Amazon S3: Client-Side Object Encryption with SafeNet ProtectApp


SafeNet ProtectApp, when integrated with AWS SDKs, provides customer-controlled client-side object encryption for storage in Amazon’s Simple Storage Service (S3). ProtectApp’s Java API and the AWS SDK for Java interoperate to form an encryption client that provides keys as input to applications, so that an object is encrypted before it is uploaded to storage.
 
SafeNet KeySecure—either on-premises or as a hardened virtual appliance run in an AWS EC2 environment—works with the SafeNet/AWS encryption client to store the cryptographic keys and offload cryptographic functions, so that data is encrypted prior to archiving in S3 without impacting performance. The SafeNet/AWS encryption client gives customers control of their data by encrypting it within the application before it is uploaded to S3. AWS customers can ensure their data will be unreadable by unauthorized users, since encryption occurs under the customer’s control before AWS storage receives the data, and the KeySecure appliance protects the corresponding encryption keys. In this setup, AWS administrators can manage the storage environment but never have access to the cleartext data or to the keys needed to render the data as cleartext.
 

Resources and Additional Information:

AWS S3: SafeNet ProtectApp and KeySecure Solution Brief