SSE-C: Server-Side Encryption with Customer-Provided Encryption Keys
In SSE-C, the client supplies the secret key needed to read and write data.
| ![[Note]](../common/images/admon/note.png) | Note | 
|---|---|
| SSE-C integration with Hadoop is still stabilizing; issues related to it are still surfacing. It is already clear that SSE-C with a common key must be used exclusively within a bucket if it is to be used at all. This is the only way to ensure that path and directory listings do not fail with "Bad Request" errors. | 
Enabling SSE-C
To use SSE-C, the configuration option
          fs.s3a.server-side-encryption-algorithm must be set to
          SSE-C, and a base-64 encoding of the key placed in
          fs.s3a.server-side-encryption.key.
<property> <name>fs.s3a.server-side-encryption-algorithm</name> <value>SSE-C</value> </property> <property> <name>fs.s3a.server-side-encryption.key</name> <value>RG8gbm90IGV2ZXIgbG9nIHRoaXMga2V5IG9yIG90aGVyd2lzZSBzaGFyZSBpdA==</value> </property>
This property can be set in a Hadoop JCEKS credential file, which is significantly more secure than embedding secrets in the XML configuration file.

