more

chrislusf
2025-09-15 21:19:52 -07:00
parent 5a9c70b86f
commit a732d9c1ba
5 changed files with 27 additions and 26 deletions
+4 -4
@@ -141,11 +141,11 @@ To be consistent with AWS S3, SeaweedFS tries to check whether the folder is emp
# Server-Side Encryption
SeaweedFS supports AWS S3-compatible server-side encryption to protect your data at rest. Three encryption methods are available:
Need encryption at rest? SeaweedFS speaks the same SSE dialects as Amazon S3, so your existing tools and SDKs just work. You can choose from three options:
- **[SSE-KMS](Server-Side-Encryption-SSE-KMS)**: External Key Management Service providers (AWS KMS, Google Cloud KMS, OpenBao/Vault)
- **[SSE-C](Server-Side-Encryption-SSE-C)**: Customer-provided encryption keys (maximum customer control)
- **SSE-S3**: SeaweedFS-managed server-side encryption (explicit `AES256` header or bucket default encryption)
- **[SSE-KMS](Server-Side-Encryption-SSE-KMS)**: Use an external KMS (AWS KMS, Google Cloud KMS, OpenBao/Vault)
- **[SSE-C](Server-Side-Encryption-SSE-C)**: Bring your own keys for maximum control
- **SSE-S3**: Let SeaweedFS manage keys (explicit `AES256` header or bucket default encryption)
All encryption types support:
- Automatic encryption/decryption
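Review bot: the new intro line ("your existing tools and SDKs just work") makes a broader compatibility claim than the removed line ("AWS S3-compatible server-side encryption"), and nothing in this hunk backs the stronger version; keep the explicit "AWS S3-compatible" wording so readers know the guarantee is header-level API compatibility rather than coverage of every client feature. The SSE-S3 bullet is also still the only one of the three without a page link, which is inconsistent with the linked SSE-KMS and SSE-C bullets.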
+2 -2
@@ -113,14 +113,14 @@ To manage storage growth, you should:
## Does SeaweedFS support encrypted range requests?
Yes. Range requests are supported for encrypted objects across all SSE modes:
Yes. Range requests work just fine with encrypted objects across all SSE modes:
- **SSE-KMS**: Supported
- **SSE-C**: Supported
- **SSE-S3**: Supported
## Does SeaweedFS support bucket default encryption?
Yes. Bucket default encryption is supported. You can configure bucket-level default encryption using the standard S3 bucket encryption API, and uploads without explicit encryption headers will be encrypted according to the bucket policy. Applies to SSE-KMS and SSE-S3.
Yes. You can set a bucket-level default encryption policy using the standard S3 bucket encryption API. Uploads without explicit encryption headers will follow the bucket policy. This applies to SSE-KMS and SSE-S3.
For setup guides, see [[Server-Side-Encryption]].
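Review bot: "follow the bucket policy" in the new default-encryption answer is easy to confuse with an S3 bucket policy (the access-control document); since the sentence is about the setting made through the bucket encryption API, say "bucket default encryption configuration". In the range-request answer, "work just fine" is vaguer than the removed "are supported"; keep "supported", and it would help readers to add that a range GET of an SSE-C object still needs the customer key headers, since the SSE-C page in this same commit requires them for all SSE-C operations.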
+3 -3
@@ -1,10 +1,10 @@
# Server-Side Encryption with Customer-provided Keys (SSE-C)
SeaweedFS supports AWS S3-compatible Server-Side Encryption with Customer-provided Keys (SSE-C), allowing clients to encrypt objects using their own encryption keys.
With SSE-C, you bring your own keys and SeaweedFS does the heavy lifting. Your app sends the key with each request, and we encrypt/decrypt on the server side—without ever storing your key.
## Overview
SSE-C enables client-side key management with server-side encryption:
SSE-C gives you client-side key management with server-side encryption:
- **Client provides**: AES-256 encryption key and MD5 hash
- **SeaweedFS handles**: Encryption/decryption operations transparently
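Review bot: "without ever storing your key" is a security guarantee and should be stated precisely rather than as a selling point; the Overview bullets below already list what the client provides (the AES-256 key and its MD5) and what SeaweedFS does, so phrase the guarantee in those terms: the key is sent in the request headers, used only for that request, and not persisted. Also drop the em-dash, and "we ... heavy lifting" reads as marketing copy in a reference page.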
@@ -12,7 +12,7 @@ SSE-C enables client-side key management with server-side encryption:
## Required Headers
For all SSE-C operations, provide these headers:
For all SSE-C operations, include these headers:
```http
X-Amz-Server-Side-Encryption-Customer-Algorithm: AES256
+2 -3
@@ -1,7 +1,6 @@
# SSE-KMS: Server-Side Encryption with Key Management Service
SeaweedFS SSE-KMS supports multiple external Key Management Service providers for enterprise-grade encryption key management. This guide covers setup and configuration for AWS KMS, Google Cloud KMS, OpenBao/Vault.
and Azure Key Vault (experimental, build tag `azurekms`).
SeaweedFS works with your existing Key Management Service (KMS) so you can keep keys where they belong. This guide walks you through AWS KMS, Google Cloud KMS, and OpenBao/Vault. Azure Key Vault is also available as experimental (build tag `azurekms`).
## Supported KMS Providers
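Review bot: the new line correctly folds the stray "and Azure Key Vault ..." fragment into the paragraph (the removed text ended the first sentence at "OpenBao/Vault." and left the fragment on its own line), but "also available as experimental" should spell out the consequence already visible in the line: Azure Key Vault is only compiled in when building with the `azurekms` build tag, so it is not present in a default build. "keep keys where they belong" adds no information; "keeps keys in your existing KMS" says the same thing concretely.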
@@ -16,7 +15,7 @@ and Azure Key Vault (experimental, build tag `azurekms`).
### 1. Configure SeaweedFS
KMS providers are configured in the S3 config JSON file:
Tell SeaweedFS about your KMS in the S3 config JSON file:
```json
{
+16 -14
@@ -1,9 +1,11 @@
# Server-Side Encryption (SSE)
SeaweedFS supports AWS S3-compatible server-side encryption to protect data at rest. Three encryption methods are available, each offering different levels of control over encryption keys and management.
If you're using SeaweedFS with the S3 API, you can encrypt objects at rest without changing your apps. We support the same server-side encryption (SSE) options as Amazon S3, so you can pick the one that fits how you already manage keys.
## Overview
Use this quick guide to choose the right option:
| Encryption Type | Key Management | Use Case |
|------------------|----------------|----------|
| **SSE-KMS** | External KMS providers | Enterprise key management, audit trails |
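Review bot: "without changing your apps" in the new intro does not hold for SSE-C, where, per this commit's SSE-C page, the application must send the key with every request, and the SSE-C Configuration bullet in the next hunk says keys are "provided via HTTP headers"; restrict the claim to SSE-S3 with bucket default encryption, or reword to "with little or no application change". The removed sentence also said the three methods differ in how much control you keep over keys, which is exactly what the table below illustrates; keep a sentence to that effect before the table.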
@@ -13,24 +15,24 @@ SeaweedFS supports AWS S3-compatible server-side encryption to protect data at r
## Encryption Types
### SSE-KMS (Server-Side Encryption with Key Management Service)
- **Best for**: Enterprise environments with external KMS infrastructure
- **Key management**: External providers (AWS KMS, Google Cloud KMS, OpenBao/Vault, Azure Key Vault [experimental])
- **Features**: Centralized key management, detailed audit logs, per-bucket key assignment, optional Bucket Key optimization
- **Configuration**: Requires KMS provider setup in S3 config
- **Pick this if**: You already use a KMS and want strong audit trails
- **Keys live in**: External providers (AWS KMS, Google Cloud KMS, OpenBao/Vault, Azure Key Vault [experimental])
- **Why teams like it**: Centralized key management, detailed audit logs, per-bucket key assignment, optional Bucket Key optimization
- **Configuration**: Requires KMS provider setup in the S3 config
- **Documentation**: [SSE-KMS Guide](Server-Side-Encryption-SSE-KMS.md)
### SSE-C (Server-Side Encryption with Customer-Provided Keys)
- **Best for**: Maximum control over encryption keys, regulatory compliance
- **Key management**: Customer provides encryption keys with each request
- **Features**: No key storage on server, customer has full control
- **Pick this if**: You want to bring your own keys and keep full control
- **Keys live in**: Your application (sent per request)
- **Why teams like it**: No key storage on the server; maximum control for compliance-heavy environments
- **Configuration**: Keys provided via HTTP headers
- **Documentation**: [SSE-C Guide](Server-Side-Encryption-SSE-C.md)
### SSE-S3 (Server-Managed Keys)
- **Best for**: Simple, fully managed encryption with minimal configuration
- **Key management**: SeaweedFS-managed keys with automatic key handling
- **Features**: Works with explicit `x-amz-server-side-encryption: AES256` and bucket default encryption; supports multipart uploads and range requests
- **Configuration**: Optional bucket-level default encryption via standard S3 bucket encryption API
- **Pick this if**: You want simple, fully managed encryption with minimal setup
- **Keys live in**: SeaweedFS (we handle the key management for you)
- **Why teams like it**: Works with explicit `x-amz-server-side-encryption: AES256` and bucket default encryption; supports multipart uploads and range requests
- **Configuration**: Optional bucket-level default encryption via the standard S3 bucket encryption API
## Quick Start
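Review bot: the relabelled "Keys live in" bullet for SSE-S3 answers only "SeaweedFS", which is the one case where the reader needs the detail: say where the SSE-S3 key material is kept and how it is protected, or link to that, since the removed "SeaweedFS-managed keys with automatic key handling" was equally vague and this rewrite was the chance to fix it. The SSE-S3 subsection is also still the only one without a "Documentation" bullet (SSE-KMS and SSE-C each link their guide), and "Why teams like it" is a marketing label; "Features" was the more accurate heading for what those bullets list.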
@@ -64,7 +66,7 @@ aws s3 cp file.txt s3://mybucket/file.txt \
## Configuration
### Basic Setup
Configure KMS providers and IAM settings in the S3 config file:
Configure KMS providers and IAM settings in your S3 config file:
```json
{
@@ -117,4 +119,4 @@ weed s3 -config=s3_kms_config.json
- **SSE-C**: Full support with security best practices
- **SSE-S3**: Supported with SeaweedFS-managed keys and bucket default encryption
For detailed setup guides, examples, and configuration options, see the individual encryption method documentation linked above.
For hands-on setup guides and examples, see the individual encryption method docs linked above.