diff --git a/tmail-backend/blob/secondary-blob-store/src/test/java/com/linagora/tmail/blob/secondaryblobstore/SecondaryBlobStoreDAOTest.java b/tmail-backend/blob/secondary-blob-store/src/test/java/com/linagora/tmail/blob/secondaryblobstore/SecondaryBlobStoreDAOTest.java
index aaf27108db..154c9b7cd1 100644
--- a/tmail-backend/blob/secondary-blob-store/src/test/java/com/linagora/tmail/blob/secondaryblobstore/SecondaryBlobStoreDAOTest.java
+++ b/tmail-backend/blob/secondary-blob-store/src/test/java/com/linagora/tmail/blob/secondaryblobstore/SecondaryBlobStoreDAOTest.java
@@ -23,6 +23,7 @@
 import org.apache.james.blob.objectstorage.aws.S3BlobStoreConfiguration;
 import org.apache.james.blob.objectstorage.aws.S3BlobStoreDAO;
 import org.apache.james.blob.objectstorage.aws.S3ClientFactory;
+import org.apache.james.blob.objectstorage.aws.S3RequestOption;
 import org.apache.james.events.EventBus;
 import org.apache.james.events.InVMEventBus;
 import org.apache.james.events.MemoryEventDeadLetters;
@@ -82,7 +83,8 @@ private static S3BlobStoreDAO createS3BlobStoreDAO(DockerAwsS3Container s3Contai
 .readTimeout(Optional.of(Duration.ofMillis(500)))
 .build();
- return new S3BlobStoreDAO(new S3ClientFactory(s3Configuration, new RecordingMetricFactory(), new NoopGaugeRegistry()), s3Configuration, new TestBlobId.Factory());
+ return new S3BlobStoreDAO(new S3ClientFactory(s3Configuration, new RecordingMetricFactory(), new NoopGaugeRegistry()),
+ s3Configuration, new TestBlobId.Factory(), S3RequestOption.DEFAULT);
 }
 @AfterEach
diff --git a/tmail-backend/blob/secondary-blob-store/src/test/java/com/linagora/tmail/blob/secondaryblobstore/SecondaryBlobStoreDAOWithEmptySuffixTest.java b/tmail-backend/blob/secondary-blob-store/src/test/java/com/linagora/tmail/blob/secondaryblobstore/SecondaryBlobStoreDAOWithEmptySuffixTest.java
index fc82006bc4..0e8fceb3cf 100644
--- a/tmail-backend/blob/secondary-blob-store/src/test/java/com/linagora/tmail/blob/secondaryblobstore/SecondaryBlobStoreDAOWithEmptySuffixTest.java
+++ b/tmail-backend/blob/secondary-blob-store/src/test/java/com/linagora/tmail/blob/secondaryblobstore/SecondaryBlobStoreDAOWithEmptySuffixTest.java
@@ -23,6 +23,7 @@
 import org.apache.james.blob.objectstorage.aws.S3BlobStoreConfiguration;
 import org.apache.james.blob.objectstorage.aws.S3BlobStoreDAO;
 import org.apache.james.blob.objectstorage.aws.S3ClientFactory;
+import org.apache.james.blob.objectstorage.aws.S3RequestOption;
 import org.apache.james.events.EventBus;
 import org.apache.james.events.InVMEventBus;
 import org.apache.james.events.MemoryEventDeadLetters;
@@ -82,7 +83,8 @@ private static S3BlobStoreDAO createS3BlobStoreDAO(DockerAwsS3Container s3Contai
 .readTimeout(Optional.of(Duration.ofMillis(500)))
 .build();
- return new S3BlobStoreDAO(new S3ClientFactory(s3Configuration, new RecordingMetricFactory(), new NoopGaugeRegistry()), s3Configuration, new TestBlobId.Factory());
+ return new S3BlobStoreDAO(new S3ClientFactory(s3Configuration, new RecordingMetricFactory(), new NoopGaugeRegistry()),
+ s3Configuration, new TestBlobId.Factory(), S3RequestOption.DEFAULT);
 }
 @AfterEach
diff --git a/tmail-backend/guice/blob-guice/src/main/java/com/linagora/tmail/blob/guice/BlobStoreModulesChooser.java b/tmail-backend/guice/blob-guice/src/main/java/com/linagora/tmail/blob/guice/BlobStoreModulesChooser.java
index df41c2443f..501d0d2094 100644
--- a/tmail-backend/guice/blob-guice/src/main/java/com/linagora/tmail/blob/guice/BlobStoreModulesChooser.java
+++ b/tmail-backend/guice/blob-guice/src/main/java/com/linagora/tmail/blob/guice/BlobStoreModulesChooser.java
@@ -1,5 +1,7 @@
 package com.linagora.tmail.blob.guice;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
 import java.util.List;
 import java.util.Optional;
@@ -12,8 +14,12 @@
 import org.apache.james.blob.cassandra.cache.CachedBlobStore;
 import org.apache.james.blob.file.FileBlobStoreDAO;
 import org.apache.james.blob.objectstorage.aws.JamesS3MetricPublisher;
+import org.apache.james.blob.objectstorage.aws.S3BlobStoreConfiguration;
 import org.apache.james.blob.objectstorage.aws.S3BlobStoreDAO;
 import org.apache.james.blob.objectstorage.aws.S3ClientFactory;
+import org.apache.james.blob.objectstorage.aws.S3RequestOption;
+import org.apache.james.blob.objectstorage.aws.sse.S3SSECConfiguration;
+import org.apache.james.blob.objectstorage.aws.sse.S3SSECustomerKeyFactory;
 import org.apache.james.events.EventBus;
 import org.apache.james.eventsourcing.Event;
 import org.apache.james.eventsourcing.eventstore.dto.EventDTO;
@@ -31,6 +37,7 @@
 import org.apache.james.server.blob.deduplication.DeDuplicationBlobStore;
 import org.apache.james.server.blob.deduplication.PassThroughBlobStore;
 import org.apache.james.server.blob.deduplication.StorageStrategy;
+import org.apache.james.server.core.MissingArgumentException;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableList;
@@ -70,6 +77,19 @@ protected void configure() {
 .to(S3BlobStoreDAO.class)
 .in(Scopes.SINGLETON);
 }
+
+ @Provides
+ @Singleton
+ S3RequestOption provideS3RequestOption(S3BlobStoreConfiguration configuration) throws InvalidKeySpecException, NoSuchAlgorithmException {
+ if (!configuration.ssecEnabled()) {
+ return S3RequestOption.DEFAULT;
+ }
+ S3SSECConfiguration ssecConfiguration = configuration.getSSECConfiguration()
+ .orElseThrow(() -> new MissingArgumentException("SSEC is enabled but no configuration is provided"));
+
+ S3SSECustomerKeyFactory sseCustomerKeyFactory = new S3SSECustomerKeyFactory.SingleCustomerKeyFactory((S3SSECConfiguration.Basic) ssecConfiguration);
+ return new S3RequestOption(new S3RequestOption.SSEC(true, Optional.of(sseCustomerKeyFactory)));
+ }
 }
 static class FileBlobStoreDAODeclarationModule extends AbstractModule {
@@ -115,10 +135,11 @@ public SecondaryObjectStorageModule(SecondaryS3BlobStoreConfiguration secondaryS
 @Named(SECOND_BLOB_STORE_DAO)
 BlobStoreDAO getSecondaryS3BlobStoreDAO(BlobId.Factory blobIdFactory,
 MetricFactory metricFactory,
- GaugeRegistry gaugeRegistry) {
+ GaugeRegistry gaugeRegistry,
+ S3RequestOption s3RequestOption) {
 S3ClientFactory s3SecondaryClientFactory = new S3ClientFactory(secondaryS3BlobStoreConfiguration.s3BlobStoreConfiguration(), () -> new JamesS3MetricPublisher(metricFactory, gaugeRegistry, "secondary_s3"));
- return new S3BlobStoreDAO(s3SecondaryClientFactory, secondaryS3BlobStoreConfiguration.s3BlobStoreConfiguration(), blobIdFactory);
+ return new S3BlobStoreDAO(s3SecondaryClientFactory, secondaryS3BlobStoreConfiguration.s3BlobStoreConfiguration(), blobIdFactory, s3RequestOption);
 }
 @ProvidesIntoSet
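Review bot: The unchecked cast `(S3SSECConfiguration.Basic) ssecConfiguration` in `provideS3RequestOption` will surface as a bare ClassCastException during injector creation if `getSSECConfiguration()` ever returns another implementation; the hunk does not show whether other implementations exist. An explicit guard before the key factory is built gives operators an actionable error: `if (!(ssecConfiguration instanceof S3SSECConfiguration.Basic)) { throw new IllegalArgumentException("Unsupported SSE-C configuration type: " + ssecConfiguration.getClass().getName()); }`. Keep the message to the type name, since the configuration object presumably carries the customer key material and should not be stringified into logs. The enclosing module class starts outside the hunk.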
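Review bot: The secondary DAO in `getSecondaryS3BlobStoreDAO` now takes the injected `S3RequestOption`, which the `provideS3RequestOption` provider added earlier in this file derives from the injected `S3BlobStoreConfiguration` rather than from `secondaryS3BlobStoreConfiguration.s3BlobStoreConfiguration()`. If that injected configuration is the primary store's (the binding is outside the hunk), the primary's SSE-C customer key is sent on requests to the secondary endpoint and the secondary configuration's own `ssecEnabled()` setting is ignored, so a secondary with different settings either receives a key not meant for it or stores objects without SSE-C. Deriving the option from the secondary configuration here, for instance through a shared static helper that both this method and the provider call, keeps each store's encryption settings independent. The method's `@Provides` annotations start above the hunk.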