
Server-Side Encryption

FlexFS supports S3 server-side encryption (SSE) for block data stored in object storage. When enabled, the storage provider encrypts blocks at rest using its own key management.

Server-side encryption is enabled via the --sse flag on the mount client:

```sh
mount.flexfs start my-volume /mnt/data --sse
```

Or via fstab mount options:

```
my-volume /mnt/data flexfs _netdev,nofail,sse 0 0
```

When SSE is enabled, FlexFS includes the `x-amz-server-side-encryption: AES256` header on all PUT requests to the block store. The storage provider (S3, GCS in S3-compatibility mode, or other S3-compatible stores) handles key management and encryption transparently.

| Step | What happens |
|---|---|
| Write | Mount client uploads a block with the SSE header. The storage provider encrypts the block before writing to disk. |
| Read | The storage provider decrypts the block transparently before returning it. No special header is needed on GET requests. |
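Because SSE-S3 only takes effect when the `x-amz-server-side-encryption: AES256` header actually reaches the bucket, an operator will usually want two checks: an audit of recorded PUT requests for the header, and a bucket policy that rejects block PUTs that lack it. The example below is added here and is not FlexFS's own code; the request records are constructed, the bucket name is a placeholder, and the `s3:x-amz-server-side-encryption` condition key is the standard S3 policy key for this header.

```python
"""Audit block-store PUTs for the SSE-S3 header and build a bucket policy that
enforces it. Added example, not part of FlexFS; sample requests are constructed."""

SSE_HEADER = "x-amz-server-side-encryption"
SSE_ALGORITHM = "AES256"  # the value FlexFS sends when --sse is set

# Constructed sample of requests as a proxy or access log might record them.
SAMPLE_REQUESTS = [
    {"method": "PUT", "key": "blocks/0001",
     "headers": {"x-amz-server-side-encryption": "AES256", "content-length": "4194304"}},
    {"method": "PUT", "key": "blocks/0002",
     "headers": {"content-length": "4194304"}},          # mounted without --sse
    {"method": "GET", "key": "blocks/0001", "headers": {}},  # reads need no header
    {"method": "PUT", "key": "blocks/0003",
     "headers": {"X-Amz-Server-Side-Encryption": "aws:kms"}},  # different SSE mode
]


def put_is_sse_compliant(request, algorithm=SSE_ALGORITHM):
    """True if a PUT carries the expected SSE header; non-PUTs pass by definition."""
    if request["method"].upper() != "PUT":
        return True
    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {name.lower(): value for name, value in request["headers"].items()}
    return headers.get(SSE_HEADER) == algorithm


def find_unencrypted_puts(requests):
    """Return the object keys of PUTs that would be stored without SSE-S3."""
    return [r["key"] for r in requests if not put_is_sse_compliant(r)]


def deny_unencrypted_put_policy(bucket):
    """Bucket policy denying PutObject when the SSE header is absent or not AES256.

    Two statements are used: a Null condition catches a missing header, and a
    StringNotEquals condition catches a header with the wrong algorithm.
    """
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPutWithoutSSE",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {
                "Sid": "DenyPutWithWrongSSE",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": SSE_ALGORITHM}
                },
            },
        ],
    }


if __name__ == "__main__":
    import json
    print("PUTs missing SSE-S3:", find_unencrypted_puts(SAMPLE_REQUESTS))
    print(json.dumps(deny_unencrypted_put_policy("PLACEHOLDER-block-bucket"), indent=2))
```

Running the audit over the constructed sample flags `blocks/0002` and `blocks/0003`; with the policy attached to the bucket, those two PUTs would be refused by the provider rather than silently stored unencrypted, which is the failure mode to watch for when a volume is remounted without the `sse` option.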

SSE is transparent to the application — no changes are needed beyond enabling the flag.

When proxy servers are in use, the SSE header is passed through from the proxy to the underlying object storage. Blocks cached on the proxy disk are stored in their plaintext form (after any client-side E2E decryption, if applicable). SSE applies only to the blocks as stored in the object storage bucket.

| Feature | Server-Side Encryption (SSE) | End-to-End Encryption (E2E) |
|---|---|---|
| Edition | All editions | Enterprise only |
| Who encrypts | Storage provider | Mount client |
| Key management | Storage provider | User-provided secret |
| Data encrypted at | Object storage layer | Before leaving mount client |
| Metadata encrypted | No | Yes |
| Protection from storage provider | No (provider has keys) | Yes (provider never sees plaintext) |

| Provider | SSE support | Notes |
|---|---|---|
| Amazon S3 | Yes | SSE-S3 (AES256) |
| Google Cloud Storage | Yes | Via S3-compatibility API |
| S3-compatible stores (MinIO, Wasabi, Ceph RGW) | Varies | Depends on the implementation |
| Azure Blob Storage | N/A | Azure encrypts at rest by default |
| Oracle Cloud Infrastructure | N/A | OCI encrypts at rest by default |