Encryption on amazon s3

By default, objects uploaded to S3 do not get encrypted by Amazon servers before being stored on disk.

Server Side Encryption

Add the s3_server_side_encryption option to enable server side encryption by Amazon servers before your objects are committed to disk.

has_attached_file :file, s3_permissions: :private,
                         s3_server_side_encryption: :aes256

This adds the x-amz-server-side-encryption header upon upload by Paperclip, which triggers encryption by amazon.

Client Side Encryption

If you need client side encryption, from your server to S3, you will need to use an encryption pre-processor.

If you need client side encryption, from your client to your server, you will need to handle this outside of paperclip with a client-side encryption library.