Encryption
Filebase encrypts every object at rest and in transit by default. There is no flag to turn encryption on or off — it's always on for every bucket and every object on every plan.
In transit
All requests to s3.filebase.io are served over TLS 1.2 or higher. HTTP requests are redirected to HTTPS. The S3 endpoint does not accept unencrypted traffic.
This applies uniformly to:
- API requests (signed S3 calls).
- Public bucket reads.
- Pre-signed URL downloads.
At rest
Every object is encrypted on disk before it's persisted to storage media. Encryption keys are managed by Filebase — there is no extra configuration on your side and no impact on read or write performance.
Server-side encryption headers
Filebase accepts the standard AWS S3 SSE headers for compatibility, even though encryption is always-on:
x-amz-server-side-encryption: AES256x-amz-server-side-encryption: aws:kms(treated as AES-256 — no separate KMS integration)
You can pass these headers from any S3 client without errors. They are accepted and reflected in HeadObject responses, which keeps tooling that asserts encryption is enabled (security scanners, compliance audits) happy.
Customer-provided keys (SSE-C)
SSE-C — where you supply the encryption key on every request — is not supported. If your compliance regime requires customer-managed keys, encrypt the object client-side before uploading it (using a library like age, libsodium, or the AWS Encryption SDK) and decrypt on read.
Compliance and certifications
For the latest list of compliance certifications and audit reports, see the Filebase security page on the marketing site or contact hello@filebase.com directly.