Encryption¶
Hafiz supports server-side encryption (SSE) to protect your data at rest.
Encryption Methods¶
| Method | Description | Key Management |
|---|---|---|
| SSE-S3 | Hafiz-managed keys | Automatic |
| SSE-C | Customer-provided keys | You manage |
Enable Encryption¶
Server-Side Encryption (Default)¶
# Enable globally
HAFIZ_ENCRYPTION_ENABLED=true
HAFIZ_ENCRYPTION_MASTER_KEY=$(openssl rand -base64 32)
Per-Object Encryption¶
Customer-Provided Keys (SSE-C)¶
# Generate a 32-byte key and keep it in a file: the CLI expects the raw key bytes
# (not base64 text), and the file keeps the key out of shell history and `ps` output
openssl rand 32 > sse-c.key
chmod 600 sse-c.key
# Upload with SSE-C. The CLI base64-encodes the key and computes the key-MD5 header
# itself (the MD5 is over the raw key bytes), so no manual digest step is needed
aws --endpoint-url http://localhost:9000 s3 cp file.txt s3://my-bucket/ \
  --sse-c AES256 \
  --sse-c-key fileb://sse-c.key
# Download (must provide the same key; a wrong or missing key is rejected, and the
# server keeps no copy of it)
aws --endpoint-url http://localhost:9000 s3 cp s3://my-bucket/file.txt . \
  --sse-c AES256 \
  --sse-c-key fileb://sse-c.key
Encryption Details¶
Algorithm¶
- AES-256-GCM - Authenticated encryption
- 256-bit keys
- Per-object unique nonce
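The following Go program is an added example, not Hafiz's own code, that models both halves of the SSE-C flow described above and the AES-256-GCM details in this section: the client builds the standard S3 SSE-C headers from a raw 32-byte key (with the key-MD5 taken over the raw bytes, which is the mistake to avoid), the server validates them, then seals each object under a fresh random nonce and refuses to open it with a wrong key. Binding the object name as GCM associated data and storing the nonce in front of the ciphertext are assumptions of this model, not documented Hafiz behaviour.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Standard S3 SSE-C request header names.
const (
	hdrAlgorithm = "x-amz-server-side-encryption-customer-algorithm"
	hdrKey       = "x-amz-server-side-encryption-customer-key"
	hdrKeyMD5    = "x-amz-server-side-encryption-customer-key-MD5"
)

// SSECHeaders builds the three SSE-C headers a client sends (the aws CLI does this
// for you). The MD5 is taken over the raw key bytes, never over the base64 text.
func SSECHeaders(rawKey []byte) (map[string]string, error) {
	if len(rawKey) != 32 {
		return nil, fmt.Errorf("SSE-C key must be 32 bytes, got %d", len(rawKey))
	}
	sum := md5.Sum(rawKey)
	return map[string]string{
		hdrAlgorithm: "AES256",
		hdrKey:       base64.StdEncoding.EncodeToString(rawKey),
		hdrKeyMD5:    base64.StdEncoding.EncodeToString(sum[:]),
	}, nil
}

// ParseSSECHeaders is the server-side check: decode the key, enforce exactly 32 bytes,
// and verify the MD5 so a mis-encoded or corrupted key is refused before any write.
func ParseSSECHeaders(h map[string]string) ([]byte, error) {
	if h[hdrAlgorithm] != "AES256" {
		return nil, errors.New("unsupported SSE-C algorithm")
	}
	key, err := base64.StdEncoding.DecodeString(h[hdrKey])
	if err != nil || len(key) != 32 {
		return nil, errors.New("SSE-C key must decode to exactly 32 bytes")
	}
	want, _ := base64.StdEncoding.DecodeString(h[hdrKeyMD5]) // bad base64 simply fails the compare
	got := md5.Sum(key)
	if !bytes.Equal(got[:], want) {
		return nil, errors.New("SSE-C key MD5 mismatch")
	}
	return key, nil
}

// SealObject encrypts one object with AES-256-GCM: a fresh random 96-bit nonce per
// object, stored in front of the ciphertext, and the object key bound as AAD (model
// assumption) so a sealed blob cannot be moved under another name and still open.
func SealObject(key []byte, objectKey string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectKey)), nil
}

// OpenObject reverses SealObject. A wrong key, a different object name, or any
// flipped byte fails the GCM tag check and returns an error rather than garbage.
func OpenObject(key []byte, objectKey string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed object too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectKey))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; use crypto/rand for real
	h, _ := SSECHeaders(key)
	serverKey, err := ParseSSECHeaders(h)
	if err != nil {
		panic(err)
	}
	sealed, _ := SealObject(serverKey, "file.txt", []byte("constructed sample object"))
	pt, err := OpenObject(serverKey, "file.txt", sealed)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	_, err = OpenObject(bytes.Repeat([]byte{0x43}, 32), "file.txt", sealed)
	fmt.Println("wrong key rejected:", err != nil)
}
```

Two things worth noticing when running it: passing the 44-character base64 string as if it were the raw key (the mistake of generating the key with `-base64` and handing that to `--sse-c-key`) produces a key that decodes to 44 bytes and is refused at the header check, and sealing the same plaintext twice yields different bytes because each object gets its own nonce.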
Key Derivation¶
Bucket Default Encryption¶
Set default encryption for all new objects:
aws --endpoint-url http://localhost:9000 s3api put-bucket-encryption \
--bucket my-bucket \
--server-side-encryption-configuration '{
"Rules": [{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}]
}'
Verify Encryption¶
# Check object encryption (SSE-S3 or bucket default)
aws --endpoint-url http://localhost:9000 s3api head-object \
  --bucket my-bucket \
  --key file.txt
# Output includes:
# "ServerSideEncryption": "AES256"
For an object stored with SSE-C, the request itself must carry the customer key (as on S3, the object's metadata is not readable without it), and the response reports the algorithm as `SSECustomerAlgorithm` rather than `ServerSideEncryption`.
TLS (Encryption in Transit)¶
Enable TLS for network encryption:
Best Practices¶
Recommendations
- Enable encryption globally - Don't rely on per-object encryption
- Secure master key - Store in secrets management (Vault, K8s Secrets)
- Use TLS - Always encrypt data in transit
- Rotate keys - Plan for key rotation
- Backup keys - Encrypted data is lost if keys are lost
Compliance¶
Hafiz encryption helps meet:
- HIPAA - Healthcare data protection
- PCI-DSS - Payment card security
- GDPR - European data privacy
- SOC 2 - Security controls