Data can be encrypted at rest on the S3 server based on a number of factors. Data can be unencrypted which can improve performance, especially for third-party S3 storage systems. It is possible to set a “bucket policy” which will cause the data be encrypted by default. When writing, the S3 system can also be told via the Teradata Access Module for S3 that the user requires encryption. You can request that the default S3-managed key is used by specifying “S3Sse=S3” (or S3Sse=True).