--- title: Steps for Encryption --- E2E Networks provides two methods to secure your objects in Object Storage using encryption: - **E2E Managed Encryption** – Encryption is handled automatically by E2E Networks. - **User-Managed Keys** – User manage and apply your own encryption keys using the **MinIO client (mc)**. --- ## Option 1: Enable E2E Managed Encryption (Server-Side) E2E Managed Encryption allows you to encrypt your bucket and its contents automatically. E2E Networks handles key management and encryption at rest. ### Steps to Enable E2E Managed Encryption 1. **Navigate to Object Storage** - Go to **Object Storage** under Storage section from the **MyAccount** dashboard. ![Get Started With Object Storage](images/object-storage.png) 2. **Create a New Bucket** - Click the **Add Bucket** button. ![Create a New Bucket](images/addbucket.png) - The **Enable Encryption** checkbox will be **checked by default**. - Proceed to create the bucket. It will now be encrypted by **E2E Managed encryption** service. ![Enable Encryption](images/enable-encryption-button.png) 3. **Generate Access Credentials** - Click on **Manage Access Keys**. ![Manage Access Key](images/manage-access-key.png) - Then click **Create Access Key**. ![Create Access Key](images/create-access-key.png) - Enter a name and click **Generate Keys**. ![Generate Access key](images/generate-keys.png) 4. **Configure Credentials Locally** - Use the command shown in the UI to configure your credentials locally using the MinIO client: ```bash mc alias set https:// ``` *(This command is pre-filled in the UI for your convenience.)* ![Command to add alias](images/command.png) 5. **Attach Access Key to the Bucket** - Return to your **Buckets** list. - Open the relevant bucket and go to the **Permissions** tab. - Click **Attach Access Key**. ![Attach Access Key](images/attach-access-keys.png) - Select the newly created access key. - Choose **Bucket Admin** to allow full permissions. ![Bucket access](images/bucket-admin.png) 6. **Upload an Object** - Go to the **Objects** tab inside the bucket. - Click the **Upload** button and select the file you want to upload. ![Upload Objects](images/upload-button.png)P 7. **Verify Encryption Status** - Run the following command to verify encryption on the uploaded file: ```bash mc stat // ``` - The output will look like this. ![Encryption Status](images/encryption-status.png) --- ## Option 2: Encryption through User Managed Keys You can also manage encryption yourself using your own passphrases or keys. ### Client-Side Steps Follow these steps to encrypt objects **before uploading** them: 1. **Generate a 256-bit Hex Encryption Key** ```bash openssl rand -base64 32 | base64 -d | xxd -p -c 32 ``` 2. **Upload the Object with Encryption** ```bash mc cp / --enc-c "// =" ``` #### Parameters - ``: Path to the file you wish to upload. _Example_: `seed_data.json` - ``: The alias configured in your MinIO Client for the storage. _Example_: `enctest` - ``: Name of your target bucket. _Example_: `my-bucket` - ``: Desired name for the object in the bucket. _Example_: `seed_data.json` - ``: A 64-character hexadecimal string representing your 256-bit encryption key. _Example_: `4a6566656b656e6472616b61737361636b656e6372797074696f6e6b6579733031323334` --- ### Important Note - All future operations on this object — such as **download**, **viewing metadata** — will require the **same encryption key**, provided in this format: ```bash --enc-c "/=" ``` - **Delete operations** are not restricted by encryption keys. - **Data Recovery Warning**: If the encryption key is lost, data will be permanently inaccessible. Recovery is not possible without the original encryption key. - **UI Action Error**: Trying to do operations such as download/create presigned-URL from UI on objects encrypted with User Managed Keys will result in an error. :::tip Note E2E Managed Encryption settings can be overridden by User Managed Keys Encryption during individual object upload through Minio Client (mc cli). ::: ---