Object Server-Side Encryption

Wasabi encrypts all data stored at rest regardless of the requested encryption. The system uses a caller-provided encryption key when one is given, or generates a random key encryption key for each object if no customer key is provided. If the customer provides the encryption key, then, as with AWS S3, Wasabi does not keep a copy of the customer key in the metadata, and the caller must provide the encryption key to read the data. No action on the part of the caller is needed if Wasabi provides the encryption key.

The caller may provide the encryption key using the headers x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key, and x-amz-server-side-encryption-customer-key-MD5. These parameters work identically to AWS S3.
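The following added example (not Wasabi's own code) builds the three customer-key headers and checks them for consistency before a request is sent. It assumes the AWS S3 conventions the paragraph above refers to: the algorithm value AES256, a base64-encoded 256-bit key, and a base64-encoded MD5 digest of the raw key bytes. The helper names sse_c_headers and check_sse_c_headers are hypothetical.

```python
import base64
import hashlib
import secrets

ALGO_HDR = "x-amz-server-side-encryption-customer-algorithm"
KEY_HDR = "x-amz-server-side-encryption-customer-key"
MD5_HDR = "x-amz-server-side-encryption-customer-key-MD5"


def sse_c_headers(key: bytes) -> dict:
    """Build the three customer-key headers for a raw 256-bit key (hypothetical helper)."""
    if len(key) != 32:
        raise ValueError("AES256 customer keys must be exactly 32 bytes")
    return {
        ALGO_HDR: "AES256",  # assumed value, as in AWS S3
        # The key itself travels base64-encoded, so send it only over TLS.
        KEY_HDR: base64.b64encode(key).decode("ascii"),
        # Digest of the raw key bytes (not of the base64 text), base64-encoded.
        MD5_HDR: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def check_sse_c_headers(headers: dict) -> bool:
    """Client-side check that the key, its length and its MD5 header agree."""
    try:
        key = base64.b64decode(headers[KEY_HDR], validate=True)
        digest = base64.b64decode(headers[MD5_HDR], validate=True)
    except (KeyError, ValueError):
        return False  # header missing or not valid base64
    return (
        headers.get(ALGO_HDR) == "AES256"
        and len(key) == 32
        and secrets.compare_digest(digest, hashlib.md5(key).digest())
    )


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key; the caller must retain it
    put_headers = sse_c_headers(key)
    # The same three headers must accompany any later read of the object.
    print(check_sse_c_headers(put_headers))
```

Because the customer key is not kept on the service side, the key used for the upload has to be stored by the caller; losing it makes the object unreadable.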

Wasabi does not support a key management service. Hence, the “x-amz-server-side-encryption” header is not supported, nor is any of the “aws:kms” functionality.

Wasabi stores an MD5 for the data that is always the MD5 of the uploaded data, regardless of server-side encryption.