diff --git a/src/applications/files/engine/PhabricatorS3FileStorageEngine.php b/src/applications/files/engine/PhabricatorS3FileStorageEngine.php
--- a/src/applications/files/engine/PhabricatorS3FileStorageEngine.php
+++ b/src/applications/files/engine/PhabricatorS3FileStorageEngine.php
@@ -44,7 +44,8 @@
 $data,
 $this->getBucketName(),
 $name,
- $acl = 'private');
+ $acl = 'private',
+ $serverSideEncryption = $this->getServerSideEncryption());
 
 return $name;
 }
@@ -97,6 +98,16 @@
 }
 
 /**
+ * Retrieve the desired encryption method for objects stored on S3.
+ *
+ * @task internal
+ */
+ private function getServerSideEncryption() {
+ return PhabricatorEnv::getEnvConfigIfExists(
+ 'storage.s3.serverSideEncryption', '');
+ }
+
+ /**
 * Create a new S3 API object.
 *
 * @task internal
diff --git a/src/docs/user/configuration/configuring_file_storage.diviner b/src/docs/user/configuration/configuring_file_storage.diviner
--- a/src/docs/user/configuration/configuring_file_storage.diviner
+++ b/src/docs/user/configuration/configuring_file_storage.diviner
@@ -70,6 +70,11 @@
 - ##amazon-s3.secret-key## Your AWS secret key.
 - ##storage.s3.bucket## S3 bucket name where files should be stored.
 
+To enable using S3's server side encryption, set the following key:
+
+ - ##storage.s3.serverSideEncryption## The value to send in the
+ x-amz-server-side-encryption header (e.g. AES256)
+
 == Custom Engine ==
 
 For details about writing a custom storage engine, see @{article:File Storage
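Review bot: The argument added after `$acl = 'private'` in the first hunk is passed by position, not by name: inside an argument list `$serverSideEncryption = $this->getServerSideEncryption()` is an assignment expression, and its value goes to whatever parameter the callee declares fifth. The call's name and the callee's signature are above the hunk and not shown, so confirm that the fifth parameter really is the encryption setting; if it is anything else, objects would presumably be written unencrypted while the configuration suggests otherwise. With the option unset the value passed is `''`, so also confirm the client leaves out the `x-amz-server-side-encryption` header for an empty string rather than sending it blank. A comment such as `// positional: must stay in step with the S3 client's parameter order` on the new line would record the dependency.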
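Review bot: `getServerSideEncryption()` in the second hunk returns the configured string unchecked, and per the docs hunk that string is sent as the `x-amz-server-side-encryption` header value. I would check it against the short list of values the deployment supports and throw on anything else, so a typo in the config fails loudly on the first upload instead of depending on how the request is answered. The docblock should also say that the `''` default means no encryption is requested, e.g. `* @return string Header value, or '' to request no server-side encryption.` The use of `getEnvConfigIfExists` suggests the key is not declared alongside the other storage options; declaring it would keep the default in one place. The key name `storage.s3.serverSideEncryption` is camelCase while the neighbouring keys in the docs hunk (`storage.s3.bucket`, `amazon-s3.secret-key`) are lowercase and hyphenated.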