaleway Object Native Encryption keys** to encrypt your objects with keys managed by Scaleway.
6. Optionally, tick **Enable bucket encryption** and select an encryption type ([SSE-ONE](/object-storage/how-to/enable-sse-one/) or [SSE-KMS](/object-storage/how-to/enable-sse-kms/)) to encrypt your objects with keys managed by Scaleway (in the case of SSE-ONE) or by your organization via Scaleway's [Key Manager](/key-manager/concepts/) (in the case of SSE-KMS).
7. Optionally, configure [bucket versioning](/object-storage/how-to/use-bucket-versioning/):
- Tick **Enable bucket versioning** to store multiple versions of your objects (this may lead to higher storage costs).
- Tick **Enable object lock** to prevent objects from being deleted or overwritten for a defined retention period. Object lock requires versioning to be enabled.
95 changes: 95 additions & 0 deletions pages/object-storage/how-to/enable-sse-kms.mdx
@@ -0,0 +1,95 @@
---
title: Enabling server-side encryption with Key Management Service (SSE-KMS) using the Scaleway console
description: Enable server-side encryption with Key Management Service (SSE-KMS) for Object Storage using the Scaleway console.
tags: object storage server side encryption kms cli scaleway own keys
dates:
validation: 2026-06-03
posted: 2026-06-04
---
import Requirements from '@macros/iam/requirements.mdx'
import SseKmsIntroduction from '@macros/object-storage/sse-kms-introduction.mdx'

This page explains how to use SSE-KMS with the Scaleway Console. To use it with the AWS CLI, refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-kms/).

<SseKmsIntroduction />

<Requirements />

- A Scaleway account logged into the [console](https://console.scaleway.com)
- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) (optional)


## How to enable SSE-KMS during bucket creation

When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bucket/), follow these steps to enable SSE-KMS:

1. Tick the **Enable bucket encryption** box and select the **SSE-KMS** encryption type.

2. Select a KMS key.

The KMS key that you select here is the key encryption key (KEK) mentioned above.

You have the following options:

- **Select an existing key**: Use the drop-down to select a key that you [set up earlier via Key Manager](/key-manager/how-to/create-km-key/).
- **Create a new KMS key**: Provide a name for your new key. When you click **Create bucket**, a new key is created and available for managing via Key Manager.

<Message type="note">
If you choose to create a new KMS key, it is automatically created with the “Protected” status. The key cannot be deleted via the console or the API, preventing accidental removal. The only way to disable key protection is through [Key Manager](/key-manager/).
</Message>

Following bucket creation, objects pushed to this bucket will be automatically encrypted at rest with your keys generated via Key Manager.

<Message type="tip">
As a best practice, we recommend using a dedicated KMS key for each bucket, rather than sharing a single key across multiple buckets.
</Message>

## How to enable SSE-KMS on an existing bucket

1. Click **Object Storage** in the **Storage** section of the side menu. The list of your buckets displays.

2. Click the name of the desired bucket. The **Overview** tab displays.

3. Select the **Settings** tab.

4. Under **Bucket encryption**, click **Edit encryption mode**. A pop-up displays.

5. Tick the **Enable bucket encryption** box, then select **SSE-KMS**.

6. Select a KMS key. You have the following options:

- **Select an existing key**: Use the drop-down to select a key that you [set up via Key Manager](/key-manager/how-to/create-km-key/) earlier.
- **Create a new KMS key**: Provide a name for your new key. When you click **Confirm**, a new key is created and available for managing via Key Manager.

The KMS key that you select here is the key encryption key (KEK) mentioned above.

7. Click **Confirm**.

New objects uploaded to this bucket will be automatically encrypted at rest with your keys generated via Key Manager.

<Message type="important">
Objects uploaded to this bucket before enabling SSE-KMS will not be encrypted.
</Message>

## How to disable SSE-KMS on an existing bucket

1. Click **Object Storage** in the **Storage** section of the side menu. The list of your buckets displays.

2. Click the name of the desired bucket. The **Overview** tab displays.

3. Select the **Settings** tab.

4. Under **Bucket encryption**, click **Edit encryption mode**. A pop-up displays.

5. Uncheck the **Enable bucket encryption** box.

6. Click **Confirm**. The **Disable encryption for my bucket** pop-up displays.

7. Type **DISABLE**, then click **Confirm**.

<Message type="important">
Once the change is applied, the encryption key (the KEK) will disappear from the bucket view, but objects encrypted with the previous SSE‑KMS configuration still depend on it. The key will remain available in Key Manager, but remember to not remove it. Deleting the key will make all previously encrypted objects inaccessible permanently.
</Message>

New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-KMS was enabled will remain encrypted.
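Review bot: the front matter of this console page carries `cli` in its tags (`tags: object storage server side encryption kms cli scaleway own keys`), apparently copied from the CLI page; drop it so search does not route CLI users here. The dates are also inverted, `validation: 2026-06-03` precedes `posted: 2026-06-04`, and the CLI page uses `2026-06-04` for both. In the final important message, "remember to not remove it" and "inaccessible permanently" should read "do not delete it" and "permanently inaccessible"; since the earlier note explains that console-created keys are created with the Protected status precisely to prevent deletion, it is worth restating here that protection should stay on for as long as objects encrypted under that KEK exist. Minor: the note about the Protected status uses curly quotes (“Protected”) where the rest of the docs use straight ones.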
15 changes: 11 additions & 4 deletions pages/object-storage/how-to/enable-sse-one.mdx
@@ -3,7 +3,7 @@ title: Enabling server-side encryption with object native encryption (SSE-ONE) u
description: Enable server-side encryption with object native encryption (SSE-ONE) for Object Storage using the Scaleway console.
tags: object storage server side encryption sse one cli scaleway managed keys
dates:
validation: 2026-02-24
validation: 2026-06-02
posted: 2026-02-24
---
import Requirements from '@macros/iam/requirements.mdx'
@@ -21,7 +21,7 @@ This page explains how to use SSE-ONE with the Scaleway Console. To use it with

## How to enable SSE-ONE during bucket creation

When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bucket/), you can enable SSE-ONE using the toggle under **Bucket encryption**.
When you [create a new Object Storage bucket](/object-storage/how-to/create-a-bucket/), you can enable SSE-ONE by ticking the **Enable bucket encryption** box and selecting the **SSE-ONE** encryption type.

Objects pushed to this bucket will be automatically encrypted at rest with keys managed by Scaleway.

@@ -35,7 +35,9 @@ Objects pushed to this bucket will be automatically encrypted at rest with keys

4. Click **Edit encryption mode**, under **Bucket encryption**. A pop-up displays.

5. Click the toggle to enable SSE-ONE, then click **Edit** to confirm.
5. Tick the **Enable bucket encryption** box, then select **SSE-ONE**.

6. Click **Confirm**.

New objects uploaded to this bucket will be automatically encrypted at rest with keys managed by Scaleway.

@@ -53,6 +55,11 @@ Objects uploaded to this bucket before enabling SSE-ONE will not be encrypted.

4. Click **Edit encryption mode**, under **Bucket encryption**. A pop-up displays.

5. Click the toggle to disable SSE-ONE, then click **Edit** to confirm.
5. Uncheck the **Enable bucket encryption** box.

6. Click **Confirm**. The **Disable encryption for my bucket** pop-up displays.

7. Type **DISABLE**, then click **Confirm**.


New objects uploaded to this bucket will not be encrypted. However, objects uploaded while SSE-ONE was enabled will remain encrypted.
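Review bot: two consecutive blank lines are left between the new step 7 ("Type **DISABLE**, then click **Confirm**.") and the closing sentence; drop one so the spacing matches the enable section above, where a single blank line separates the last step from its follow-up sentence.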
8 changes: 8 additions & 0 deletions pages/object-storage/menu.ts
@@ -62,6 +62,10 @@ export const objectStorageMenu = {
label: 'Enable SSE-ONE',
slug: 'enable-sse-one',
},
{
label: 'Enable SSE-KMS',
slug: 'enable-sse-kms',
},
{
label: 'Use object lock',
slug: 'use-object-lock',
@@ -153,6 +157,10 @@ export const objectStorageMenu = {
label: 'Enabling SSE-ONE',
slug: 'enable-sse-one',
},
{
label: 'Enabling SSE-KMS',
slug: 'enable-sse-kms',
},
{
label: 'Setting CORS rules',
slug: 'setting-cors-rules',