Server-Side Encryption
FlexFS supports S3 server-side encryption (SSE) for block data stored in object storage. When enabled, the storage provider encrypts blocks at rest with keys it generates and manages itself (SSE-S3); the mount client never holds or supplies an encryption key.
Enabling SSE
Server-side encryption is enabled via the --sse flag on the mount client:
mount.flexfs start my-volume /mnt/data --sse
Or via fstab mount options:
my-volume /mnt/data flexfs _netdev,nofail,sse 0 0
When SSE is enabled, flexFS sends the x-amz-server-side-encryption: AES256 header on every PUT request to the block store. The storage provider (Amazon S3, Google Cloud Storage through its S3-compatibility API, or another S3-compatible store) handles key management and encryption transparently. The header only affects uploads made after the flag is turned on; blocks already in the bucket remain stored exactly as they were written.
How it works
| Step | What happens |
|---|---|
| Write | Mount client uploads a block with the SSE header. The storage provider encrypts the block before writing to disk. |
| Read | The storage provider decrypts the block transparently before returning it. No special header is needed on GET requests. |
SSE is transparent to the application: no changes are needed beyond enabling the flag. It is equally transparent to anyone else who can read the bucket, since the provider decrypts on GET without any header or key from the caller. SSE therefore protects data on the provider's storage media; who can obtain the plaintext is governed entirely by the bucket's access controls.
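Because the flag only changes what the mount client sends on PUT, and reads give no sign of whether a block was encrypted, it is worth enforcing the header at the bucket and auditing what is actually stored. The following is an added example, not flexFS code: it builds an S3 bucket policy that denies any PutObject lacking the AES256 SSE header, and audits HeadObject responses for blocks stored without SSE-S3. The bucket name, key prefix and sample HEAD responses are constructed for illustration; `audit_bucket` takes a real boto3 client and needs network access, while everything else runs offline.

```python
"""Enforce and audit SSE-S3 on a flexFS block-store bucket (added example)."""
import json

# The value flexFS sends in x-amz-server-side-encryption when --sse is on.
HEADER_VALUE = "AES256"


def sse_enforcement_policy(bucket: str) -> dict:
    """Bucket policy denying every PutObject that does not carry SSE-S3.

    The mount client only sets the header when --sse is enabled, so a PUT
    arriving without it means a client was started without the flag (or an
    intermediary dropped the header). StringNotEquals evaluates true both
    when the condition key is absent and when it holds another value
    (e.g. aws:kms), so both cases are denied.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPutWithoutSSES3",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": HEADER_VALUE
                    }
                },
            }
        ],
    }


def audit_heads(heads: dict) -> list:
    """Return the keys whose HeadObject metadata does not show SSE-S3.

    `heads` maps object key -> HeadObject response dict. S3 reports the
    encryption actually applied in the ServerSideEncryption field: a missing
    field means the object is stored unencrypted, and any other value means a
    different SSE mode than the one flexFS requests.
    """
    return sorted(
        key for key, resp in heads.items()
        if resp.get("ServerSideEncryption") != HEADER_VALUE
    )


def audit_bucket(s3, bucket: str, prefix: str) -> list:
    """Walk a real bucket with a boto3 S3 client and audit every object.

    Requires network access and credentials; not exercised offline.
    """
    heads = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            heads[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
    return audit_heads(heads)


# Constructed sample: three block objects as HeadObject would describe them.
# Key layout is hypothetical; only the ServerSideEncryption field matters.
SAMPLE_HEADS = {
    "my-volume/blocks/0001": {"ContentLength": 4194304, "ServerSideEncryption": "AES256"},
    "my-volume/blocks/0002": {"ContentLength": 4194304},  # uploaded before --sse was set
    "my-volume/blocks/0003": {"ContentLength": 4194304, "ServerSideEncryption": "aws:kms"},
}

if __name__ == "__main__":
    print(json.dumps(sse_enforcement_policy("my-flexfs-blocks"), indent=2))
    for key in audit_heads(SAMPLE_HEADS):
        print("not SSE-S3:", key)
```

Apply the policy before enabling --sse fleet-wide and the first client started without the flag fails its writes loudly instead of silently storing plaintext blocks. The audit is the complement for history: blocks uploaded before the flag was turned on keep whatever encryption state they had, so they have to be found and rewritten rather than assumed covered.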
SSE with proxy servers
When proxy servers are in use, the proxy forwards the SSE header unchanged to the underlying object storage, so the bucket still receives every block with the header set. SSE applies only to blocks as stored in the object storage bucket: blocks cached on the proxy's local disk are held in plaintext form (after any client-side E2E decryption, if applicable), so the proxy host's disk and its filesystem permissions need to be protected as carefully as the bucket itself.
SSE vs. end-to-end encryption
| Feature | Server-Side Encryption (SSE) | End-to-End Encryption (E2E) |
|---|---|---|
| Edition | All editions | Enterprise only |
| Who encrypts | Storage provider | Mount client |
| Key management | Storage provider | User-provided secret |
| Data encrypted at | Object storage layer | Before leaving mount client |
| Metadata encrypted | No | Yes |
| Protection from storage provider | No (provider has keys) | Yes (provider never sees plaintext) |
Storage provider support
| Provider | SSE support | Notes |
|---|---|---|
| Amazon S3 | Yes | SSE-S3 (AES256) |
| Google Cloud Storage | Yes | Via S3-compatibility API |
| S3-compatible stores (MinIO, Wasabi, Ceph RGW) | Varies | Depends on the implementation |
| Azure Blob Storage | N/A | Azure encrypts at rest by default |
| Oracle Cloud Infrastructure | N/A | OCI encrypts at rest by default |
Next steps
- End-to-end encryption — client-side AES-256 encryption (Enterprise)
- TLS certificates — in-transit encryption
- Access Control — POSIX permissions and ACLs