
How to Use Server-Side Encryption on Impossible Cloud Storage

Encrypting objects at rest with SSE-S3 (AES256) and bucket default encryption

Overview

Impossible Cloud Storage supports server-side encryption with Amazon S3-managed keys (SSE-S3). When you enable SSE-S3, the storage service encrypts each object with AES-256 before writing it to disk. Decryption happens automatically when you download the object.

You can enable encryption in two ways:

  • Per-object: Add the --server-side-encryption AES256 flag to each upload command.
  • Bucket default: Set an encryption configuration on the bucket so all new uploads are encrypted automatically.

Both methods use the same AES-256 algorithm. The only difference is whether you specify encryption on every request or let the bucket configuration handle it.

Prerequisites

  • An active Impossible Cloud Storage account with access keys
  • AWS CLI v2 installed and configured with your Impossible Cloud credentials
  • A bucket in one of the supported regions

If you need help setting up the AWS CLI, see the CLI User Guide.

Encrypt a single object on upload

Add the --server-side-encryption AES256 flag to your put-object command:

aws s3api put-object \
  --bucket my-bucket \
  --key documents/report.pdf \
  --body ./report.pdf \
  --server-side-encryption AES256 \
  --endpoint-url https://eu-central-2.storage.impossibleapi.net \
  --region eu-central-2

A successful response includes the encryption confirmation:

{
  "ETag": "\"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4\"",
  "ServerSideEncryption": "AES256"
}

If the response contains "ServerSideEncryption": "AES256", the object was encrypted before storage.

Encrypt objects during copy

You can also apply encryption when copying an existing object:

aws s3api copy-object \
  --bucket my-bucket \
  --key documents/report-copy.pdf \
  --copy-source my-bucket/documents/report.pdf \
  --server-side-encryption AES256 \
  --endpoint-url https://eu-central-2.storage.impossibleapi.net \
  --region eu-central-2

The response confirms encryption on the new copy:

{
  "ServerSideEncryption": "AES256",
  "CopyObjectResult": {
    "ETag": "\"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4\"",
    "LastModified": "2026-02-24T10:23:47+00:00"
  }
}

Encrypt objects during multipart upload

For large file uploads, specify encryption when you create the multipart upload:

aws s3api create-multipart-upload \
  --bucket my-bucket \
  --key backups/large-archive.tar.gz \
  --server-side-encryption AES256 \
  --endpoint-url https://eu-central-2.storage.impossibleapi.net \
  --region eu-central-2

The encryption applies to all parts uploaded within that session. You do not need to repeat the flag for each upload-part call.

Set bucket default encryption

Instead of specifying encryption on every upload, you can configure the bucket to encrypt all new objects automatically.

Enable default encryption

aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }]
  }' \
  --endpoint-url https://eu-central-2.storage.impossibleapi.net \
  --region eu-central-2

After this, every object uploaded to the bucket is encrypted with AES-256, even if the upload request does not include the --server-side-encryption flag.

Note that existing objects in the bucket are not encrypted retroactively.

Verify the encryption configuration

aws s3api get-bucket-encryption \
  --bucket my-bucket \
  --endpoint-url https://eu-central-2.storage.impossibleapi.net \
  --region eu-central-2

Expected output:

{
  "ServerSideEncryptionConfiguration": {
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }]
  }
}

Remove default encryption

aws s3api delete-bucket-encryption \
  --bucket my-bucket \
  --endpoint-url https://eu-central-2.storage.impossibleapi.net \
  --region eu-central-2

After removal, new uploads are no longer encrypted by default. Objects that were already encrypted remain encrypted.

Unsupported encryption types

Impossible Cloud Storage supports only SSE-S3 (AES256). Two other encryption types defined in the S3 specification are not supported:

SSE-C (customer-provided keys)

SSE-C lets you supply your own encryption key with each request. As of March 2026, Impossible Cloud Storage does not support this method.

If you need to manage your own encryption keys, use client-side encryption instead. Encrypt the data before uploading it, and decrypt it after downloading. Your backup software or SDK handles the key management in this case.

SSE-KMS (AWS Key Management Service)

SSE-KMS uses AWS KMS to manage encryption keys. Impossible Cloud Storage does not support KMS.

Do not set aws:kms as bucket default encryption. The configuration is accepted, but all subsequent uploads to the bucket fail with 500 Internal Server Error until you revert the setting to AES256 or delete the encryption configuration.

Supported encryption summary

| Encryption Type | Supported | What Happens |
|---|---|---|
| SSE-S3 (AES256) | Yes | Objects encrypted at rest with AES-256. Decrypted on download. |
| Bucket default (AES256) | Yes | All new uploads auto-encrypted without per-request flags. |
| SSE-C (customer keys) | No | Not supported |
| SSE-KMS | No | Not supported |
| Client-side encryption | Yes (your responsibility) | Encrypt before upload, decrypt after download. |

Known differences from AWS S3

If you are migrating from AWS S3 or using tools that check encryption headers, be aware of these differences:

  • HEAD and GET responses do not include the x-amz-server-side-encryption header, even for encrypted objects.
  • Complete Multipart Upload responses do not include the ServerSideEncryption field. The individual parts are still encrypted.

These differences do not affect data security. They may affect monitoring tools or scripts that check for the encryption header to verify compliance.
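A compliance check that does not rely on the missing response header, as an added example (not part of the original article or of Impossible Cloud's tooling): it classifies get-bucket-encryption output and flags the aws:kms default that breaks uploads. The function names, verdict strings and sample JSON are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit bucket default encryption from get-bucket-encryption output.
ENDPOINT="https://eu-central-2.storage.impossibleapi.net"
REGION="eu-central-2"

# Constructed sample responses (not captured from a real bucket).
SAMPLE_AES='{"ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}}'
SAMPLE_KMS='{"ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"}}]}}'

# Print every SSEAlgorithm value found in the JSON on stdin, one per line.
sse_algorithms() {
  grep -o '"SSEAlgorithm"[[:space:]]*:[[:space:]]*"[^"]*"' |
    sed 's/.*"\([^"]*\)"$/\1/'
}

# Classify get-bucket-encryption JSON on stdin; exit status 0 only for AES256.
classify_bucket_encryption() {
  local algos
  algos="$(sse_algorithms)"
  if [ -z "$algos" ]; then
    echo "NO_DEFAULT"; return 1      # new uploads need the per-object flag
  elif printf '%s\n' "$algos" | grep -qx 'aws:kms'; then
    echo "BROKEN_KMS"; return 2      # uploads fail with 500 until reverted
  elif printf '%s\n' "$algos" | grep -qvx 'AES256'; then
    echo "UNSUPPORTED"; return 3     # any value other than AES256
  fi
  echo "OK_AES256"
}

# Live check for one bucket. How the service answers when no configuration
# exists is not stated on the page, so a failed call is reported separately.
audit_bucket() {
  local json
  if ! json="$(aws s3api get-bucket-encryption --bucket "$1" \
        --endpoint-url "$ENDPOINT" --region "$REGION" 2>/dev/null)"; then
    echo "LOOKUP_FAILED"; return 4
  fi
  printf '%s\n' "$json" | classify_bucket_encryption
}

# Usage: ./audit.sh bucket-a bucket-b   (with no arguments nothing is contacted)
for bucket in "$@"; do
  printf '%s\t%s\n' "$bucket" "$(audit_bucket "$bucket")"
done
```

An OK_AES256 verdict covers new uploads only; objects stored before the default was set are not encrypted retroactively.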

Frequently asked questions

What encryption types does Impossible Cloud Storage support?

Impossible Cloud Storage supports SSE-S3 with AES-256 encryption. This covers both per-object encryption and bucket default encryption. SSE-C and SSE-KMS are not supported.

Is my data encrypted at rest even without SSE?

Yes. Impossible Cloud encrypts all data at the infrastructure level. SSE-S3 adds an additional application-level encryption layer on top of that.

Why do I get a 501 error when uploading with SSE-C?

Impossible Cloud Storage does not support customer-provided encryption keys (SSE-C). The 501 Not Implemented response confirms this. Remove the x-amz-server-side-encryption-customer-* headers from your request and use --server-side-encryption AES256 instead.

Why do I get a 500 error when uploading with SSE-KMS?

SSE-KMS is not supported. The 500 Internal Server Error response occurs when the API receives the aws:kms encryption type. Switch to AES256 or remove the encryption header.

Why do I get a 500 error after setting bucket default encryption?

If you set the bucket default encryption to aws:kms, all uploads fail with 500 Internal Server Error. This happens because KMS is not supported. To fix this, revert the encryption setting to AES256:

aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }]
  }' \
  --endpoint-url https://eu-central-2.storage.impossibleapi.net \
  --region eu-central-2

Or delete the encryption configuration entirely:

aws s3api delete-bucket-encryption \
  --bucket my-bucket \
  --endpoint-url https://eu-central-2.storage.impossibleapi.net \
  --region eu-central-2

Can I use client-side encryption with Impossible Cloud?

Yes. You can encrypt data before uploading it to Impossible Cloud Storage. The service stores the encrypted ciphertext and returns it as-is on download. Key management is your responsibility. Most backup tools (Veeam, Acronis, MSP360) offer built-in client-side encryption options.