How To Set Up Server Side Encryption For AWS KMS

ObjectiveFS provides client-side encryption, which encrypts the data on your server before it is sent to the object store. The data stays encrypted in transit and at rest. The client-side encryption is always enabled.

For enterprise users, ObjectiveFS also supports server-side encryption on AWS using Amazon S3-managed encryption keys (SSE-S3) and AWS KMS-managed encryption keys (SSE-KMS). This guide describes how to set up ObjectiveFS to run with AMS KMS.

What You Need


  1. Install stunnel

    $ yum install stunnel

  2. Edit /etc/stunnel/stunnel.conf with the following 4 lines:

    accept=localhost:<port>   ## e.g. localhost:8086
    connect=<endpoint>:443    ## e.g.
    For list of endpoints, see here

  3. Run stunnel on your command line (or using your init tools)

    $ stunnel

  4. In /etc/objectivefs.env, create a file named AWS_SERVER_SIDE_ENCRYPTION with content as:

    • aws:kms (if using the default KMS key)

      $ cat /etc/objectivefs.env/AWS_SERVER_SIDE_ENCRYPTION

    • <your kms key> (if using a specific KMS key, e.g. arn:aws:kms:12345/6789)

      $ cat /etc/objectivefs.env/AWS_SERVER_SIDE_ENCRYPTION

  5. In /etc/objectivefs.env, create a file named http_proxy with content as http://localhost:<port> (e.g. http://localhost:8086)

  6. Create a filesystem (one-time only) and mount the filesystem as usual

    $ sudo mount.objectivefs create mybucket
    $ sudo mount.objectivefs mybucket /ofs


by ObjectiveFS staff, January 6, 2016
ObjectiveFS is a shared file system for OS X and Linux that automatically scales and gives you scalable cloud storage. If you have questions or article idea suggestions, please email us at