SSE-C Support for S3

Parseable supports server side encryption for AWS S3 with customer provided encryption keys (SSE-C). By using the SSE-C, you can store your data encrypted with your own encryption keys. Amazon S3 manages data encryption and decryption transparently, as Parseable stores the log data in S3. Note that SSE-C requires HTTPS and Amazon S3 or compatible service might reject any requests made over HTTP when using SSE-C.

Setting up

The encryption key must be a 256-bit key for AES-256 encryption. To add SSE-C encryption key, add the environment variable P_S3_SSEC_ENCRYPTION_KEY before starting the server. The value should be in the format - SSE-C:AES256:<base64_encryption_key>. Here is example of adding the SSE-C encryption key to Parseable

Generate a 256-bit (32-byte) AES key and base64 encode it

ENCRYPTION_KEY=$(openssl rand -base64 32)
echo "Encryption Key: $ENCRYPTION_KEY"

Add the Base64 encoded encryption key to the environment variable

P_S3_SSEC_ENCRYPTION_KEY=SSE-C:AES256:$ENCRYPTION_KEY

Considerations

For distributed deployments, the environment variable P_S3_SSEC_ENCRYPTION_KEY need to be set for Query as well as Ingestor nodes.

If you lose the encryption key, any GET request for an object without its encryption key fails, and you lose the object. Hence, it is recommended to use secure storage for the encryption key such as AWS Secrets Manager.