Server-side encryption
Encryption on Filebase is always on for every object on every plan. There is no flag to enable it; there is no flag to turn it off.
This page covers the API-surface details for compatibility with tools that explicitly request server-side encryption.
Headers Filebase accepts
Filebase accepts the standard AWS S3 server-side encryption headers on PUT operations for compatibility:
x-amz-server-side-encryption: AES256
x-amz-server-side-encryption: aws:kms
In both cases the object is encrypted with AES-256 — Filebase does not have a separate KMS integration. The header is reflected back on HeadObject and GetObject so security scanners and compliance tools that expect to verify encryption pass their checks.
What's not supported
- SSE-C (customer-provided encryption keys via x-amz-server-side-encryption-customer-key headers) — not supported. Encrypt client-side if you need a key you control.
- KMS-specific operations like aws:kms:dsse (dual-layer SSE-KMS) — not supported.
- Disabling encryption — not possible.
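A pre-flight check for tooling that is being pointed at Filebase, as an added example that is not Filebase's own code: it classifies the SSE headers a client plans to send on PUT according to the behaviour described above. The function names, severity labels and sample header sets are assumptions made for this example, and x-amz-server-side-encryption-customer-algorithm is a standard S3 SSE-C header that this page does not name.

```python
# Added example: audit the SSE headers a client plans to send on PUT.
SSE = "x-amz-server-side-encryption"
SSE_C_PREFIX = SSE + "-customer-"  # SSE-C header family


def audit_put_headers(headers):
    """Return a list of (severity, message) findings for planned PUT headers."""
    # HTTP header names are case-insensitive; normalise before matching.
    h = {name.strip().lower(): value.strip() for name, value in headers.items()}
    findings = []

    # Any SSE-C header means the caller expects to hold the key. Not supported.
    if any(name.startswith(SSE_C_PREFIX) for name in h):
        findings.append(("BLOCK", "SSE-C not supported; encrypt client-side"))

    requested = h.get(SSE)
    if requested is None:
        findings.append(("INFO", "no SSE header; object is encrypted anyway"))
    elif requested == "AES256":
        findings.append(("OK", "AES256 requested; object encrypted with AES-256"))
    elif requested == "aws:kms":
        # Accepted and reflected back, but there is no KMS behind it.
        findings.append(("WARN", "aws:kms accepted, but encryption is AES-256 "
                                 "with no KMS integration"))
    elif requested == "aws:kms:dsse":
        findings.append(("BLOCK", "aws:kms:dsse not supported"))
    else:
        # Assumption: values the page does not list are sent for manual review.
        findings.append(("REVIEW", "SSE value %r is not covered" % requested))
    return findings


def blocked(findings):
    """True when the client relies on a feature that is not supported."""
    return any(severity == "BLOCK" for severity, _ in findings)


if __name__ == "__main__":
    # Constructed sample header sets, not captured traffic.
    samples = [
        {"X-Amz-Server-Side-Encryption": "aws:kms"},
        {"x-amz-server-side-encryption-customer-algorithm": "AES256",
         "x-amz-server-side-encryption-customer-key": "CONSTRUCTED-PLACEHOLDER"},
    ]
    for sample in samples:
        for severity, message in audit_put_headers(sample):
            print(severity, message)
```

The WARN case is the one a compliance review should look at: a reflected aws:kms header passes a scanner's check, but it does not indicate a KMS-managed key.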
Bucket default encryption
GetBucketEncryption returns AES-256 as the default for every bucket:
aws --endpoint https://s3.filebase.io s3api get-bucket-encryption --bucket my-bucket
{
  "ServerSideEncryptionConfiguration": {
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "AES256"
        }
      }
    ]
  }
}
PutBucketEncryption is accepted for compatibility but has no effect — encryption is already on.
Client-side encryption
If you need encryption with a key you manage entirely (for compliance regimes that prohibit any provider key custody), encrypt client-side before uploading:
- age — modern, simple, designed for files
- libsodium — cross-language, audited primitives
- AWS Encryption SDK — drop-in if you're already using AWS KMS for key custody
The encrypted blob then uploads via standard PutObject. Decryption happens after GetObject returns the body.