Server-side encryption

Encrypting objects is optional with Telnyx Storage. By default, no encryption will be applied to the objects you upload.

Server-side encryption with Telnyx Managed Keys

To encrypt your object, pass the x-amz-server-side-encryption: 1 header in the request while uploading the object. An example of a full API request is as follows:

```bash
curl --location --request PUT 'https://storage.telnyx.com/{{bucket_name}}/{{object_name}}' \
--header 'x-amz-server-side-encryption: 1' \
--header 'Content-Type: application/octet-stream' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential={{your_telnyx_api_key_here}}/20221006/us-east-1/execute-api/aws4_request, SignedHeaders=content-type;host, Signature=9d7d89295a706559c670a03959d2429b4026eb20eb38a378d9e1e112e068fc81' \
--data-binary '@/{{file_directory_path}}'
```

Note: After pasting the above command, check for and remove any line breaks that were added.

By passing the x-amz-server-side-encryption: 1 header in the request, Telnyx will generate a unique encryption key based on AES-256 standards. The object will be encrypted using that unique key as it is streamed to Telnyx. If there is an issue with encrypting the object, the request will fail and you will have to retry uploading the object.

When you eventually want to retrieve your object, Telnyx will decrypt the object so that it is returned to you in its original state.

The encryption keys are managed by Telnyx, and no user (including yourself) will have access to the keys.

Server-side encryption with Client Managed Keys

Telnyx Storage also provides you with the flexibility to protect your data using your own encryption keys.

To encrypt your object using your own keys, you will need to include 3 headers in your request:

| Request Header | Description |
| --- | --- |
| `x-amz-server-side-encryption-customer-algorithm` | Defines the encryption method. Only `aes256` is supported |
| `x-amz-server-side-encryption-customer-key` | Where you specify your base64 encoded encryption key |
| `x-amz-server-side-encryption-key-MD5` | MD5 digest of your base64 encoded encryption key |

An example of a full API request is as follows:

```bash
curl --location --request PUT 'https://storage.telnyx.com/:bucket_name/:object_name' \
--header 'x-amz-server-side-encryption-customer-algorithm: aes256' \
--header 'x-amz-server-side-encryption-customer-key: {{your_base64_encoded_encryption_key}};' \
--header 'x-amz-server-side-encryption-key-MD5: {{MD5_digest_of_your_base64_encryption_key}};' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential={{your_telnyx_api_key_here}}/20230127/test/execute-api/aws4_request, SignedHeaders=host;x-amz-server-side-encryption-customer-algorithm;x-amz-server-side-encryption-customer-key;x-amz-server-side-encryption-key-md5, Signature=none' \
--header 'Content-Type: text/plain' \
--data-binary '@/{{file_directory_path}}'
```

Note: After pasting the above command, check for and remove any line breaks that were added.

Telnyx will encrypt your object using your specified encryption key. To retrieve and decrypt your object, you will need to provide the same three encryption headers in the request. Telnyx will not keep any historical record of the encryption keys that you provided.
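
Added example (not Telnyx's own code): a Python helper that generates a 256-bit key, builds the three client-managed-key headers described above, and checks a header set for consistency before it is sent, so the same set can be reused for retrieval. Assumptions: the digest header is base64 encoded and, by default, computed over the raw key bytes as in the S3 SSE-C convention; `over_base64_text=True` instead hashes the base64 text, as the table's wording reads; all function and constant names are illustrative.

```python
import base64
import hashlib
import secrets

ALGORITHM = "aes256"   # the only value the page lists as supported
KEY_BYTES = 32         # AES-256 uses a 256-bit key
H_ALG = "x-amz-server-side-encryption-customer-algorithm"
H_KEY = "x-amz-server-side-encryption-customer-key"
H_MD5 = "x-amz-server-side-encryption-key-MD5"


def new_key() -> bytes:
    """Generate a random 256-bit key from the OS CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def _digest(key: bytes, over_base64_text: bool) -> str:
    # Assumption: the digest travels base64 encoded (S3-style SSE-C).
    data = base64.b64encode(key) if over_base64_text else key
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def ssec_headers(key: bytes, over_base64_text: bool = False) -> dict:
    """Build the three headers; send the same set on upload and retrieval."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"key must be {KEY_BYTES} bytes, got {len(key)}")
    return {
        H_ALG: ALGORITHM,
        H_KEY: base64.b64encode(key).decode("ascii"),
        H_MD5: _digest(key, over_base64_text),
    }


def check_headers(headers: dict, over_base64_text: bool = False) -> list:
    """Return the problems found in a header set (empty list = consistent)."""
    problems = [f"missing {h}" for h in (H_ALG, H_KEY, H_MD5) if h not in headers]
    if problems:
        return problems
    if headers[H_ALG] != ALGORITHM:
        problems.append(f"unsupported algorithm {headers[H_ALG]!r}")
    try:
        key = base64.b64decode(headers[H_KEY], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + ["key is not valid base64"]
    if len(key) != KEY_BYTES:
        problems.append(f"key decodes to {len(key)} bytes, expected {KEY_BYTES}")
    elif headers[H_MD5] != _digest(key, over_base64_text):
        problems.append("MD5 header does not match the key")
    return problems
```

Store the raw key in a secrets manager and keep it out of logs and shell history; the headers returned by `ssec_headers` carry the key itself.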