Server Side Encryption

chrislusf edited this page Sep 16, 2025 · 3 revisions

Server-Side Encryption (SSE)

If you're using SeaweedFS with the S3 API, you can encrypt objects at rest without changing your apps. We support the same server-side encryption (SSE) options as Amazon S3, so you can pick the one that fits how you already manage keys.

Overview

Use this quick guide to choose the right option:

| Encryption Type | Key Management | Use Case |
|---|---|---|
| SSE-KMS | External KMS providers | Enterprise key management, audit trails |
| SSE-C | Customer-provided | Full customer control, regulatory compliance |
| SSE-S3 | SeaweedFS-managed | Simple server-managed encryption, bucket defaults |

Encryption Types

SSE-KMS (Server-Side Encryption with Key Management Service)

  • Pick this if: You already use a KMS and want strong audit trails
  • Keys live in: External providers (AWS KMS, Google Cloud KMS, OpenBao/Vault, Azure Key Vault [experimental])
  • Why teams like it: Centralized key management, detailed audit logs, per-bucket key assignment, optional Bucket Key optimization
  • Configuration: Requires KMS provider setup in the S3 config
  • Documentation: SSE-KMS Guide

SSE-C (Server-Side Encryption with Customer-Provided Keys)

  • Pick this if: You want to bring your own keys and keep full control
  • Keys live in: Your application (sent per request)
  • Why teams like it: No key storage on the server; maximum control for compliance-heavy environments
  • Configuration: Keys provided via HTTP headers
  • Documentation: SSE-C Guide

SSE-S3 (Server-Managed Keys)

  • Pick this if: You want simple, fully managed encryption with minimal setup
  • Keys live in: SeaweedFS (we handle the key management for you)
  • Why teams like it: Works with explicit x-amz-server-side-encryption: AES256 and bucket default encryption; supports multipart uploads and range requests
  • Configuration: Optional bucket-level default encryption via the standard S3 bucket encryption API

Quick Start

SSE-KMS (Enterprise)

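# Configure KMS in the S3 config file (see the KMS Providers Integration guide)
# Then upload with KMS encryption
# (aws s3 cp takes --sse / --sse-kms-key-id; --server-side-encryption and
#  --ssekms-key-id are the aws s3api put-object spellings)
aws s3 cp file.txt s3://mybucket/file.txt \
  --sse aws:kms \
  --sse-kms-key-id test-key-123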

SSE-C (Customer Keys)

# Generate customer key
openssl rand 32 > customer-key.bin

# Upload with customer-provided key
aws s3 cp file.txt s3://mybucket/file.txt \
  --sse-c AES256 \
  --sse-c-key fileb://customer-key.bin
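
What `--sse-c` and `--sse-c-key` put on the wire, as an added example that is not part of the SeaweedFS wiki or code: the three SSE-C request headers defined by the S3 API, built from the raw key file with a length check. The function names are hypothetical, and coreutils-style `md5sum`, `base64`, `head` and `wc` are assumed.

```shell
#!/bin/sh
# Added example, not SeaweedFS code. Function names are hypothetical.
# Assumes coreutils-style md5sum, base64, head and wc are on PATH.

# base64(MD5(file)). S3 wants the raw 16-byte digest encoded, not the hex text.
md5_b64() {
    hex=$(md5sum < "$1" | cut -c1-32) || return 1
    esc=''
    while [ -n "$hex" ]; do
        rest=${hex#??}
        byte=${hex%"$rest"}                     # leading two hex digits
        esc="$esc\\$(printf '%03o' "0x$byte")"  # same byte as an octal escape
        hex=$rest
    done
    printf "$esc" | base64                      # emit raw bytes, then encode
}

# Print the three SSE-C request headers for the raw key file $1.
# Rejects anything that is not exactly 32 bytes (AES-256), which catches
# hex- or base64-encoded key files and keys saved with a trailing newline.
ssec_headers() {
    [ -r "$1" ] || { echo "cannot read key file: $1" >&2; return 1; }
    len=$(( $(wc -c < "$1") ))
    if [ "$len" -ne 32 ]; then
        echo "SSE-C AES256 needs a 32-byte key, got $len bytes" >&2
        return 1
    fi
    printf 'x-amz-server-side-encryption-customer-algorithm: AES256\n'
    printf 'x-amz-server-side-encryption-customer-key: %s\n' "$(base64 < "$1")"
    printf 'x-amz-server-side-encryption-customer-key-MD5: %s\n' "$(md5_b64 "$1")"
}

# Constructed demo: throwaway random key in a mktemp file (mode 0600).
key=$(mktemp) && head -c 32 /dev/urandom > "$key" && ssec_headers "$key"
rm -f "$key"
```

The server keeps no copy of the key, so the same three headers have to accompany every later GET or HEAD of the object. Because the key itself travels in the request, send it only over TLS.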

SSE-S3 (Server-Managed)

# Explicit SSE-S3 on upload (or configure bucket default encryption)
# (aws s3 cp takes --sse; --server-side-encryption is the aws s3api spelling)
aws s3 cp file.txt s3://mybucket/file.txt \
  --sse AES256

Configuration

Basic Setup

Configure KMS providers and IAM settings in your S3 config file:

{
  "identities": [
    {
      "name": "admin",
      "credentials": [{"accessKey": "admin", "secretKey": "password"}],
      "actions": ["Admin", "Read", "Write"]
    }
  ],
  "kms": {
    "default_provider": "openbao",
    "providers": {
      "openbao": {
        "type": "openbao",
        "address": "http://localhost:8200",
        "token": "root-token",
        "transit_path": "transit"
      }
    }
  }
}

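Note: The S3 config JSON file contains both the KMS encryption settings and the IAM-style access control (user identities, credentials, permissions). Because it holds the access keys and the KMS provider token in plain text, keep it readable only by the account that runs weed s3. The values in the sample above (admin/password, root-token, a plain-HTTP localhost address) are placeholders for a local test setup.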

Start S3 API with Encryption Support

# Start with KMS config
weed s3 -config=s3_kms_config.json

Features

Supported Operations:

  • All standard S3 operations (PUT, GET, HEAD, COPY, DELETE)
  • Multipart uploads with consistent encryption
  • Cross-encryption copy operations
  • Object metadata preservation
  • Range requests for SSE-C, SSE-KMS, and SSE-S3

AWS S3 Compatibility:

  • Identical API behavior and headers
  • Compatible with all S3 clients and SDKs
  • Same error codes and responses

Implementation Notes

  • SSE-KMS: Supports AWS KMS, Google Cloud KMS, OpenBao/Vault; Azure Key Vault is available behind the azurekms build tag (experimental)
  • SSE-C: Full support with security best practices
  • SSE-S3: Supported with SeaweedFS-managed keys and bucket default encryption

For hands-on setup guides and examples, see the individual encryption method docs linked above.
