scaleway · nerda-codes · Oct 28, 2025 · Oct 17, 2025 · Oct 17, 2025 · Oct 23, 2025
diff --git a/tutorials/object-storage-sse-c-with-secret-manager/index.mdx b/tutorials/object-storage-sse-c-with-secret-manager/index.mdx
@@ -0,0 +1,79 @@
+---
+meta:
+  title: Using Secret Manager to store encryption key for SSE-C
+  description: Learn how to use Secret Manager to store encryption key for Object Storage and SSE-C.
+content:
+  h1: Using Secret Manager to store encryption key for SSE-C
+  paragraph: Learn how to use Secret Manager to store encryption key for Object Storage and SSE-C.
+tags: object-storage secret-manager encryption
+categories:
+  - object-storage
+  - secret-manager
+  - key-manager
+dates:
+  validation: 2025-10-15
+  posted: 2025-10-15
+---
+import Requirements from '@macros/iam/requirements.mdx'
+
+In this tutorial you'll learn how to use the Secret manager to store the encryption key used with [SSE-C](/object-storage/api-cli/enable-sse-c/).
+
+<Requirements />
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- An [Object Storage bucket](/object-storage/how-to/create-a-bucket/)
+- Installed and initialized the [AWS CLI](/object-storage/api-cli/object-storage-aws-cli/)
+
+The goal here, is to use the Key Manager to generate the encryption key, store the encryption key in the Secret Manager, then use it for Object Storage SSE-C.
+
+### Generating the encryption key
+
+With the following commands, you will create a key in the Key Manager, generate the encryption key and then store it in the Secret Manager.
+
+```bash
+KEY_ID=$(scw keymanager key create -o template="{{.ID}}")
+scw keymanager key generate-data-key "$KEY_ID" -o json | jq -r .plaintext | base64 -d > ssec.key
+SECRET_ID=$(scw secret secret create name=ssec-key path=/keys -o template="{{.ID}}")
+scw secret version create "$SECRET_ID" data="@ssec.key"
+```
+
+### Encryption key and digest preparation
+
+First you access the secret version to get the encryption key, then you need to encode it to base64 and calculate the digest of the key, also encoded in base64.
+
+```bash
+scw secret version access "$SECRET_ID" revision=latest raw=true > ssec.key
+ENCRYPTION_KEY=$(cat ssec.key | base64)
+KEY_DIGEST=$(openssl dgst -md5 -binary ssec.key | base64)
+```
+
+<Message type="important">
+If you delete the secret containing the encryption key, you also lose the data encrypted with it, as you will not be able to perform `GET` operations on encrypted objects without the corresponding key.
+</Message>
+
+### Upload and download object with SSE-C
+
+Run the command below to upload an object and encrypt it. Make sure to replace `<your-bucket-name>`, `<your-object-key>`, and `<path/to/your/file>` with the correct values.
+
+```bash
+aws s3api put-object \
+  --bucket <your-bucket-name> \
+  --key <your-object-key> \
+  --body <path/to/your/file> \
+  --sse-customer-algorithm AES256 \
+  --sse-customer-key $ENCRYPTION_KEY \
+  --sse-customer-key-md5 $KEY_DIGEST
+```
+
+Run the command below to download the previously uploaded object and decrypt it. Make sure to replace `<your-bucket-name>`, `<your-object-key>`, and `<path/to/destination/file>` with the correct values.
+
+```bash
+aws s3api get-object \
+  --bucket <your-bucket-name> \
+  --key <your-object-key> \
+  <path/to/destination/file> \
+  --sse-customer-algorithm AES256 \
+  --sse-customer-key $ENCRYPTION_KEY \
+  --sse-customer-key-md5 $KEY_DIGEST
+```