How to supply a key on the command line that’s not Base 64 encoded

Question:

Regarding the AWS S3 tool “sync” and a “customer-provided encryption key”, it says here,

--sse-c-key (string) The customer-provided encryption key to use to server-side encrypt the object in S3. If you provide this value, --sse-c must be specified as well. The key provided should not be base64 encoded.

How does one supply a key on the command line that is not base64 encoded?

If the key is not base64 encoded, then surely some of the key’s bytes would not be expressible as characters?

Answer:

At first glance, this seems like a HUGE oversight in the aws cli. However, buried deep in the CLI documentation is a blurb on how to provide binary data on the command line.

https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters-file.html
(updated link per @Chris’s comment)

This did in fact work for me…

aws s3 cp --sse-c AES256 --sse-c-key fileb://key.bin large_file s3://mybucket/

The fileb:// part is the answer
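
An added example, not part of the original answer: one way to produce the raw key file that fileb:// reads, either freshly generated or decoded from a base64 copy, and to check its length before use. The names key.bin, large_file, s3://mybucket/ and the helper functions are assumptions for illustration.

```shell
#!/bin/sh
# Added example; file names, bucket name and function names are assumptions.

# Write 32 random bytes (a 256-bit key, as AES256 requires) to $1, owner-only.
make_sse_c_key() (
    umask 077
    head -c 32 /dev/urandom > "$1"
)

# Decode a base64-encoded key ($1) to the raw bytes the CLI expects, in file $2.
decode_b64_key() (
    umask 077
    printf '%s' "$1" | base64 -d > "$2"
)

# Succeed only if file $1 holds exactly 32 bytes.
check_sse_c_key() (
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq 32 ]
)

# Print the upload command; the key itself never appears in argv or shell
# history, only the path to the file that holds it.
sse_c_upload_cmd() {
    printf 'aws s3 cp --sse-c AES256 --sse-c-key fileb://%s %s %s\n' "$1" "$2" "$3"
}

# Demo: nothing is sent to AWS, the command is only printed.
workdir=$(mktemp -d)
make_sse_c_key "$workdir/key.bin"
if check_sse_c_key "$workdir/key.bin"; then
    sse_c_upload_cmd "$workdir/key.bin" large_file s3://mybucket/
fi
```

S3 does not store an SSE-C key, so the same key.bin has to be passed again with the same two options when the object is downloaded.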
