Home > Storage > ObjectScale and ECS > Product Documentation > Dell ECS: Data at Rest Encryption > User-supplied keys with the S3 API headers
With the S3 API, encryption keys can be specified in the header to encrypt objects. When an object is encrypted using user-supplied key, the key is never stored, only the hash of the key is stored in the object table. The user must supply the encryption key every time an operation is performed on that object. ECS validates that the key provided for update, appends and reads it as the same used during object creation.
The following is an example with user-supplied key:
> PUT /foobucket/fooobject HTTP/1.1
> User-Agent: curl/7.28.1
>Host: somehost.emc.com:9021
> Authorization: AWS user1:rYXxrNSrIW2d+apG3MjU4sAAzVs
> x-amz-server-side-encryption:AES256
>Content-Length: 15536
> PUT /foobucket/fooobject HTTP/1.1
> User-Agent: curl/7.28.1
>Host: somehost.emc.com:9021
>x-amz-server-side-encryption-customer-algorithm:AES256
> x-amz-server-side-encryption-customer-key-MD5:w79dwNhAgGtXei9fHOb+Gw==
> Content-Length: 15536
> Expect: 100-continue