KMS Support - Nuxeo with Amazon S3 Server Side Encryption

I'm trying to get Nuxeo to store its binaries in S3 with Server-Side encryption.

I can't use AES-256 encryption. AWS KMS encryption is required. Does Nuxeo provide support for using KMS keys? I'm not find any information about this at If anything, it sounds like Nuxeo only supports AES-256.

The bucket policy I have to accommodate is the following:

    "Version": "2012-10-17",
    "Id": "ServerSideEncryptionPolicy",
    "Statement": [
            "Sid": "DenyPutWithoutKmsKey",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            "Action": "s3:PutObject",
            "Resource": "<REMOVED>",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms",
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "<REMOVED>"
0 votes

1 answers



At the moment we only support AES-256 for server-side encryption (this is hardcoded in the code). I've created NXP-22949 to track this feature request. It's not currently been scheduled.

0 votes

We'd welcome a pull request on our code if you want to speed this up though.