From 188a8b74a3b8b4ee7eb63a23de14aae6a7360a4e Mon Sep 17 00:00:00 2001 From: Florent Viel Date: Fri, 17 Oct 2025 15:27:39 +0200 Subject: [PATCH 1/7] feat(tutorial): add tutorial to store sse-c key into secret manager --- .../index.mdx | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 tutorials/object-storage-sse-c-with-secret-manager/index.mdx diff --git a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx new file mode 100644 index 0000000000..f6a3da80f4 --- /dev/null +++ b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx 
@@ -0,0 +1,79 @@ +--- +meta: + title: Using Secret Manager to store encryption key for SSE-C + description: Learn how to use Secret Manager to store encryption key for Object Storage and SSE-C. +content: + h1: Using Secret Manager to store encryption key for SSE-C + paragraph: Learn how to use Secret Manager to store encryption key for Object Storage and SSE-C. +tags: object-storage secret-manager encryption +categories: + - object-storage + - secret-manager + - key-manager +dates: + validation: 2025-10-15 + posted: 2025-10-15 +--- +import Requirements from '@macros/iam/requirements.mdx' + +In this tutorial you'll learn how to use the Secret manager to store the encryption key used with [SSE-C](/object-storage/api-cli/enable-sse-c/). + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization +- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) +- Installed and initialized the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/) + +The goal here, is to use the Key Manager to generate the encryption key, store the encryption key in the Secret Manager, then use it for Object Storage SSE-C. + +### Generating the encryption key + +With the following commands, you will create a key in the Key Manager, generate the encryption key and then store it in the Secret Manager. 
+ +```bash +KEY_ID=$(scw keymanager key create -o template="{{.ID}}") +DATA_KEY=$(scw keymanager key generate-data-key "$KEY_ID" -o json | jq -r .plaintext | base64 -d) +SECRET_ID=$(scw secret secret create name=ssec-key path=/keys -o template="{{.ID}}") +scw secret version create "$SECRET_ID" data="$DATA_KEY" +``` + +### Encryption key and digest preparation + +First you access the secret version to get the encryption key, then you need to encode it to base64 and calculate the digest of the key, also encoded in base64. + +```bash +scw secret version access "$SECRET_ID" revision=latest raw=true > ssec.key +ENCRYPTION_KEY=$(cat ssec.key | base64) +KEY_DIGEST=$(openssl dgst -md5 -binary ssec.key | base64) +``` + + +If you delete the secret containing the encryption key, you also lose the data encrypted with it, as you will not be able to perform `GET` operations on encrypted objects without the corresponding key. + + +### Upload and download object with SSE-C + +Run the command below to upload an object and encrypt it. Make sure to replace ``, ``, and `` with the correct values. + +```bash +aws s3api put-object \ + --bucket \ + --key \ + --body \ + --sse-customer-algorithm AES256 \ + --sse-customer-key $ENCRYPTION_KEY \ + --sse-customer-key-md5 $KEY_DIGEST +``` + +Run the command below to download the previously uploaded object and decrypt it. Make sure to replace ``, ``, and `` with the correct values. + +```bash +aws s3api get-object \ + --bucket \ + --key \ + \ + --sse-customer-algorithm AES256 \ + --sse-customer-key $ENCRYPTION_KEY \ + --sse-customer-key-md5 $KEY_DIGEST +``` From f424f9a9d81aca89057ca40e2ff609f21ab8ae9f Mon Sep 17 00:00:00 2001 From: Florent Viel Date: Fri, 17 Oct 2025 15:49:58 +0200 Subject: [PATCH 2/7] fix(tutorial): change command in sse-c tutorial --- tutorials/object-storage-sse-c-with-secret-manager/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx index f6a3da80f4..98029df27b 100644 --- a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx +++ b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx @@ -33,9 +33,9 @@ With the following commands, you will create a key in the Key Manager, generate ```bash KEY_ID=$(scw keymanager key create -o template="{{.ID}}") -DATA_KEY=$(scw keymanager key generate-data-key "$KEY_ID" -o json | jq -r .plaintext | base64 -d) +scw keymanager key generate-data-key "$KEY_ID" -o json | jq -r .plaintext | base64 -d > ssec.key SECRET_ID=$(scw secret secret create name=ssec-key path=/keys -o template="{{.ID}}") -scw secret version create "$SECRET_ID" data="$DATA_KEY" +scw secret version create "$SECRET_ID" data="@ssec.key" ``` ### Encryption key and digest preparation From e7a10d025a395e5729491ad23613911b364a75cb Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Thu, 23 Oct 2025 14:34:41 +0200 Subject: [PATCH 3/7] fix(tutorial): doc review 1 --- .../index.mdx | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx index 98029df27b..3a65b391d9 100644 --- a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx +++ b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx @@ -16,7 +16,7 @@ dates: --- import Requirements from '@macros/iam/requirements.mdx' -In this tutorial you'll learn how to use the Secret manager to store the encryption key used with [SSE-C](/object-storage/api-cli/enable-sse-c/). +In this tutorial you will learn how to use the Secret manager to store the encryption key used with [SSE-C](/object-storage/api-cli/enable-sse-c/). 
@@ -25,11 +25,11 @@ In this tutorial you'll learn how to use the Secret manager to store the encrypt - An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) - Installed and initialized the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/) -The goal here, is to use the Key Manager to generate the encryption key, store the encryption key in the Secret Manager, then use it for Object Storage SSE-C. +The goal here is to use Key Manager to generate the encryption key, store the encryption key in Secret Manager, then use it to encrypt Object Storage objects SSE-C. ### Generating the encryption key -With the following commands, you will create a key in the Key Manager, generate the encryption key and then store it in the Secret Manager. +Run the following commands to create a key in Key Manager, generate the encryption key, then store it in Secret Manager. ```bash KEY_ID=$(scw keymanager key create -o template="{{.ID}}") @@ -40,7 +40,7 @@ scw secret version create "$SECRET_ID" data="@ssec.key" ### Encryption key and digest preparation -First you access the secret version to get the encryption key, then you need to encode it to base64 and calculate the digest of the key, also encoded in base64. +Run the following command to access the secret version to get the encryption key, encode it to base64, calculate the digest of the key (also encoded in base64), and store the outputs in environment variables. ```bash scw secret version access "$SECRET_ID" revision=latest raw=true > ssec.key 
@@ -54,26 +54,26 @@ If you delete the secret containing the encryption key, you also lose the data e ### Upload and download object with SSE-C -Run the command below to upload an object and encrypt it. Make sure to replace ``, ``, and `` with the correct values. - -```bash -aws s3api put-object \ - --bucket \ - --key \ - --body \ - --sse-customer-algorithm AES256 \ - --sse-customer-key $ENCRYPTION_KEY \ - --sse-customer-key-md5 $KEY_DIGEST -``` - -Run the command below to download the previously uploaded object and decrypt it. Make sure to replace ``, ``, and `` with the correct values. - -```bash -aws s3api get-object \ - --bucket \ - --key \ - \ - --sse-customer-algorithm AES256 \ - --sse-customer-key $ENCRYPTION_KEY \ - --sse-customer-key-md5 $KEY_DIGEST -``` +1. Run the command below to upload an object and encrypt it. Make sure to replace ``, ``, and `` with the correct values. + + ```bash + aws s3api put-object \ + --bucket \ + --key \ + --body \ + --sse-customer-algorithm AES256 \ + --sse-customer-key $ENCRYPTION_KEY \ + --sse-customer-key-md5 $KEY_DIGEST + ``` + +2. Run the command below to download the previously uploaded object and decrypt it. Make sure to replace ``, ``, and `` with the correct values. + + ```bash + aws s3api get-object \ + --bucket \ + --key \ + \ + --sse-customer-algorithm AES256 \ + --sse-customer-key $ENCRYPTION_KEY \ + --sse-customer-key-md5 $KEY_DIGEST + ``` From 0d3fae7f67234d5380996a99806b96ea1949b8db Mon Sep 17 00:00:00 2001 From: Samy OUBOUAZIZ Date: Thu, 23 Oct 2025 14:42:44 +0200 Subject: [PATCH 4/7] fix(tutorial): doc review 2 --- .../index.mdx | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx index 3a65b391d9..8b0208321c 100644 --- a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx +++ b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx 
@@ -16,7 +16,7 @@ dates: --- import Requirements from '@macros/iam/requirements.mdx' -In this tutorial you will learn how to use the Secret manager to store the encryption key used with [SSE-C](/object-storage/api-cli/enable-sse-c/). +In this tutorial you will learn how to use Key Manager and Secret Manager to generate and store an encryption key used with [SSE-C](/object-storage/api-cli/enable-sse-c/) to encrypt and decrypt objects stored in a Scaleway Object Storage bucket. @@ -27,7 +27,7 @@ In this tutorial you will learn how to use the Secret manager to store the encry The goal here is to use Key Manager to generate the encryption key, store the encryption key in Secret Manager, then use it to encrypt Object Storage objects SSE-C. -### Generating the encryption key +## Generating the encryption key Run the following commands to create a key in Key Manager, generate the encryption key, then store it in Secret Manager. @@ -38,9 +38,9 @@ SECRET_ID=$(scw secret secret create name=ssec-key path=/keys -o template="{{.ID scw secret version create "$SECRET_ID" data="@ssec.key" ``` -### Encryption key and digest preparation +## Preparing the encryption key and its digest -Run the following command to access the secret version to get the encryption key, encode it to base64, calculate the digest of the key (also encoded in base64), and store the outputs in environment variables. +Run the following command to access the secret version to get the encryption key, encode it to base64, calculate the MD5 digest of the key (also encoded in base64), and store the outputs in environment variables. ```bash scw secret version access "$SECRET_ID" revision=latest raw=true > ssec.key 
@@ -77,3 +77,7 @@ If you delete the secret containing the encryption key, you also lose the data e --sse-customer-key $ENCRYPTION_KEY \ --sse-customer-key-md5 $KEY_DIGEST ``` + +You can now use Key Manager and Secret Manager to safely create and store an encryption key to secure your Object Storage deployment with SSE-C. + +Refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/) for more information on how to use SSE-C for Scaleway Object Storage. \ No newline at end of file From 11606c3ccab255b4107989af6928b2c2c93ffd27 Mon Sep 17 00:00:00 2001 From: Florent Viel Date: Mon, 27 Oct 2025 10:49:46 +0100 Subject: [PATCH 5/7] docs: split commands in ordered list with dedicated comments --- .../index.mdx | 51 +++++++++++++++---- 1 file changed, 40 insertions(+), 11 deletions(-) diff --git a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx index 8b0208321c..9dc2bb7335 100644 --- a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx +++ b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx 
@@ -31,22 +31,51 @@ The goal here is to use Key Manager to generate the encryption key, store the en Run the following commands to create a key in Key Manager, generate the encryption key, then store it in Secret Manager. -```bash -KEY_ID=$(scw keymanager key create -o template="{{.ID}}") -scw keymanager key generate-data-key "$KEY_ID" -o json | jq -r .plaintext | base64 -d > ssec.key -SECRET_ID=$(scw secret secret create name=ssec-key path=/keys -o template="{{.ID}}") -scw secret version create "$SECRET_ID" data="@ssec.key" -``` +1. Create a key on the Key Manager + + ```bash + KEY_ID=$(scw keymanager key create -o template="{{.ID}}") + ``` + +2. Generate the data encryption key + + ```bash + scw keymanager key generate-data-key "$KEY_ID" -o json | jq -r .plaintext | base64 -d > ssec.key + ``` + +3. Create a secret in the Secret manager to store the data encryption key + + ```bash + SECRET_ID=$(scw secret secret create name=ssec-key path=/keys -o template="{{.ID}}") + ``` + +4. Store the data encryption key + + ```bash + scw secret version create "$SECRET_ID" data="@ssec.key" + ``` ## Preparing the encryption key and its digest Run the following command to access the secret version to get the encryption key, encode it to base64, calculate the MD5 digest of the key (also encoded in base64), and store the outputs in environment variables. -```bash -scw secret version access "$SECRET_ID" revision=latest raw=true > ssec.key -ENCRYPTION_KEY=$(cat ssec.key | base64) -KEY_DIGEST=$(openssl dgst -md5 -binary ssec.key | base64) -``` +1. Accessing the raw key + + ```bash + scw secret version access "$SECRET_ID" revision=latest raw=true > ssec.key + ``` + +2. Serialize it to base64 + + ```bash + ENCRYPTION_KEY=$(cat ssec.key | base64) + ``` + +3. 
Compute the MD5 digest + + ```bash + KEY_DIGEST=$(openssl dgst -md5 -binary ssec.key | base64) + ``` If you delete the secret containing the encryption key, you also lose the data encrypted with it, as you will not be able to perform `GET` operations on encrypted objects without the corresponding key. From b41bf840d272cc832325a36d23c5bec4a0500bf8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com> Date: Mon, 27 Oct 2025 15:52:56 +0100 Subject: [PATCH 6/7] docs(review): test and review of tuto --- .../index.mdx | 109 ++++++++++-------- 1 file changed, 61 insertions(+), 48 deletions(-) diff --git a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx index 9dc2bb7335..8227ab5c13 100644 --- a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx +++ b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx 
@@ -2,111 +2,124 @@ meta: title: Using Secret Manager to store encryption key for SSE-C description: Learn how to use Secret Manager to store encryption key for Object Storage and SSE-C. -content: - h1: Using Secret Manager to store encryption key for SSE-C - paragraph: Learn how to use Secret Manager to store encryption key for Object Storage and SSE-C. tags: object-storage secret-manager encryption -categories: +products: - object-storage - secret-manager - key-manager dates: validation: 2025-10-15 posted: 2025-10-15 + validation_frequency: 12 +difficulty: beginner +usecase: + - manage-share-and-store-data +ecosystem: + - scaleway-only --- import Requirements from '@macros/iam/requirements.mdx' -In this tutorial you will learn how to use Key Manager and Secret Manager to generate and store an encryption key used with [SSE-C](/object-storage/api-cli/enable-sse-c/) to encrypt and decrypt objects stored in a Scaleway Object Storage bucket. +This tutorial explains how to use Key Manager and Secret Manager to generate and store an encryption key for [SSE-C](/object-storage/api-cli/enable-sse-c/), used to encrypt and decrypt objects in your Scaleway Object Storage bucket. - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization -- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/) +- [Created](/object-storage/how-to/create-a-bucket/) an Object Storage bucket - Installed and initialized the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/) -The goal here is to use Key Manager to generate the encryption key, store the encryption key in Secret Manager, then use it to encrypt Object Storage objects SSE-C. 
+The goal of this tutorial is to: -## Generating the encryption key +- Generate an encryption key using Key Manager +- Store it securely in Secret Manager +- Use it to encrypt your Object Storage objects with SSE-C -Run the following commands to create a key in Key Manager, generate the encryption key, then store it in Secret Manager. +## Generating the encryption key -1. Create a key on the Key Manager +1. Open a terminal and create a key in Key Manager: - ```bash - KEY_ID=$(scw keymanager key create -o template="{{.ID}}") - ``` + ```bash + KEY_ID=$(scw keymanager key create -o template="{{.ID}}") + ``` -2. Generate the data encryption key +2. Run the following command to generate a data encryption key: - ```bash - scw keymanager key generate-data-key "$KEY_ID" -o json | jq -r .plaintext | base64 -d > ssec.key - ``` + ```bash + scw keymanager key generate-data-key "$KEY_ID" -o json | jq -r .plaintext | base64 -d > ssec.key + ``` -3. Create a secret in the Secret manager to store the data encryption key +3. Create a secret in Secret manager to store the data encryption key: - ```bash - SECRET_ID=$(scw secret secret create name=ssec-key path=/keys -o template="{{.ID}}") - ``` + ```bash + SECRET_ID=$(scw secret secret create name=ssec-key path=/keys -o template="{{.ID}}") + ``` -4. Store the data encryption key +4. Store the data encryption key in Secret Manager: - ```bash - scw secret version create "$SECRET_ID" data="@ssec.key" - ``` + ```bash + scw secret version create "$SECRET_ID" data="@ssec.key" + ``` ## Preparing the encryption key and its digest -Run the following command to access the secret version to get the encryption key, encode it to base64, calculate the MD5 digest of the key (also encoded in base64), and store the outputs in environment variables. +You must now retrieve the encryption key from Secret Manager, encode it to base64, compute its MD5 digest, and store both values in environment variables. -1. Accessing the raw key +1. 
Access the secret version to retrieve the raw key: - ```bash - scw secret version access "$SECRET_ID" revision=latest raw=true > ssec.key - ``` + ```bash + scw secret version access "$SECRET_ID" revision=latest raw=true > ssec.key + ``` -2. Serialize it to base64 +2. Encode the key to base64: - ```bash - ENCRYPTION_KEY=$(cat ssec.key | base64) - ``` + ```bash + ENCRYPTION_KEY=$(cat ssec.key | base64) + ``` -3. Compute the MD5 digest +3. Compute the MD5 digest of the key: - ```bash - KEY_DIGEST=$(openssl dgst -md5 -binary ssec.key | base64) - ``` + ```bash + KEY_DIGEST=$(openssl dgst -md5 -binary ssec.key | base64) + ``` -If you delete the secret containing the encryption key, you also lose the data encrypted with it, as you will not be able to perform `GET` operations on encrypted objects without the corresponding key. + If you delete the secret containing the encryption key, you also lose the data encrypted with it, as you will not be able to perform `GET` operations on encrypted objects without the corresponding key. -### Upload and download object with SSE-C +### Upload and download objects with SSE-C -1. Run the command below to upload an object and encrypt it. Make sure to replace ``, ``, and `` with the correct values. +1. Upload an object of your choice to your bucket and encrypt it. Make sure that you replace: + + - `` with the name of your bucket + - `` with the desired name of the object in the bucket + - `` with the path to the file you want to upload ```bash aws s3api put-object \ - --bucket \ - --key \ + --bucket \ + --key \ --body \ --sse-customer-algorithm AES256 \ --sse-customer-key $ENCRYPTION_KEY \ --sse-customer-key-md5 $KEY_DIGEST ``` -2. Run the command below to download the previously uploaded object and decrypt it. Make sure to replace ``, ``, and `` with the correct values. +2. Download the previously uploaded object and decrypt it. 
Make sure that you replace: + + - `` with the name of your bucket + - `` with the name of your object in the bucket + - `` with the local path where you want to save the file ```bash aws s3api get-object \ - --bucket \ - --key \ + --bucket \ + --key \ \ --sse-customer-algorithm AES256 \ --sse-customer-key $ENCRYPTION_KEY \ --sse-customer-key-md5 $KEY_DIGEST ``` -You can now use Key Manager and Secret Manager to safely create and store an encryption key to secure your Object Storage deployment with SSE-C. +You now know how to use Key Manager and Secret Manager to generate, store, and use an encryption key to protect your Object Storage data with SSE-C. -Refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/) for more information on how to use SSE-C for Scaleway Object Storage. \ No newline at end of file +Refer to the [dedicated documentation](/object-storage/api-cli/enable-sse-c/) for more information on how to use SSE-C for Scaleway Object Storage. From 3031c8277cc9b05a4a78cef80656ea90a28c2652 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9da?= <87707325+nerda-codes@users.noreply.github.com> Date: Tue, 28 Oct 2025 10:52:05 +0100 Subject: [PATCH 7/7] Update tutorials/object-storage-sse-c-with-secret-manager/index.mdx --- tutorials/object-storage-sse-c-with-secret-manager/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx index 8227ab5c13..e8b0383939 100644 --- a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx +++ b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx @@ -8,8 +8,8 @@ products: - secret-manager - key-manager dates: - validation: 2025-10-15 - posted: 2025-10-15 + validation: 2025-10-28 + posted: 2025-10-28 validation_frequency: 12 difficulty: beginner usecase:
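Review bot: the "Generating the encryption key" hunk (patch 1, then step 2 of patch 5/6) never states the key length SSE-C expects, and `scw keymanager key generate-data-key "$KEY_ID"` is called without any algorithm or length argument, so a reader cannot tell whether `ssec.key` will hold the 256-bit key that `--sse-customer-algorithm AES256` later requires. State the size the default produces and add a check before the key is stored, e.g. `test "$(wc -c < ssec.key)" -eq 32 || echo "unexpected key length"`. The later `ENCRYPTION_KEY=$(cat ssec.key | base64)` also relies on the key being short enough that GNU `base64` does not wrap its output at 76 characters; `base64 -w0` (or `openssl base64 -A`) makes that step independent of the key size.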
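Review bot: the patch 2 hunk correctly drops `DATA_KEY=$(... | base64 -d)`, since a shell variable cannot hold NUL bytes and `$(...)` strips trailing newlines, so the raw key would have been corrupted; but the replacement `... | base64 -d > ssec.key` writes the plaintext key to disk with the default umask, the "Preparing" step overwrites the same file, and no hunk in the series ever removes it. The stated goal is that the key lives in Secret Manager, so create the file restrictively, e.g. `(umask 077; scw keymanager key generate-data-key ... | jq -r .plaintext | base64 -d > ssec.key)`, and add a final cleanup step (`rm -f ssec.key` and `unset ENCRYPTION_KEY KEY_DIGEST`) after the download step.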
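Review bot: the requirements hunk (patch 1, revised in patch 6) lists only the bucket and the AWS CLI, yet every command in the following sections uses the Scaleway CLI (`scw`), `jq`, and `openssl`, and the IAM bullet only mentions "actions in the intended Organization" without saying that the steps need Key Manager and Secret Manager permissions as well as Object Storage. Add an "Installed and initialized the Scaleway CLI" bullet, mention `jq` and `openssl`, and name the three products the permissions must cover.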
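Review bot: patch 4 promotes `### Generating the encryption key` and `### Encryption key and digest preparation` to `##`, but `### Upload and download object with SSE-C` is left at h3 and patch 6 only pluralizes it to `### Upload and download objects with SSE-C`, so the final file has two h2 sections followed by a sibling h3; change it to `## Upload and download objects with SSE-C`. In the same patch 6 hunk, the "If you delete the secret containing the encryption key, you also lose the data encrypted with it" paragraph is indented so that it becomes part of list step 3 ("Compute the MD5 digest of the key"); it is a warning about the whole procedure and should stay at top level after the list, as it was before.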
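Review bot: in the `put-object` and `get-object` hunks, `--sse-customer-key $ENCRYPTION_KEY` and `--sse-customer-key-md5 $KEY_DIGEST` are unquoted; base64 output only contains `+`, `/` and `=` besides alphanumerics, so word splitting does not bite here, but `"$ENCRYPTION_KEY"` and `"$KEY_DIGEST"` are consistent with the quoted `"$KEY_ID"` and `"$SECRET_ID"` earlier in the file. More importantly, the tutorial never mentions that passing the key on the command line exposes it to the process list and the shell history for the session; one sentence after the download step telling readers that `ssec.key`, `ENCRYPTION_KEY` and their shell history now contain the plaintext key, and that the secret in Secret Manager is the copy to keep, closes the loop the introduction opens.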