Parseable supports server side encryption for AWS S3 with customer provided encryption keys (SSE-C). With SSE-C, you can store your data encrypted with your own encryption keys. Amazon S3 or a compatible service like MinIO manages data encryption and decryption transparently.
Note that SSE-C requires HTTPS and Amazon S3 or compatible service might reject any requests made over HTTP when using SSE-C.
Setting up
The encryption key must be a 256-bit key for AES-256 encryption. To add SSE-C encryption key, add the environment variable P_S3_SSEC_ENCRYPTION_KEY before starting the server. The value should be in the format - SSE-C:AES256:<base64_encryption_key>. Here is example of adding the SSE-C encryption key to Parseable
Generate a 256-bit AES key and Base64 encode it
ENCRYPTION_KEY=$(openssl rand -base64 32)
echo "Encryption Key: $ENCRYPTION_KEY"
Add the Base64 encoded encryption key to the environment variable
P_S3_SSEC_ENCRYPTION_KEY=SSE-C:AES256:$ENCRYPTION_KEY
For distributed deployments, the environment variable P_S3_SSEC_ENCRYPTION_KEY needs to be set for Query as well as Ingestor nodes.
If you lose the encryption key, you’ll lose access to the log data. Hence, we recommend secure storage for the encryption key such as AWS Secrets Manager or similar.