

# Amazon S3 client-side encryption with S3A
<a name="emr-s3a"></a>

Starting with Amazon Elastic Map Reduce (EMR) release version 7.6.0, the S3A filesystem connector supports Amazon S3 client-side encryption: encryption and decryption of Amazon S3 data occur directly within the S3A client on your compute cluster. When this feature is enabled, files are encrypted before they are uploaded to Amazon S3 and decrypted after they are downloaded. For details about the encryption methodology and its implementation, see [Protecting data using client-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html) in the *Amazon Simple Storage Service User Guide*.

When enabling Client-Side Encryption (CSE) with S3A in Amazon EMR, you have two key management system options:
+ **CSE-KMS** – This approach utilizes an AWS Key Management Service (KMS) key configured with policies specifically designed for Amazon EMR. For detailed information about key requirements, refer to the [Using AWS KMS keys for encryption](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-encryption-enable.html#emr-awskms-keys) documentation.
+ **CSE-CUSTOM** – This method allows you to integrate a custom Java class that provides the client-side root key responsible for encrypting and decrypting data.

**Note**  
S3A Client-Side Encryption in EMR is inherently compatible with EMRFS Client-Side Encryption, meaning objects encrypted using EMRFS CSE can be read through S3A CSE.

**Topics**
+ [Setup CSE-KMS](emr-s3a-cse-kms.md)
+ [Setup CSE-CUSTOM](emr-s3a-cse-custom.md)
+ [Properties for Amazon S3 client-side encryption with S3A](emr-encryption-s3a-properties.md)

# Setup CSE-KMS
<a name="emr-s3a-cse-kms"></a>

You can enable client-side encryption using AWS KMS (CSE-KMS) in two primary scopes:
+ The first is cluster-wide configuration:

  ```
  [
    {
      "Classification":"core-site",
      "Properties": {
         "fs.s3a.encryption.algorithm": "CSE-KMS",
         "fs.s3a.encryption.key":"${KMS_KEY_ID}"
      }
    }
  ]
  ```
**Note**  
If the AWS KMS key region is different from the S3 bucket/EMR region, you must also set the following configuration: `fs.s3a.encryption.cse.kms.region=${KMS_REGION}`.
+ The second is job or application-specific configuration. CSE-KMS can be set up for a specific Spark application as follows:

  ```
  spark-submit --conf spark.hadoop.fs.s3a.encryption.algorithm=CSE-KMS --conf spark.hadoop.fs.s3a.encryption.key=${KMS_KEY_ID}
  ```

# Setup CSE-CUSTOM
<a name="emr-s3a-cse-custom"></a>

To use CSE-CUSTOM, you must create a custom key provider by implementing the [Keyring](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html) interface. Here's a sample implementation:

```
import java.util.List;

// Keyring interface and materials types of the Amazon S3 Encryption Client (v3)
import software.amazon.encryption.s3.materials.DecryptionMaterials;
import software.amazon.encryption.s3.materials.EncryptedDataKey;
import software.amazon.encryption.s3.materials.EncryptionMaterials;
import software.amazon.encryption.s3.materials.Keyring;

public class CustomKeyring implements Keyring {
  public CustomKeyring() {
    // custom code: obtain or initialise the client-side root key
  }

  @Override
  public EncryptionMaterials onEncrypt(EncryptionMaterials encryptionMaterials) {
    // custom code: wrap the data key with the root key and return the
    // materials with the resulting encrypted data key attached
  }

  @Override
  public DecryptionMaterials onDecrypt(DecryptionMaterials decryptionMaterials,
      List<EncryptedDataKey> encryptedDataKeys) {
    // custom code: unwrap one of the encrypted data keys with the root key
    // and return the materials with the plaintext data key set
  }
}
```

You can enable Client-Side Encryption Custom Keys (CSE-CUSTOM) in two primary scopes:
+ The first scope is cluster-wide configuration:

  ```
  [
    {
      "Classification":"core-site",
      "Properties": {
         "fs.s3a.encryption.algorithm": "CSE-CUSTOM",
         "fs.s3a.cse.customKeyringProvider.uri":"S3 path of custom jar",
         "fs.s3a.encryption.cse.custom.keyring.class.name":"fully qualified class name"
      }
    }
  ]
  ```
+ The second is job or application-specific configuration. CSE-CUSTOM can be set up for a specific Spark application as follows:

  ```
  spark-submit --conf spark.hadoop.fs.s3a.encryption.algorithm=CSE-CUSTOM --conf spark.hadoop.fs.s3a.encryption.cse.custom.keyring.class.name=fully qualified class name
  ```
**Note**  
Ensure that the required custom jar for generating encryption/decryption keys is present in the class path.
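
As an added example that is not part of this documentation, the following Python builds the cluster-wide `core-site` classification for either CSE-KMS or CSE-CUSTOM, as shown in the two sections above, together with the equivalent `spark-submit --conf` arguments. The property names are the ones given above; deriving the KMS key region from a key ARN so that `fs.s3a.encryption.cse.kms.region` is emitted only when it differs from the cluster region is this example's own approach, and the bucket, key and class names are constructed placeholders.

```python
# Added example (not from the EMR docs): property names come from the page; deriving the KMS region from the key ARN is assumed.
import json
import re

# Standard AWS KMS ARN layout: arn:partition:kms:region:account:key/<id> (or alias/<name>)
_KMS_ARN = re.compile(r"^arn:[^:]+:kms:(?P<region>[a-z0-9-]+):\d{12}:(key|alias)/\S+$")

def cse_kms_properties(kms_key, cluster_region, kms_region=None):
    """core-site properties for CSE-KMS. The kms.region override is added only
    when the key's region is known and differs from the cluster/bucket region."""
    props = {"fs.s3a.encryption.algorithm": "CSE-KMS", "fs.s3a.encryption.key": kms_key}
    m = _KMS_ARN.match(kms_key)
    if m:
        kms_region = m.group("region")  # an ARN carries its region; a bare key ID does not
    if kms_region and kms_region != cluster_region:
        props["fs.s3a.encryption.cse.kms.region"] = kms_region
    return props

def cse_custom_properties(jar_s3_uri, keyring_class):
    """core-site properties for CSE-CUSTOM, rejecting malformed inputs before
    the cluster is launched rather than at the first S3A access."""
    if not jar_s3_uri.startswith("s3://"):
        raise ValueError("keyring jar must be an S3 URI")
    if not re.fullmatch(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+", keyring_class):
        raise ValueError("keyring class must be a fully qualified Java class name")
    return {
        "fs.s3a.encryption.algorithm": "CSE-CUSTOM",
        "fs.s3a.cse.customKeyringProvider.uri": jar_s3_uri,
        "fs.s3a.encryption.cse.custom.keyring.class.name": keyring_class,
    }

def core_site_classification(props):
    """JSON list in the shape EMR expects for a cluster-wide configuration."""
    return json.dumps([{"Classification": "core-site", "Properties": props}], indent=2)

def spark_submit_confs(props):
    """The same settings expressed as per-application spark-submit --conf arguments."""
    return [f"--conf spark.hadoop.{k}={v}" for k, v in props.items()]

if __name__ == "__main__":
    # Constructed sample values: a key in us-west-2 used from a cluster in us-east-1.
    props = cse_kms_properties("arn:aws:kms:us-west-2:123456789012:key/EXAMPLE-KEY-ID", "us-east-1")
    print(core_site_classification(props))
    print(" ".join(["spark-submit"] + spark_submit_confs(props)))
```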

# Properties for Amazon S3 client-side encryption with S3A
<a name="emr-encryption-s3a-properties"></a>

To configure client-side encryption with S3A, there are several configuration properties that must be set in your core-site.xml settings. For more information about custom configuration settings, see [Configure applications](emr-configure-apps.html).

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-encryption-s3a-properties.html)