Server-side Encryption: Keys to More Protection

Data is the digital world’s most precious resource. Storing and using it is increasingly critical for unlocking business value and more. Yet with increased value comes increased risk. To help mitigate this risk, Backblaze B2 Cloud Storage now supports server-side encryption (SSE) using the 256-bit Advanced Encryption Standard (AES-256), with multiple key management options.

In practical terms, SSE offers an added layer of protection for data, making it very difficult for an attacker to actually make use of any ill-gotten material. No encryption key means no ability to preview or read improperly obtained data.

For some institutions, encryption at rest is also mandatory to satisfy relevant compliance requirements and/or industry standards, such as the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS). But SSE can be beneficial to pretty much any organization seeking greater security for their precious data.

Parham Azimi, CEO and Co-founder of cloud media management software iconik, sums it up nicely: “With so much of our work and life in the cloud, security matters more than ever before. To be secure, we have to be proactive. So I’m excited that Backblaze SSE can seamlessly add an extra layer of protection. This is an easy win for our users, with great benefits.”


Different Strokes for Different Folks

You can protect your data at rest in Backblaze B2 by using different modes of SSE, depending on your use case:

  • SSE-B2. Backblaze manages the data and the encryption keys, similar to Amazon S3’s SSE-S3 offering. This approach is well suited to organizations that wish for their sensitive information to be encrypted in their storage buckets but do not wish to take on the risk or responsibility associated with managing encryption keys.
  • SSE-C. Backblaze encrypts each file using a unique encryption key that the customer manages. This approach is well suited to organizations that need their object data to be encrypted at rest while also maintaining encryption key control.

Note: We do not support SSE-KMS at this time. If this is something you need given the nuances of your business and workflows, definitely let us know.

Regardless of which mode you choose, you will get file data protection at AES-256, the block cipher seen as providing the strongest level of commercially available encryption. There is no additional cost for enabling either SSE mode, but API calls associated with SSE that are Class C transactions will incur standard fees.

How to Engage SSE in Backblaze B2

SSE is accessible to B2 Cloud Storage users via Backblaze S3 Compatible API calls, Backblaze B2 Native API calls, and the web UI. API users will want to reference our Backblaze documentation and FAQ for detailed guidance on enabling and employing the mode best suited to their needs.

The web application provides an easy, intuitive interface, including the following functions:

  • New bucket creation offers a choice to enable encryption (SSE-B2) as a default for all data uploaded to the bucket.
  • Existing buckets can be switched to encryption (SSE-B2) enabled as a default for all data subsequently uploaded to the bucket.
  • File lists display a lock icon next to each SSE-B2 protected file and a lock+C icon next to each SSE-C protected file.

The Backblaze B2 CLI and Python SDK now also support SSE-B2; coming next will be Backblaze B2 CLI and Python SDK support for SSE-C, and Java SDK support for both SSE modes.

A Few Important Notes as You Employ SSE

  • SSE is disabled by default on new buckets, to give you control over its use. Your files will not be encrypted unless and until you enable SSE.
  • Keep in mind that encryption isn’t applied to files held in a bucket prior to SSE enablement on that bucket. To encrypt files that were held in a bucket prior to SSE enablement, you’ll need to use the Copy API call to make duplicate files for encryption.
  • SSE-B2 and SSE-C encrypted files—individual and batch zipped—may not be downloaded from the web UI.
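
The copy step for files that predate SSE enablement can be planned as below. This is an added example, not Backblaze's own code: it uses the standard S3 SSE and copy header names on the assumption that the S3 Compatible API accepts them, and the listing format, path-style addressing, bucket name and `dest_prefix` are hypothetical.

```python
import base64
import hashlib
from urllib.parse import quote

# Constructed sample: file names with the SSE mode each one currently reports
# (None = uploaded before SSE was enabled on the bucket).
SAMPLE_LISTING = [
    {"key": "reports/q1.pdf", "sse": None},
    {"key": "reports/q2.pdf", "sse": "SSE-B2"},
    {"key": "raw/cam 01.mov", "sse": None},
]

def sse_headers(mode, customer_key=None):
    """S3-style request headers that ask for SSE-B2 or SSE-C on a write."""
    if mode == "SSE-B2":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode != "SSE-C":
        raise ValueError(f"unsupported SSE mode: {mode}")
    if customer_key is None or len(customer_key) != 32:
        raise ValueError("SSE-C needs a 32-byte (256-bit) customer key")
    prefix = "x-amz-server-side-encryption-customer-"
    return {
        prefix + "algorithm": "AES256",
        prefix + "key": base64.b64encode(customer_key).decode(),
        # The MD5 lets the server check the key arrived intact; it is not a secret.
        prefix + "key-MD5": base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
    }

def plan_reencryption(bucket, listing, mode="SSE-B2", customer_key=None,
                      dest_prefix="encrypted/"):
    """Build one copy request per file that is not yet encrypted."""
    headers = sse_headers(mode, customer_key)  # validate once, fail early
    plan = []
    for item in listing:
        if item["sse"] is not None:
            continue  # already protected, nothing to do
        source = "/" + quote(f"{bucket}/{item['key']}")  # copy source is URL-encoded
        plan.append({
            "method": "PUT",
            "path": "/" + quote(f"{bucket}/{dest_prefix}{item['key']}"),
            "headers": {"x-amz-copy-source": source, **headers},
        })
    return plan

if __name__ == "__main__":
    for req in plan_reencryption("example-bucket", SAMPLE_LISTING):
        print(req["method"], req["path"], req["headers"])
```

Because the copy creates a duplicate, the source file stays unencrypted until it is removed. With SSE-C, the same customer key must be supplied again on every later read of the copied file.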

Getting Started Today

If SSE is right for your use case, we’re happy to help. Existing Backblaze B2 customers can dig in immediately. People new to Backblaze will want to first create a Backblaze B2 account. There’s no time like the present to consider if and how an added layer of security may be right for your current or future needs.


About Jeremy Milk

Jeremy Milk is a storybuilder who heads the Backblaze Product Marketing team. He's spent more than two decades honing his craft in product and consumer goods marketing leadership roles at companies including Intuit, WePay (acquired by JPMorgan Chase), and The Clorox Company. Outside the office, he can often be found near a soccer field, on a running trail, or fueling on coffee and tacos. Follow him on LinkedIn or Twitter.