Although the gateway comes with native ChaCha20 encryption to make sure files are secured in transit and at rest, it is possible to add a second encryption layer. A second layer of client-side encryption can be achieved through two different paths:

1. Offload client-side encryption to the gateway by passing the --encryption-key flag at startup with a custom encryption key. Please note that if you change the encryption key, you will have to remember which key you used with which file, because a file can only be decrypted with the key it was encrypted under.

2. Encrypt the data before it reaches the gateway:
   - AWS offers the AWS Encryption-CLI, which performs client-side encryption before the data is uploaded to S3. This does, however, mean that data has to be encrypted first and then sent to the gateway for upload.
   - At the application level it is possible to add client-side encryption through the AWS SDK with client master keys.
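Whichever path is chosen, the bookkeeping problem from the first one, knowing which key a given file was encrypted with, applies just as much when you encrypt before upload. The following Go program is an added example and is not code from the gateway, the AWS Encryption-CLI or the AWS SDK: it shows the envelope-encryption pattern behind the AWS client-side tools (a fresh per-file data key wrapped under a client-held master key) and records the master key's ID in an authenticated header so the right key can be found again after a rotation. The object layout, the key IDs and the passphrase-derived demo keys are constructed for the example, and AES-256-GCM from the Go standard library stands in for whichever AEAD the real tools use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed object layout for this example:
// magic(4) | keyIDLen(2, big-endian) | keyID | wrapNonce(12) | wrappedDEK(48) | dataNonce(12) | ciphertext
const (
	magic     = "CSE1"
	nonceSize = 12 // standard AES-GCM nonce
	dekSize   = 32 // AES-256 per-object data encryption key
	tagSize   = 16 // GCM authentication tag
)

// MasterKey is a long-lived key the client keeps and never sends to the gateway; its ID
// goes into every object header so the matching key can be found again later.
type MasterKey struct {
	ID  string
	Key [32]byte
}

// MasterKeyFromPassphrase derives a demo key (assumption for the example); real deployments
// load master keys from a KMS or secrets store instead.
func MasterKeyFromPassphrase(id, passphrase string) MasterKey {
	return MasterKey{ID: id, Key: sha256.Sum256([]byte(passphrase))}
}

// newGCM builds AES-256-GCM; every key passed in is exactly 32 bytes, so neither call can fail.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Encrypt wraps a fresh DEK under the master key (envelope encryption) and encrypts the payload
// with that DEK. The header is bound as associated data, so rewriting it to another key ID fails.
func Encrypt(mk MasterKey, plaintext []byte) ([]byte, error) {
	if len(mk.ID) == 0 || len(mk.ID) > 0xFFFF {
		return nil, errors.New("key ID must be 1..65535 bytes")
	}
	rnd := make([]byte, dekSize+2*nonceSize) // DEK and both nonces in one CSPRNG read
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	dek, wrapNonce, dataNonce := rnd[:dekSize], rnd[dekSize:dekSize+nonceSize], rnd[dekSize+nonceSize:]
	aad := []byte(magic + mk.ID)
	var out bytes.Buffer
	out.WriteString(magic)
	binary.Write(&out, binary.BigEndian, uint16(len(mk.ID)))
	out.WriteString(mk.ID)
	out.Write(wrapNonce)
	out.Write(newGCM(mk.Key[:]).Seal(nil, wrapNonce, dek, aad))
	out.Write(dataNonce)
	out.Write(newGCM(dek).Seal(nil, dataNonce, plaintext, aad))
	return out.Bytes(), nil
}

// KeyID reads the key ID from the header without needing any key.
func KeyID(obj []byte) (string, error) {
	if len(obj) < len(magic)+2 || string(obj[:len(magic)]) != magic {
		return "", errors.New("not a client-side encrypted object")
	}
	n, start := int(binary.BigEndian.Uint16(obj[len(magic):])), len(magic)+2
	if len(obj) < start+n {
		return "", errors.New("truncated header")
	}
	return string(obj[start : start+n]), nil
}

// Decrypt looks the header's key ID up in the key ring (retired keys must stay in it after a
// rotation), unwraps the DEK and decrypts the payload; a missing key or any tampering is an error.
func Decrypt(ring map[string]MasterKey, obj []byte) ([]byte, error) {
	id, err := KeyID(obj)
	if err != nil {
		return nil, err
	}
	mk, ok := ring[id]
	if !ok {
		return nil, fmt.Errorf("no master key with ID %q in the key ring", id)
	}
	p := len(magic) + 2 + len(id)
	wrapEnd := p + nonceSize + dekSize + tagSize
	if len(obj) < wrapEnd+nonceSize+tagSize {
		return nil, errors.New("truncated object")
	}
	aad := []byte(magic + id)
	dek, err := newGCM(mk.Key[:]).Open(nil, obj[p:p+nonceSize], obj[p+nonceSize:wrapEnd], aad)
	if err != nil {
		return nil, errors.New("DEK unwrap failed: wrong key or tampered header")
	}
	pt, err := newGCM(dek).Open(nil, obj[wrapEnd:wrapEnd+nonceSize], obj[wrapEnd+nonceSize:], aad)
	if err != nil {
		return nil, errors.New("payload authentication failed")
	}
	return pt, nil
}
```

Decrypt takes a key ring rather than a single key: after rotating to a new master key, the old key stays in the ring so files written under it remain readable, and a file whose key ID is missing from the ring fails with an explicit error instead of producing garbage. KeyID answers the "which key was this file encrypted with?" question from the header alone, without any key material. Nonces are random per object, which is fine for a single-use data key but means the usual AES-GCM limit on random-nonce encryptions under one master key still applies to the wrapping step.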
We highly recommend doing client-side encryption with open-source encryption packages whose security and reliability can be verified, and have been verified, by the community. Doing your own encryption is always better than trusting a tool by someone else.