Server-side encryption (SSE) protects your data by encrypting it before it is stored on disk by Backblaze B2 Cloud Storage.
There is no extra cost to encrypt your data, However, you are responsible for the normal charges that are associated with storing the encrypted file. There are nominal charges for using the Class C API calls to enable, disable, or read encryption on a bucket.
For information about how encryption works for Backblaze Computer Backup, see How to Make Strong Encryption Easy to Use.
For an example implementation of encryption with Backblaze B2, see this guide on GitHub.
Server-Side Encryption Options
You have two options for encrypting data with Backblaze B2 server-side encryption: SSE-B2 and SSE-C. Both options use an extensively tested and widely trusted block cipher, 256-bit Advanced Encryption Standard (AES-256), to encrypt the data at rest.
From a functionality standpoint, SSE-B2 and SSE-C with Backblaze B2 work the same way as they do with Amazon AWS. Files are encrypted with AES-256.
The APIs allow you to enable encryption (SSE-B2 or SSE-C) at an individual file level. After encryption (SSE-B2) is enabled (using the API or the Backblaze web UI) on a bucket, only the files that are uploaded into (or copied into) that bucket from that point forward are encrypted. Files that are in the bucket before encryption is enabled are not encrypted.
Server-Side Encryption with Backblaze-Managed Keys (SSE-B2)
The data of each file that is stored using Server-Side Encryption with Backblaze-Managed Keys (SSE-B2) is encrypted using a unique encryption key; each file’s encryption key is additionally encrypted with a global key before being saved to decrypt the data when each file is accessed.
After encryption (SSE-B2) is enabled on a bucket (using the API or the Backblaze web UI), only the files that are uploaded or copied into that bucket from that point forward are encrypted. Files that are in the bucket before encryption is enabled are not encrypted. If encryption is disabled for that bucket at a later date, files uploaded or copied into that bucket from that point forward will be unencrypted. Files encrypted when the feature was enabled will remain encrypted.
Server-Side Encryption with Customer-Managed Keys (SSE-C)
Using Server-Side Encryption with Customer-Managed Keys (SSE-C) with your B2 files means the data of each file is encrypted with a unique encryption key; each file’s encryption key is additionally encrypted with the AES-256 encryption key that you manage. Backblaze B2 manages the encryption process using the key that you provide when uploading or accessing each file.
Enabling and Disabling Server-Side Encryption
You can disable encryption by copying the file (using the copy file API operation) into the same bucket and deleting the encrypted copy.
Encrypted files are indicated by a lock icon in the Browse Files page within the Backblaze web UI. Lock icons with the letter ‘C’ indicate the files that are encrypted by SSE-C.
Headers and Values
Additional headers are not required to encrypt a file when the bucket that you are uploading into has default encryption turned on. If a bucket has default encryption disabled, then an additional header is required to upload a file and have it encrypted with SSE-B2 encryption.
To request SSE-B2 encryption for a file using the B2 Native API, include the header
X-Bz-Server-Side-Encryption with the value
To request SSE-C encryption for a file using the B2 Native API, include the headers
<base64-encoded AES-256 encryption key>), and
<base64-encoded MD5 digest of the key>).
Downloading Encrypted Files
At this time, Backblaze has taken a very literal interpretation to data encrypted “at rest.” Downloading files and creating snapshots involve additional servers aside from those used to store data at rest. On those servers, the data would have to be in an unencrypted state and this requires them to have access to the encryption key.
If you attempt to download an SSE-B2-encrypted file with an SSE-C encryption key, a 400 error is returned. If you attempt to download an SSE-C encrypted file with the wrong encryption key, a 403 error is returned.
With either SSE-B2 or SSE-C, Backblaze B2 Server-Side Encryption encrypts your file data at rest but not the file metadata. After a file has been uploaded, the only time the data is decrypted is when a client accesses the file (e.g., downloading or copying the file via API calls).
If you use SSE-C to encrypt a file, then you must manage and protect your encryption keys yourself. Backblaze does not store the encryption keys for SSE-C files; instead, it stores a secure hash value that is used to validate future requests, but which cannot be used to derive the original encryption key or decrypt your file data. As a result, if you lose the encryption key for a file encrypted with SSE-C, Backblaze will not be able to recover your key or decrypt the data.
To protect the confidentiality of your data, files encrypted with server-side encryption are not currently available for direct download via the Backblaze B2 Browse Files page or included in snapshots created from that page.
Default Bucket Encryption
If you want server-side encryption for all of the files that are uploaded to a bucket, you can enable SSE-B2 encryption as a default setting for the bucket. All uploads to that bucket, from the time default encryption is enabled onward, will then be encrypted with SSE-B2 by default unless you explicitly specify SSE-C encryption for a given file at upload time. Note that existing files in the bucket are not affected by default bucket encryption settings.
Permission to read and write default bucket encryption settings are determined by the
writeBucketEncryption application key capabilities, respectively. You can enable or disable default bucket encryption using either the Backblaze web UI or API calls.