SSE Command Line and API Examples

Jared Scott

Server-side encryption protects your data by encrypting it before it is stored on disk by Backblaze B2 Cloud Storage. Files that are encrypted using server-side encryption (SSE) may be accessed using the same API calls as other B2 files (using either our B2 Native API or the S3 Compatible API).

 

Enabling/Disabling SSE-B2 using the API

To enable or disable SSE-B2 at the bucket level, you can use the b2_update_bucket B2 API with some additional JSON parameters.

 

Enable SSE-B2

"defaultServerSideEncryption": { 
   "mode": "SSE-B2",
   "algorithm": "AES256"
}

 

Here’s an example using curl

curl \
   -H 'Authorization: ACCOUNT_AUTHORIZATION_TOKEN' \
   -d '{ "accountId": "ACCOUNT_ID", "bucketId": "BUCKET_ID",
         "bucketType": "BUCKET_TYPE",
         "defaultServerSideEncryption": {
           "mode": "SSE-B2", "algorithm": "AES256" }}' \
   https://apiNNN.backblazeb2.com/b2api/v2/b2_update_bucket

Note: You first need to get an authorization token by calling b2_authorize_account with an Application Key.

 

Disable SSE-B2

"defaultServerSideEncryption": {
 "mode": null
}

 

Here’s an example using curl

curl \
   -H 'Authorization: ACCOUNT_AUTHORIZATION_TOKEN' \
   -d '{ "accountId": "ACCOUNT_ID", "bucketId": "BUCKET_ID",
         "bucketType": "BUCKET_TYPE",
         "defaultServerSideEncryption": { "mode": null }}' \
   https://apiNNN.backblazeb2.com/b2api/v2/b2_update_bucket


Note: You first need to get an authorization token by calling b2_authorize_account with an Application Key.

 

Uploading files with SSE-B2 enabled

Even without the setting turned on at the bucket level, you can enable it on individual file uploads by using the appropriate header information.

 

Upload using the AWS CLI with SSE-B2

aws s3 cp /path/to/myfile s3://mybucket/myfile --sse AES256 \
--endpoint-url <S3 endpoint>

Note: Here's a walkthrough of how to configure and use the AWS CLI with B2.

 

Upload using curl with SSE-B2

FILE_TO_UPLOAD=/path/to/myfile # local file to send
FILE_NAME=myfile               # name to store the file under in the bucket
SHA1_OF_FILE=$(openssl dgst -sha1 "${FILE_TO_UPLOAD}" | awk '{print $2;}')
UPLOAD_URL=...                 # from b2_get_upload_url call
UPLOAD_AUTHORIZATION_TOKEN=... # from b2_get_upload_url call

# The X-Bz-Server-Side-Encryption header requests SSE-B2 for this one file
curl \
   -H "Authorization: ${UPLOAD_AUTHORIZATION_TOKEN}" \
   -H "X-Bz-File-Name: ${FILE_NAME}" \
   -H "X-Bz-Content-Sha1: ${SHA1_OF_FILE}" \
   -H "X-Bz-Server-Side-Encryption: AES256" \
   --data-binary "@${FILE_TO_UPLOAD}" \
   "${UPLOAD_URL}"

Note: You must call b2_get_upload_url for the UPLOAD_URL and UPLOAD_AUTHORIZATION_TOKEN. 

 

Uploading files with SSE-C enabled

You can learn more about SSE-C encryption keys by reading the Server-Side Encryption FAQ KB article.

 

Upload using the AWS CLI with SSE-C

aws s3 cp /path/to/myfile s3://mybucket/myfile --sse-c AES256 \
--sse-c-key <AES256 KEY> --endpoint-url <S3 endpoint>

Note: How to use the AWS CLI with B2.

 

Upload using curl with SSE-C

FILE_TO_UPLOAD=/path/to/myfile # local file to send
FILE_NAME=myfile               # name to store the file under in the bucket
SHA1_OF_FILE=$(openssl dgst -sha1 "${FILE_TO_UPLOAD}" | awk '{print $2;}')
UPLOAD_URL=...                 # from b2_get_upload_url call
UPLOAD_AUTHORIZATION_TOKEN=... # from b2_get_upload_url call
# Shell variable names cannot contain hyphens, so underscores are used here
SSE_C_KEY=...                  # Base64-encoded AES256 key
SSE_C_KEY_MD5=...              # Base64-encoded MD5 digest of the AES256 key

curl \
   -H "Authorization: ${UPLOAD_AUTHORIZATION_TOKEN}" \
   -H "X-Bz-File-Name: ${FILE_NAME}" \
   -H "X-Bz-Content-Sha1: ${SHA1_OF_FILE}" \
   -H "X-Bz-Server-Side-Encryption-Customer-Algorithm: AES256" \
   -H "X-Bz-Server-Side-Encryption-Customer-Key: ${SSE_C_KEY}" \
   -H "X-Bz-Server-Side-Encryption-Customer-Key-Md5: ${SSE_C_KEY_MD5}" \
   --data-binary "@${FILE_TO_UPLOAD}" \
   "${UPLOAD_URL}"

Note: You must call b2_get_upload_url for the UPLOAD_URL and UPLOAD_AUTHORIZATION_TOKEN.
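
The SSE-C upload and copy examples on this page need a base64-encoded AES-256 key and the base64-encoded MD5 digest of that key, but do not show how to produce them. The following is an added example, not Backblaze's own code: the function and variable names are hypothetical, it assumes openssl is installed, and it assumes the digest is computed over the raw 32 key bytes rather than over the base64 text.

```shell
#!/bin/sh
# Added example: derive the two SSE-C values used in the headers and JSON
# parameters (customer key and customer key MD5). Names are hypothetical.

# Print a fresh random 256-bit key, base64-encoded (44 characters).
sse_c_new_key() {
    openssl rand -base64 32
}

# Print how many raw bytes a base64 string decodes to (0 if it is not base64).
sse_c_decoded_len() {
    printf '%s\n' "$1" | openssl base64 -d -A 2>/dev/null | wc -c | tr -d ' '
}

# Print the base64-encoded MD5 digest of the decoded key.
# Assumption: the digest covers the raw key bytes, not the base64 string.
# Returns non-zero when the key does not decode to exactly 32 bytes, which
# catches truncated or hex-encoded keys before they reach the API.
sse_c_key_md5() {
    if [ "$(sse_c_decoded_len "$1")" != "32" ]; then
        echo "SSE-C key must decode to exactly 32 bytes" >&2
        return 1
    fi
    printf '%s\n' "$1" | openssl base64 -d -A \
        | openssl dgst -md5 -binary | openssl base64 -A
}

# Constructed usage: generate a key and the matching digest.
SSE_C_KEY=$(sse_c_new_key)
SSE_C_KEY_MD5=$(sse_c_key_md5 "$SSE_C_KEY")

# Report only non-secret values; the key itself is never echoed.
echo "key length (bytes): $(sse_c_decoded_len "$SSE_C_KEY")"
echo "key MD5 (base64):   ${SSE_C_KEY_MD5}"
```

Keep the key and its digest together in a secrets store: the same pair is required again as the source key when the file is later read or used in a server-side copy.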

 

Server side copy with SSE

There are a few options to specify when using the b2_copy_file API in order to copy files or parts between buckets.

Server side copy using the AWS CLI with SSE-C

aws s3 cp s3://mybucket/myfile s3://mybucket/copy-of-my-file \
--sse-c-copy-source --sse-c-copy-source-key <AES SRC KEY> \
--sse-c --sse-c-key <AES DST KEY> --endpoint-url=<S3 endpoint>

Note: Here's a walkthrough of how to configure and use the AWS CLI with B2.

 

Server side copy JSON parameters

"sourceServerSideEncryption": {
 "mode": "SSE-C",
 "algorithm": "AES256",
 "customerKey": "<base64-encoded AES-256 encryption key>",
 "customerKeyMd5": "<base64-encoded MD5 digest of the key>"
},
"destinationServerSideEncryption": {
 "mode": "SSE-C",
 "algorithm": "AES256",
 "customerKey": "<base64-encoded AES-256 encryption key>",
 "customerKeyMd5": "<base64-encoded MD5 digest of the key>"
}

 

Server side copy using curl with SSE-C

curl \
   -H 'Authorization: ACCOUNT_AUTHORIZATION_TOKEN' \
   -d '{ "sourceFileId":"myfile", "fileName":"myfile-copy",
         "sourceServerSideEncryption": { "mode": "SSE-C",
           "algorithm": "AES256",
           "customerKey": "<base64-encoded AES-256 encryption key>",
           "customerKeyMd5": "<base64-encoded MD5 digest of the key>" },
         "destinationServerSideEncryption": { "mode": "SSE-C",
           "algorithm": "AES256",
           "customerKey": "<base64 AES-256 encryption key>",
           "customerKeyMd5": "<base64 MD5 digest of the key>" }}' \
   https://apiNNN.backblazeb2.com/b2api/v2/b2_copy_file