Bucket Encryption
Zenko bucket encryption differs slightly from AWS SSE in that it is transparent to the application. A bucket is created with the special x-amz-scal-server-side-encryption header (value: AES256), which specifies that the bucket's objects are to be encrypted. Thereafter no object PUT or GET call in the application needs to change: the encrypt/decrypt behavior simply occurs (encrypt on PUT, decrypt on GET). By contrast, AWS SSE can be quite intrusive, as it requires special headers on every object-create call, including Object Put, Object Copy, Object Post, and Multipart Upload requests.
Zenko bucket encryption is similar to SSE-C in its integration with a key management service (KMS): the user provides the KMS, which generates an encryption key on PUT calls and returns the same key on GET calls. Zenko itself therefore does not store encryption keys.
Zenko also uses the standard 256-bit OpenSSL encryption libraries for payload encryption and decryption. These support Intel AES-NI CPU acceleration, making encrypted throughput nearly as fast as unencrypted throughput.
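As an added example (not code from the Zenko project or its documentation), the script below creates a bucket with the x-amz-scal-server-side-encryption: AES256 header described above. Since boto3 has no parameter for this vendor header, it is injected through a standard botocore before-call event hook; the endpoint, credentials and bucket name are placeholders.

```python
"""Create a Zenko bucket with transparent bucket encryption enabled.

The header is attached to the CreateBucket request only; the PutObject and
GetObject calls that follow are unchanged application code.
"""

ZENKO_SSE_HEADER = "x-amz-scal-server-side-encryption"
ZENKO_SSE_VALUE = "AES256"
CREATE_BUCKET_EVENT = "before-call.s3.CreateBucket"


def add_zenko_sse_header(params, **kwargs):
    """botocore before-call hook: add the Zenko encryption header in place.

    ``params`` is the request dict botocore is about to send; its ``headers``
    mapping is extended. The hook must return None: a non-None return value
    from a before-call handler is treated by botocore as the response and
    short-circuits the real request.
    """
    headers = params.setdefault("headers", {})
    headers[ZENKO_SSE_HEADER] = ZENKO_SSE_VALUE
    return None


def create_encrypted_bucket(s3_client, bucket_name):
    """Register the hook on this client only, create the bucket, then detach."""
    events = s3_client.meta.events
    events.register(CREATE_BUCKET_EVENT, add_zenko_sse_header)
    try:
        return s3_client.create_bucket(Bucket=bucket_name)
    finally:
        events.unregister(CREATE_BUCKET_EVENT, add_zenko_sse_header)


def main():
    import boto3  # imported here so the helpers above stay importable offline

    # Placeholder endpoint and credentials: replace with your Zenko deployment.
    s3 = boto3.client(
        "s3",
        endpoint_url="http://zenko.example:8000",
        aws_access_key_id="ACCESS_KEY_PLACEHOLDER",
        aws_secret_access_key="SECRET_KEY_PLACEHOLDER",
    )
    create_encrypted_bucket(s3, "encrypted-bucket")
    # Unchanged application calls: encrypted on PUT, decrypted on GET.
    s3.put_object(Bucket="encrypted-bucket", Key="doc.txt", Body=b"hello")
    body = s3.get_object(Bucket="encrypted-bucket", Key="doc.txt")["Body"].read()
    assert body == b"hello"


if __name__ == "__main__":
    main()
```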