undefined / empty → no encryption setting passed (B2 still applies any
bucket-default SSE-B2; we just don't override it).
"B2" (case-insensitive) → SSE-B2 with the B2-managed key (no cost).
"C:<base64-32-byte-key>" → SSE-C with a customer-provided key. We
compute the required base64 MD5 internally so the workflow author
doesn't have to.
The action runs in Node only, so we use node:crypto.createHash('md5')
directly rather than the SDK's isomorphic key wrapper. We deliberately do
NOT log the key bytes; the only place they ever go is into the
customerKey field of the SDK setting which the SDK marks as a secret in
any error / debug output.
Parse the
sseinput into an SDK EncryptionSetting.Accepted forms:
undefined/ empty → no encryption setting passed (B2 still applies any bucket-default SSE-B2; we just don't override it)."B2"(case-insensitive) → SSE-B2 with the B2-managed key (no cost)."C:<base64-32-byte-key>"→ SSE-C with a customer-provided key. We compute the required base64 MD5 internally so the workflow author doesn't have to.The action runs in Node only, so we use
node:crypto.createHash('md5')directly rather than the SDK's isomorphic key wrapper. We deliberately do NOT log the key bytes; the only place they ever go is into thecustomerKeyfield of the SDK setting which the SDK marks as a secret in any error / debug output.