Server-Side Encryption

    Server-side encryption (SSE) protects your data by encrypting it before it is stored on disk by Backblaze B2 Cloud Storage.

    You can access files that are encrypted using server-side encryption using the same API calls as other Backblaze B2 files (using either the Native API or the S3-Compatible API).

    There is no extra cost to encrypt your data. However, you are responsible for the normal charges that are associated with storing the encrypted file. There are nominal charges for using the Class C API calls to enable, disable, or read encryption on a bucket.

    You must create a new application key to view default encryption settings on a bucket. However, you can use your existing application key to upload or download encrypted files.

    For information about how encryption works for Backblaze Computer Backup, see How to Make Strong Encryption Easy to Use.

    For an example implementation of encryption with Backblaze B2, see this guide on GitHub.

    Server-Side Encryption Options

    You have two options for encrypting data with Backblaze B2 server-side encryption: SSE-B2 and SSE-C. Both options use an extensively tested and widely trusted block cipher, 256-bit Advanced Encryption Standard (AES-256), to encrypt the data at rest.

    From a functionality standpoint, SSE-B2 and SSE-C with Backblaze B2 work the same way as they do with Amazon AWS. Files are encrypted with AES-256.

    The APIs allow you to enable encryption (SSE-B2 or SSE-C) at an individual file level. After encryption (SSE-B2) is enabled (using the API or the Backblaze web UI) on a bucket, only the files that are uploaded into (or copied into) that bucket from that point forward are encrypted. Files that are in the bucket before encryption is enabled are not encrypted.

    Server-Side Encryption with Backblaze-Managed Keys (SSE-B2)

    The data of each file that is stored using Server-Side Encryption with Backblaze-Managed Keys (SSE-B2) is encrypted using a unique encryption key. Each file’s encryption key is additionally encrypted with a global key before it is saved, and it is used to decrypt the data when the file is accessed.

    After encryption (SSE-B2) is enabled on a bucket (using the API or the Backblaze web UI), only the files that are uploaded or copied into that bucket from that point forward are encrypted. Files that are in the bucket before encryption is enabled are not encrypted. If encryption is disabled for that bucket at a later date, files uploaded or copied into that bucket from that point forward will be unencrypted. Files encrypted when the feature was enabled will remain encrypted.

    Currently, the Backblaze B2 CLI and the B2 Python SDK support the SSE-B2 mode for enabling and disabling encryption.

    Server-Side Encryption with Customer-Managed Keys (SSE-C)

    Using Server-Side Encryption with Customer-Managed Keys (SSE-C) with your B2 files means the data of each file is encrypted with a unique encryption key; each file’s encryption key is additionally encrypted with the AES-256 encryption key that you manage. Backblaze B2 manages the encryption process using the key that you provide when uploading or accessing each file.

    Enabling and Disabling Server-Side Encryption

    Using the Backblaze B2 APIs (either the B2 Native API or the S3-Compatible API) or the Backblaze web UI, you can enable encryption when you create a bucket or at a later date. 

    You can disable encryption by copying the file (using the copy file API operation) into the same bucket and deleting the encrypted copy.

    Encrypted files are indicated by a lock icon in the Browse Files page within the Backblaze web UI. Lock icons with the letter ‘C’ indicate the files that are encrypted by SSE-C.

    Headers and Values

    Additional headers are not required to encrypt a file when the bucket that you are uploading into has default encryption turned on. If a bucket has default encryption disabled, then an additional header is required to upload a file and have it encrypted with SSE-B2 encryption.

    To request SSE-B2 encryption for a file using the B2 Native API, include the header X-Bz-Server-Side-Encryption with the value AES256.

    To request SSE-C encryption for a file using the B2 Native API, include the headers X-Bz-Server-Side-Encryption-Customer-Algorithm (value AES256), X-Bz-Server-Side-Encryption-Customer-Key (value <base64-encoded AES-256 encryption key>), and X-Bz-Server-Side-Encryption-Customer-Key-Md5 (value <base64-encoded MD5 digest of the key>).
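
    The header rules above, as an added Python example (not Backblaze's code): it builds the extra B2 Native API upload headers for SSE-B2 and SSE-C from a raw 32-byte key. The function names and the `bucket_default_sse_b2` flag are assumptions made for illustration; only the header names and values come from this page.

```python
import base64
import hashlib
import secrets

AES256_KEY_BYTES = 32  # AES-256 uses a 256-bit (32-byte) key


def sse_b2_headers():
    """Header that requests SSE-B2 for one file (B2 Native API)."""
    return {"X-Bz-Server-Side-Encryption": "AES256"}


def sse_c_headers(key):
    """Headers that request SSE-C for one file (B2 Native API)."""
    if not isinstance(key, (bytes, bytearray)) or len(key) != AES256_KEY_BYTES:
        raise ValueError("SSE-C needs a raw 32-byte AES-256 key")
    key = bytes(key)
    key_b64 = base64.b64encode(key).decode("ascii")
    md5_b64 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    return {
        "X-Bz-Server-Side-Encryption-Customer-Algorithm": "AES256",
        "X-Bz-Server-Side-Encryption-Customer-Key": key_b64,
        "X-Bz-Server-Side-Encryption-Customer-Key-Md5": md5_b64,
    }


def upload_encryption_headers(mode, bucket_default_sse_b2, key=None):
    """Pick the extra upload headers for the requested mode.

    mode: "SSE-B2", "SSE-C" or None (no explicit request); hypothetical helper.
    """
    if mode == "SSE-C":
        # SSE-C is always requested per file, whatever the bucket default is.
        return sse_c_headers(key)
    if mode == "SSE-B2":
        # No extra header is required when the bucket default is already on.
        return {} if bucket_default_sse_b2 else sse_b2_headers()
    if mode is None:
        return {}
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    demo_key = secrets.token_bytes(AES256_KEY_BYTES)  # constructed sample key
    for name, value in upload_encryption_headers("SSE-C", True, demo_key).items():
        # Print header names and value lengths only, never the key itself.
        print(name, len(value))
```

    The key header carries the key itself, so keep these headers out of request logs and debug output.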

    Downloading Encrypted Files

    At this time, Backblaze has taken a very literal interpretation of data encrypted “at rest.” Downloading files and creating snapshots involve additional servers aside from those used to store data at rest. On those servers, the data would have to be in an unencrypted state and this requires them to have access to the encryption key.

    If you attempt to download an SSE-B2-encrypted file with an SSE-C encryption key, a 400 error is returned. If you attempt to download an SSE-C encrypted file with the wrong encryption key, a 403 error is returned.

    Security Details

    Warning
    Do not include Protected Health Information (PHI) or Personally Identifiable Information (PII) in bucket names; object, file, or folder names; or other metadata. This metadata is not encrypted in a way that meets Health Insurance Portability and Accountability Act (HIPAA) protection requirements for PHI/PII data, and it is not generally encrypted in client-side encryption architectures.

    With either SSE-B2 or SSE-C, Backblaze B2 Server-Side Encryption encrypts your file data at rest but not the file metadata. After a file has been uploaded, the only time the data is decrypted is when a client accesses the file (e.g., downloading or copying the file via API calls).

    If you use SSE-C to encrypt a file, then you must manage and protect your encryption keys yourself. Backblaze does not store the encryption keys for SSE-C files; instead, it stores a secure hash value that is used to validate future requests, but which cannot be used to derive the original encryption key or decrypt your file data. As a result, if you lose the encryption key for a file encrypted with SSE-C, Backblaze will not be able to recover your key or decrypt the data.

    To protect the confidentiality of your data, files encrypted with server-side encryption are not currently available for direct download via the Backblaze B2 Browse Files page or included in snapshots created from that page.

    Note that you must use API version v2 or later in b2_list_file_names and b2_list_file_versions in order to view server-side encryption information.

    Default Bucket Encryption

    If you want server-side encryption for all of the files that are uploaded to a bucket, you can enable SSE-B2 encryption as a default setting for the bucket. All uploads to that bucket, from the time default encryption is enabled onward, will then be encrypted with SSE-B2 by default unless you explicitly specify SSE-C encryption for a given file at upload time. Note that existing files in the bucket are not affected by default bucket encryption settings.

    Permissions to read and write default bucket encryption settings are determined by the readBucketEncryption and writeBucketEncryption application key capabilities, respectively. You can enable or disable default bucket encryption using either the Backblaze web UI or API calls.

