Loading encrypted data files from Amazon S3 - Amazon Redshift

You can use the COPY command to load data files that were uploaded to Amazon S3 using server-side encryption, client-side encryption, or both.

The COPY command supports the following types of Amazon S3 encryption:

  • Server-side encryption with Amazon S3-managed keys (SSE-S3)

  • Server-side encryption with AWS KMS keys (SSE-KMS)

  • Client-side encryption using a client-side symmetric root key

The COPY command doesn't support the following types of Amazon S3 encryption:

  • Server-side encryption with customer-provided keys (SSE-C)

  • Client-side encryption using an AWS KMS key

  • Client-side encryption using a customer-provided asymmetric root key

For more information about Amazon S3 encryption, see Protecting Data Using Server-Side Encryption and Protecting Data Using Client-Side Encryption in the Amazon Simple Storage Service User Guide.

The UNLOAD command automatically encrypts files using SSE-S3. You can also unload using SSE-KMS or client-side encryption with a customer managed symmetric key. For more information, see Unloading encrypted data files.

The COPY command automatically recognizes and loads files encrypted using SSE-S3 and SSE-KMS. You can load files encrypted using a client-side symmetric root key by specifying the ENCRYPTED option and providing the key value. For more information, see Uploading encrypted data to Amazon S3.

To load client-side encrypted data files, provide the root key value using the MASTER_SYMMETRIC_KEY parameter and include the ENCRYPTED option.

COPY customer
FROM 's3://amzn-s3-demo-bucket/encrypted/customer'
IAM_ROLE 'arn:aws:iam::0123456789012:role/MyRedshiftRole'
MASTER_SYMMETRIC_KEY '<root_key>'
ENCRYPTED
DELIMITER '|';

To load encrypted data files that are gzip, lzop, or bzip2 compressed, include the GZIP, LZOP, or BZIP2 option along with the root key value and the ENCRYPTED option.

COPY customer
FROM 's3://amzn-s3-demo-bucket/encrypted/customer'
IAM_ROLE 'arn:aws:iam::0123456789012:role/MyRedshiftRole'
MASTER_SYMMETRIC_KEY '<root_key>'
ENCRYPTED
DELIMITER '|'
GZIP;
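
A pre-flight check built on the supported and unsupported lists above, as an added example that is not part of the AWS documentation: it classifies an S3 HeadObject-style response and returns the extra COPY options needed, or None when COPY cannot load the object. The function name, the constructed sample responses, and the client-side metadata names (x-amz-key, x-amz-key-v2, x-amz-wrap-alg) are assumptions about the S3 encryption client's envelope format.

```python
# Added example: decide whether COPY can load an object, from its metadata.
CLIENT_SIDE_OPTS = "MASTER_SYMMETRIC_KEY '<root_key>' ENCRYPTED"

def classify_for_copy(head):
    """Return (encryption_type, extra_copy_options) for a HeadObject-style dict.

    extra_copy_options is None when COPY cannot load the object, and an
    empty string when COPY recognizes the encryption automatically.
    """
    # SSE-C blocks the read regardless of any other layer, so check it first.
    if head.get("SSECustomerAlgorithm"):
        return "SSE-C", None
    meta = {k.lower(): v for k, v in head.get("Metadata", {}).items()}
    wrap = meta.get("x-amz-wrap-alg", "")
    # Client-side markers come before SSE: an object can carry both layers.
    if wrap.lower().startswith("kms"):
        return "client-side, AWS KMS key", None
    if wrap.upper().startswith("RSA"):
        return "client-side, asymmetric root key", None
    if "x-amz-key" in meta or "x-amz-key-v2" in meta:
        # Older envelopes record no wrap algorithm; treated here as a
        # symmetric root key (assumption).
        return "client-side, symmetric root key", CLIENT_SIDE_OPTS
    sse = head.get("ServerSideEncryption")
    if sse == "AES256":
        return "SSE-S3", ""
    if sse == "aws:kms":
        return "SSE-KMS", ""
    if sse is None:
        return "unencrypted", ""
    # Anything else is not covered by the lists on this page.
    return "not listed: " + sse, None

# Constructed sample responses (not real objects).
SAMPLES = {
    "sse_s3.csv": {"ServerSideEncryption": "AES256"},
    "sse_kms.csv": {"ServerSideEncryption": "aws:kms"},
    "sse_c.csv": {"SSECustomerAlgorithm": "AES256"},
    "cse_sym.csv": {"ServerSideEncryption": "AES256",
                    "Metadata": {"x-amz-key": "b64", "x-amz-iv": "b64"}},
    "cse_kms.csv": {"Metadata": {"x-amz-key-v2": "b64",
                                 "x-amz-wrap-alg": "kms"}},
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        kind, opts = classify_for_copy(head)
        print(name, "|", kind, "|",
              "COPY cannot load" if opts is None else opts or "no extra options")
```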
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.