Encryption on Amazon S3
By default, objects uploaded to S3 do not get encrypted by Amazon servers before being stored on disk.
Add the s3_server_side_encryption option to enable server-side encryption by Amazon servers before your objects are committed to disk.
has_attached_file :file, s3_permissions: :private,
                         s3_server_side_encryption: :aes256
This adds the x-amz-server-side-encryption header upon upload by Paperclip, which triggers encryption by Amazon.
Note: Until Pull Request #1398 is merged and released, the above does not work, and the header must be manually added:
has_attached_file :file, s3_permissions: :private,
                         s3_headers: { "x-amz-server-side-encryption" => "AES256" }
Presumably, SSL is being used to encrypt data transferred between clients and servers.
However, if explicit client-side encryption is needed from your server to S3, an encryption pre-processor would be needed.
If explicit client-side encryption is needed from your client to your server, this must be handled outside the scope of Paperclip with a client-side encryption library.
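The encryption step such a pre-processor would perform for the server-to-S3 case, as an added example that is not Paperclip's own code: authenticated encryption with AES-256-GCM from Ruby's standard OpenSSL bindings. The `AttachmentCrypto` module, its method names and the blob layout are hypothetical, and it assumes a 32-byte key supplied by your own key management.

```ruby
require "openssl"

# Hypothetical helper (not part of Paperclip): encrypts attachment bytes
# on your server so that S3 only ever receives ciphertext.
module AttachmentCrypto
  CIPHER    = "aes-256-gcm"
  NONCE_LEN = 12 # 96-bit nonce, the standard size for GCM
  TAG_LEN   = 16 # 128-bit authentication tag

  class TamperedError < StandardError; end

  # Returns nonce || tag || ciphertext as one binary string.
  # `aad` binds the blob to a context (for instance the S3 object key),
  # so a blob copied to a different key fails to decrypt.
  def self.encrypt(plaintext, key, aad = "")
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    nonce = cipher.random_iv # fresh nonce per object; never reuse under one key
    cipher.auth_data = aad
    ciphertext = cipher.update(plaintext) + cipher.final
    nonce + cipher.auth_tag(TAG_LEN) + ciphertext
  end

  # Reverses encrypt. Raises TamperedError if the blob, key or aad
  # does not match what was used at encryption time.
  def self.decrypt(blob, key, aad = "")
    raise TamperedError, "blob too short" if blob.bytesize < NONCE_LEN + TAG_LEN

    nonce      = blob.byteslice(0, NONCE_LEN)
    tag        = blob.byteslice(NONCE_LEN, TAG_LEN)
    ciphertext = blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)

    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = nonce
    cipher.auth_tag = tag
    cipher.auth_data = aad
    cipher.update(ciphertext) + cipher.final # final verifies the tag
  rescue OpenSSL::Cipher::CipherError
    raise TamperedError, "authentication failed"
  end
end
```

Objects stored this way are unreadable to anyone without the key, so every download has to pass through the matching decrypt step on your server.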