Server-side encryption protects your data by encrypting it before it is stored on disk by Backblaze B2 Cloud Storage. Files that are encrypted using server-side encryption (SSE) may be accessed using the same API calls as other B2 files (using either our B2 Native API or the S3 Compatible API).
Enabling/Disabling SSE-B2 using the API
To enable or disable SSE-B2 at the bucket level, you can use the b2_update_bucket B2 API with some additional JSON parameters.
Enable SSE-B2
"defaultServerSideEncryption": {
"mode": "SSE-B2",
"algorithm": "AES256"
}
Here’s an example using curl:
curl \
-H 'Authorization: ACCOUNT_AUTHORIZATION_TOKEN' \
-d '{ "accountId": "ACCOUNT_ID", "bucketId": "BUCKET_ID",
"bucketType": "BUCKET_TYPE",
"defaultServerSideEncryption": {
"mode": "SSE-B2", "algorithm": "AES256" }}' \
https://apiNNN.backblazeb2.com/b2api/v2/b2_update_bucket
Note: You first need to get an authorization token by calling b2_authorize_account with an Application Key.
Disable SSE-B2
"defaultServerSideEncryption": {
"mode": null
}
Here’s an example using curl:
curl \
-H 'Authorization: ACCOUNT_AUTHORIZATION_TOKEN' \
-d '{ "accountId": "ACCOUNT_ID", "bucketId": "BUCKET_ID",
"bucketType": "BUCKET_TYPE",
"defaultServerSideEncryption": { "mode": null }}' \
https://apiNNN.backblazeb2.com/b2api/v2/b2_update_bucket
Note: You first need to get an authorization token by calling b2_authorize_account with an Application Key.
Uploading files with SSE-B2 enabled
Even without the setting turned on at the bucket level, you can enable it on individual file uploads by using the appropriate header information.
Upload using the AWS CLI with SSE-B2
aws s3 cp /path/to/myfile s3://mybucket/myfile --sse AES256 \
--endpoint-url <S3 endpoint>
Note: Here's a walkthrough of how to configure and use the AWS CLI with B2.
Upload using curl with SSE-B2
FILE_TO_UPLOAD=/path/to/myfile
FILE_NAME=myfile # name to give the file in the bucket
SHA1_OF_FILE=$(openssl dgst -sha1 "${FILE_TO_UPLOAD}" | awk '{print $NF}')
UPLOAD_URL=... # from b2_get_upload_url call
UPLOAD_AUTHORIZATION_TOKEN=... # from b2_get_upload_url call
curl \
-H "Authorization: ${UPLOAD_AUTHORIZATION_TOKEN}" \
-H "X-Bz-File-Name: ${FILE_NAME}" \
-H "X-Bz-Content-Sha1: ${SHA1_OF_FILE}" \
-H "X-Bz-Server-Side-Encryption: AES256" \
--data-binary "@${FILE_TO_UPLOAD}" \
"${UPLOAD_URL}"
Note: You must call b2_get_upload_url for the UPLOAD_URL and UPLOAD_AUTHORIZATION_TOKEN.
Uploading files with SSE-C enabled
You can learn more about SSE-C encryption keys by reading the Server-Side Encryption FAQ KB article.
Upload using the AWS CLI with SSE-C
aws s3 cp /path/to/myfile s3://mybucket/myfile --sse-c AES256 \
--sse-c-key <AES256 KEY> --endpoint-url <S3 endpoint>
Note: How to use the AWS CLI with B2.
Upload using curl with SSE-C
FILE_TO_UPLOAD=/path/to/myfile
FILE_NAME=myfile # name to give the file in the bucket
SHA1_OF_FILE=$(openssl dgst -sha1 "${FILE_TO_UPLOAD}" | awk '{print $NF}')
UPLOAD_URL=... # from b2_get_upload_url call
UPLOAD_AUTHORIZATION_TOKEN=... # from b2_get_upload_url call
# Shell variable names cannot contain hyphens, so underscores are used here.
SSE_C_KEY=... # base64-encoded AES-256 key
SSE_C_KEY_MD5=... # base64-encoded MD5 digest of the key
curl \
-H "Authorization: ${UPLOAD_AUTHORIZATION_TOKEN}" \
-H "X-Bz-File-Name: ${FILE_NAME}" \
-H "X-Bz-Content-Sha1: ${SHA1_OF_FILE}" \
-H "X-Bz-Server-Side-Encryption-Customer-Algorithm: AES256" \
-H "X-Bz-Server-Side-Encryption-Customer-Key: ${SSE_C_KEY}" \
-H "X-Bz-Server-Side-Encryption-Customer-Key-Md5: ${SSE_C_KEY_MD5}" \
--data-binary "@${FILE_TO_UPLOAD}" \
"${UPLOAD_URL}"
Note: You must call b2_get_upload_url for the UPLOAD_URL and UPLOAD_AUTHORIZATION_TOKEN.
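The SSE-C key and key-MD5 values used in the curl upload above (and in the customerKey / customerKeyMd5 JSON fields for server side copy), worked through as an added example that is not Backblaze's own code. It generates a random 256-bit key with openssl, computes the MD5 over the raw key bytes rather than over the base64 text, and checks both before use. The function names, and passing the headers to curl as a config on stdin so the key stays off the command line, are this example's choices.

```shell
#!/bin/sh
# Added example: prepare and sanity-check SSE-C key material for B2 uploads.
# Function names are illustrative; only openssl and POSIX tools are used.

# New random 256-bit key, base64-encoded (the Customer-Key / customerKey value).
sse_c_new_key() {
  openssl rand -base64 32
}

# Base64 MD5 of the *raw* key bytes (the Customer-Key-Md5 / customerKeyMd5 value).
# Hashing the base64 text instead of the decoded bytes is the usual mistake.
sse_c_key_md5() {
  printf '%s' "$1" | openssl base64 -d -A | openssl dgst -md5 -binary | openssl base64 -A
}

# Return 0 only if the key decodes to exactly 32 bytes and the digest matches it.
sse_c_check() {
  len=$(printf '%s' "$1" | openssl base64 -d -A | wc -c | tr -d ' ')
  [ "$len" -eq 32 ] || { echo "key decodes to $len bytes, need 32" >&2; return 1; }
  [ "$(sse_c_key_md5 "$1")" = "$2" ] || { echo "MD5 does not match key" >&2; return 1; }
}

# Emit the three SSE-C headers as a curl config, so the key is read from stdin
# (curl -K -) instead of appearing in the process argument list:
#   sse_c_curl_config "$KEY" | curl -K - -H "Authorization: ..." ... "$UPLOAD_URL"
sse_c_curl_config() {
  printf 'header = "X-Bz-Server-Side-Encryption-Customer-Algorithm: AES256"\n'
  printf 'header = "X-Bz-Server-Side-Encryption-Customer-Key: %s"\n' "$1"
  printf 'header = "X-Bz-Server-Side-Encryption-Customer-Key-Md5: %s"\n' "$(sse_c_key_md5 "$1")"
}

# Demo with a freshly generated (throwaway) key.
KEY=$(sse_c_new_key)
KEY_MD5=$(sse_c_key_md5 "$KEY")
sse_c_check "$KEY" "$KEY_MD5" && echo "key OK; MD5 header value: $KEY_MD5"
```

With SSE-C the same key must be supplied again to read or copy the file, so store it somewhere durable before uploading.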
Server side copy with SSE
There are a few options to specify when using the b2_copy_file API in order to copy files or parts between buckets.
Server side copy using the AWS CLI with SSE-C
aws s3 cp s3://mybucket/myfile s3://mybucket/copy-of-my-file \
--sse-c-copy-source --sse-c-copy-source-key <AES SRC KEY> \
--sse-c --sse-c-key <AES DST KEY> --endpoint-url=<S3 endpoint>
Note: Here's a walkthrough of how to configure and use the AWS CLI with B2.
Server side copy JSON parameters
"sourceServerSideEncryption": {
"mode": "SSE-C",
"algorithm": "AES256",
"customerKey": "<base64-encoded AES-256 encryption key>",
"customerKeyMd5": "<base64-encoded MD5 digest of the key>"
},
"destinationServerSideEncryption": {
"mode": "SSE-C",
"algorithm": "AES256",
"customerKey": "<base64-encoded AES-256 encryption key>",
"customerKeyMd5": "<base64-encoded MD5 digest of the key>"
}
Server side copy using curl with SSE-C
curl \
-H 'Authorization: ACCOUNT_AUTHORIZATION_TOKEN' \
-d '{ "sourceFileId":"myfile", "fileName":"myfile-copy",
"sourceServerSideEncryption": { "mode": "SSE-C",
"algorithm": "AES256",
"customerKey": "<base64-encoded AES-256 encryption key>",
"customerKeyMd5": "<base64-encoded MD5 digest of the key>" },
"destinationServerSideEncryption": { "mode": "SSE-C",
"algorithm": "AES256",
"customerKey": "<base64 AES-256 encryption key>",
"customerKeyMd5": "<base64 MD5 digest of the key>" }}' \
https://apiNNN.backblazeb2.com/b2api/v2/b2_copy_file