Package s3crypto provides encryption to S3 using KMS and AES GCM.
Keyproviders are interfaces that handle masterkeys. Masterkeys are used to encrypt and decrypt the randomly generated cipher keys. The SDK currently uses KMS to do this. A user does not need to provide a master key since all that information is hidden in KMS.
Modes are interfaces that handle content encryption and decryption. It is an abstraction layer that instantiates the ciphers. If content is being encrypted we generate the key and iv of the cipher. For decryption, we use the metadata stored either on the object or an instruction file object to decrypt the contents.
Ciphers are interfaces that handle encryption and decryption of data. This may be key wrap ciphers or content ciphers.
Creating an S3 cryptography client
cmkID := "<some key ID>"
sess := session.Must(session.NewSession())
kmsClient := kms.New(sess)
// Create the KeyProvider
var matdesc s3crypto.MaterialDescription
handler := s3crypto.NewKMSContextKeyGenerator(kmsClient, cmkID, matdesc)
// Create an encryption and decryption client
// We need to pass the session here so S3 can use it. In addition, any decryption that
// occurs will use the KMS client.
svc, err := s3crypto.NewEncryptionClientV2(sess, s3crypto.AESGCMContentCipherBuilderV2(handler))
if err != nil {
panic(err) // handle error
}
// Create a CryptoRegistry and register the algorithms you wish to use for decryption
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterAESGCMContentCipher(cr); err != nil {
panic(err) // handle error
}
if err := s3crypto.RegisterKMSContextWrapWithAnyCMK(cr, kmsClient); err != nil {
panic(err) // handle error
}
// Create a decryption client to decrypt artifacts
svc, err := s3crypto.NewDecryptionClientV2(sess, cr)
if err != nil {
panic(err) // handle error
}
Configuration of the S3 cryptography client
sess := session.Must(session.NewSession())
handler := s3crypto.NewKMSContextKeyGenerator(kms.New(sess), cmkID, s3crypto.MaterialDescription{})
svc, err := s3crypto.NewEncryptionClientV2(sess, s3crypto.AESGCMContentCipherBuilderV2(handler), func (o *s3crypto.EncryptionClientOptions) {
// Save instruction files to separate objects
o.SaveStrategy = NewS3SaveStrategy(sess, "")
// Change instruction file suffix to .example
o.InstructionFileSuffix = ".example"
// Set temp folder path
o.TempFolderPath = "/path/to/tmp/folder/"
// Any content less than the minimum file size will use memory
// instead of writing the contents to a temp file.
o.MinFileSize = int64(1024 * 1024 * 1024)
})
if err != nil {
panic(err) // handle error
}
Object Metadata SaveStrategy
The default SaveStrategy is to save metadata to an object's headers. An alternative SaveStrategy can be provided to the EncryptionClientV2. For example, the S3SaveStrategy can be used to save the encryption metadata to a instruction file that is stored in S3 using the objects KeyName+InstructionFileSuffix. The InstructionFileSuffix defaults to .instruction. If using this strategy you will need to configure the DecryptionClientV2 to use the matching S3LoadStrategy LoadStrategy in order to decrypt object using this save strategy.
Custom Key Wrappers and Custom Content Encryption AlgorithmsRegistration of custom key wrapping or content encryption algorithms not provided by AWS is allowed by the SDK, but security and compatibility with custom types can not be guaranteed. For example if you want to support `CustomWrap` key wrapping algorithm and `CustomCEK` content encryption algorithm. You can use the CryptoRegistry to register these types.
cr := s3crypto.NewCryptoRegistry()
// Register a custom key wrap algorithm to the CryptoRegistry
if err := cr.AddWrap("CustomWrap", NewCustomWrapEntry); err != nil {
panic(err) // handle error
}
// Register a custom content encryption algorithm to the CryptoRegistry
if err := cr.AddCEK("CustomCEK", NewCustomCEKEntry); err != nil {
panic(err) // handle error
}
svc, err := s3crypto.NewDecryptionClientV2(sess, cr)
if err != nil {
panic(err) // handle error
}
We have now registered these new algorithms to the decryption client. When the client calls `GetObject` and sees the wrap as `CustomWrap` then it'll use that wrap algorithm. This is also true for `CustomCEK`.
For encryption adding a custom content cipher builder and key handler will allow for encryption of custom defined ciphers.
// Our wrap algorithm, CustomWrap handler := NewCustomWrap(key, iv) // Our content cipher builder, NewCustomCEKContentBuilder svc := s3crypto.NewEncryptionClientV2(sess, NewCustomCEKContentBuilder(handler))Maintenance Mode Notification for V1 Clients
The EncryptionClient and DecryptionClient are in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information. Users of these clients should migrate to EncryptionClientV2 and DecryptionClientV2.
EncryptionClientV2 removes encryption support of the following features
Attempting to construct an EncryptionClientV2 with deprecated features will result in an error returned back to the calling application during construction of the client.
Users of `AES/CBC` will need to migrate usage to `AES/GCM`. Users of `kms` key provider will need to migrate `kms+context`.
DecryptionClientV2 client adds support for the `kms+context` key provider and maintains backwards comparability with objects encrypted with the V1 EncryptionClient.
Migrating from V1 to V2 ClientsExamples of how to migrate usage of the V1 clients to the V2 equivalents have been documented as usage examples of the NewEncryptionClientV2 and NewDecryptionClientV2 functions.
Please see the AWS SDK for Go Developer Guide for additional migration steps https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/s3-encryption-migration.html
Deprecated: aws-sdk-go is deprecated. Use aws-sdk-go-v2. See https://aws.amazon.com/blogs/developer/announcing-end-of-support-for-aws-sdk-for-go-v1-on-july-31-2025/.
Index â¹ Index â¾aes_cbc.go aes_cbc_content_cipher.go aes_cbc_padder.go aes_gcm.go aes_gcm_content_cipher.go cipher.go cipher_builder.go cipher_util.go crypto_registry.go decryption_client.go decryption_client_v2.go doc.go encryption_client.go encryption_client_v2.go envelope.go errors.go fixture.go hash_io.go helper.go key_handler.go kms_context_key_handler.go kms_key_handler.go mat_desc.go padder.go pkcs7_padder.go shared_client.go strategy.go
Internal call graph â¹ Internal call graph â¾In the call graph viewer below, each node is a function belonging to this package and its children are the functions it calls—perhaps dynamically.
The root nodes are the entry points of the package: functions that may be called from outside the package. There may be non-exported or anonymous functions among them if they are called dynamically from another package.
Click a node to visit that function's source code. From there you can visit its callers by clicking its declaring func token.
Functions may be omitted if they were determined to be unreachable in the particular programs or tests that were analyzed.
const AESCBC = "AES/CBC"
AESCBC is the string constant that signifies the AES CBC algorithm cipher.
const AESGCMNoPadding = "AES/GCM/NoPadding"
AESGCMNoPadding is the constant value that is used to specify the cek algorithm consiting of AES GCM with no padding.
const DefaultInstructionKeySuffix = ".instruction"
DefaultInstructionKeySuffix is appended to the end of the instruction file key when grabbing or saving to S3
const DefaultMinFileSize = 1024 * 512 * 5
DefaultMinFileSize is used to check whether we want to write to a temp file or store the data in memory.
const (
KMSContextWrap = "kms+context"
)
const (
KMSWrap = "kms"
)Variables ¶
var AESCBCPadder = Padder(aescbcPadding)
AESCBCPadder is used to pad AES encrypted and decrypted data. Although it uses the pkcs5Padder, it isn't following the RFC for PKCS5. The only reason why it is called pkcs5Padder is due to the Name returning PKCS5Padding.
var NoPadder = Padder(noPadder{})
NoPadder does not pad anything
func RegisterAESCBCContentCipher ¶func RegisterAESCBCContentCipher(registry *CryptoRegistry, padder Padder) error
RegisterAESCBCContentCipher registers the AES/CBC cipher and padder with the provided CryptoRegistry.
Example:
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterAESCBCContentCipher(cr, s3crypto.AESCBCPadder); err != nil {
panic(err) // handle error
}
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func RegisterAESGCMContentCipher ¶func RegisterAESGCMContentCipher(registry *CryptoRegistry) error
RegisterAESGCMContentCipher registers the AES/GCM content cipher algorithm with the provided CryptoRegistry.
Example:
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterAESGCMContentCipher(cr); err != nil {
panic(err) // handle error
}
func RegisterKMSContextWrapWithAnyCMK ¶
func RegisterKMSContextWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error
RegisterKMSContextWrapWithAnyCMK registers the kms+context wrapping algorithm to the given WrapRegistry. The wrapper will be configured to call KMS decrypt without providing a CMK.
Example:
sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSContextWrapWithAnyCMK(cr, kms.New(sess)); err != nil {
panic(err) // handle error
}
func RegisterKMSContextWrapWithCMK ¶
func RegisterKMSContextWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error
RegisterKMSContextWrapWithCMK registers the kms+context wrapping algorithm to the given WrapRegistry. The wrapper will be configured to only call KMS Decrypt using the provided CMK.
Example:
cr := s3crypto.NewCryptoRegistry()
if err := RegisterKMSContextWrapWithCMK(); err != nil {
panic(err) // handle error
}
func RegisterKMSWrapWithAnyCMK ¶
func RegisterKMSWrapWithAnyCMK(registry *CryptoRegistry, client kmsiface.KMSAPI) error
RegisterKMSWrapWithAnyCMK registers the `kms` wrapping algorithm to the given WrapRegistry. The wrapper will be configured to call KMS Decrypt without providing a CMK.
Example:
sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSWrapWithAnyCMK(cr, kms.New(sess)); err != nil {
panic(err) // handle error
}
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func RegisterKMSWrapWithCMK ¶func RegisterKMSWrapWithCMK(registry *CryptoRegistry, client kmsiface.KMSAPI, cmkID string) error
RegisterKMSWrapWithCMK registers the `kms` wrapping algorithm to the given WrapRegistry. The wrapper will be configured to call KMS Decrypt with the provided CMK.
Example:
sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSWrapWithCMK(cr, kms.New(sess), "cmkId"); err != nil {
panic(err) // handle error
}
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
type CEKEntry ¶type CEKEntry func(CipherData) (ContentCipher, error)
CEKEntry is a builder that returns a proper content decrypter and error
type Cipher ¶type Cipher interface {
Encrypter
Decrypter
}
Cipher interface allows for either encryption and decryption of an object
type CipherData ¶type CipherData struct {
Key []byte
IV []byte
WrapAlgorithm string
CEKAlgorithm string
TagLength string
MaterialDescription MaterialDescription
EncryptedKey []byte
Padder Padder
}
CipherData is used for content encryption. It is used for storing the metadata of the encrypted content.
func (CipherData) Clone ¶func (cd CipherData) Clone() (v CipherData)
Clone returns a new copy of CipherData
type CipherDataDecrypter ¶type CipherDataDecrypter interface {
DecryptKey([]byte) ([]byte, error)
}
CipherDataDecrypter is a handler to decrypt keys from the envelope.
type CipherDataDecrypterWithContext ¶type CipherDataDecrypterWithContext interface {
DecryptKeyWithContext(aws.Context, []byte) ([]byte, error)
}
CipherDataDecrypterWithContext is a handler to decrypt keys from the envelope with request context.
type CipherDataGenerator ¶type CipherDataGenerator interface {
GenerateCipherData(int, int) (CipherData, error)
}
CipherDataGenerator handles generating proper key and IVs of proper size for the content cipher. CipherDataGenerator will also encrypt the key and store it in the CipherData.
func NewKMSKeyGenerator ¶func NewKMSKeyGenerator(kmsClient kmsiface.KMSAPI, cmkID string) CipherDataGenerator
NewKMSKeyGenerator builds a new KMS key provider using the customer key ID and material description.
Example:
sess := session.Must(session.NewSession())
cmkID := "arn to key"
matdesc := s3crypto.MaterialDescription{}
handler := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkID)
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func NewKMSKeyGeneratorWithMatDesc ¶func NewKMSKeyGeneratorWithMatDesc(kmsClient kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGenerator
NewKMSKeyGeneratorWithMatDesc builds a new KMS key provider using the customer key ID and material description.
Example:
sess := session.Must(session.NewSession())
cmkID := "arn to key"
matdesc := s3crypto.MaterialDescription{}
handler := s3crypto.NewKMSKeyGeneratorWithMatDesc(kms.New(sess), cmkID, matdesc)
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
type CipherDataGeneratorWithCEKAlg ¶type CipherDataGeneratorWithCEKAlg interface {
GenerateCipherDataWithCEKAlg(ctx aws.Context, keySize, ivSize int, cekAlgorithm string) (CipherData, error)
}
CipherDataGeneratorWithCEKAlg handles generating proper key and IVs of proper size for the content cipher. CipherDataGenerator will also encrypt the key and store it in the CipherData.
func NewKMSContextKeyGenerator ¶func NewKMSContextKeyGenerator(client kmsiface.KMSAPI, cmkID string, matdesc MaterialDescription) CipherDataGeneratorWithCEKAlg
NewKMSContextKeyGenerator builds a new kms+context key provider using the customer key ID and material description.
Example:
sess := session.Must(session.NewSession()) cmkID := "KMS Key ARN" var matdesc s3crypto.MaterialDescription handler := s3crypto.NewKMSContextKeyGenerator(kms.New(sess), cmkID, matdesc)type CipherDataGeneratorWithContext ¶
type CipherDataGeneratorWithContext interface {
GenerateCipherDataWithContext(aws.Context, int, int) (CipherData, error)
}
CipherDataGeneratorWithContext handles generating proper key and IVs of proper size for the content cipher. CipherDataGenerator will also encrypt the key and store it in the CipherData.
type ContentCipher ¶type ContentCipher interface {
EncryptContents(io.Reader) (io.Reader, error)
DecryptContents(io.ReadCloser) (io.ReadCloser, error)
GetCipherData() CipherData
}
ContentCipher deals with encrypting and decrypting content
type ContentCipherBuilder ¶type ContentCipherBuilder interface {
ContentCipher() (ContentCipher, error)
}
ContentCipherBuilder is a builder interface that builds ciphers for each request.
func AESCBCContentCipherBuilder ¶func AESCBCContentCipherBuilder(generator CipherDataGenerator, padder Padder) ContentCipherBuilder
AESCBCContentCipherBuilder returns a new encryption only AES/CBC mode structure using the provided padder. The provided cipher data generator will be used to provide keys for content encryption.
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func AESGCMContentCipherBuilder ¶func AESGCMContentCipherBuilder(generator CipherDataGenerator) ContentCipherBuilder
AESGCMContentCipherBuilder returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption.
Note: This uses the Go stdlib AEAD implementation for AES/GCM. Due to this objects to be encrypted or decrypted will be fully loaded into memory before encryption or decryption can occur. Caution must be taken to avoid memory allocation failures.
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func AESGCMContentCipherBuilderV2 ¶func AESGCMContentCipherBuilderV2(generator CipherDataGeneratorWithCEKAlg) ContentCipherBuilder
AESGCMContentCipherBuilderV2 returns a new encryption only AES/GCM mode structure with a specific cipher data generator that will provide keys to be used for content encryption. This type is compatible with the V2 encryption client.
Note: This uses the Go stdlib AEAD implementation for AES/GCM. Due to this objects to be encrypted or decrypted will be fully loaded into memory before encryption or decryption can occur. Caution must be taken to avoid memory allocation failures.
type ContentCipherBuilderWithContext ¶type ContentCipherBuilderWithContext interface {
ContentCipherWithContext(aws.Context) (ContentCipher, error)
}
ContentCipherBuilderWithContext is a builder interface that builds ciphers for each request.
type CryptoReadCloser ¶type CryptoReadCloser struct {
Body io.ReadCloser
Decrypter io.Reader
}
CryptoReadCloser handles closing of the body and allowing reads from the decrypted content.
func (*CryptoReadCloser) Close ¶func (rc *CryptoReadCloser) Close() error
Close lets the CryptoReadCloser satisfy io.ReadCloser interface
func (*CryptoReadCloser) Read ¶func (rc *CryptoReadCloser) Read(b []byte) (int, error)
Read lets the CryptoReadCloser satisfy io.ReadCloser interface
type CryptoRegistry ¶type CryptoRegistry struct {
}
CryptoRegistry is a collection of registries for configuring a decryption client with different key wrapping algorithms, content encryption algorithms, and padders.
func NewCryptoRegistry ¶func NewCryptoRegistry() *CryptoRegistry
NewCryptoRegistry creates a new CryptoRegistry to which wrapping algorithms, content encryption ciphers, and padders can be registered for use with the DecryptionClientV2.
func (*CryptoRegistry) AddCEK ¶func (c *CryptoRegistry) AddCEK(name string, entry CEKEntry) error
AddCEK registers CEKEntry under the given name, returns an error if a CEKEntry is already present for the given name.
This method should only be used if you need to register custom content encryption algorithms. Please see the following methods for helpers to register AWS provided algorithms:
RegisterAESGCMContentCipher (AES/GCM) RegisterAESCBCContentCipher (AES/CBC)func (*CryptoRegistry) AddPadder ¶
func (c *CryptoRegistry) AddPadder(name string, padder Padder) error
AddPadder registers Padder under the given name, returns an error if a Padder is already present for the given name.
This method should only be used to register custom padder implementations not provided by AWS.
func (*CryptoRegistry) AddWrap ¶func (c *CryptoRegistry) AddWrap(name string, entry WrapEntry) error
AddWrap registers the provided WrapEntry under the given name, returns an error if a WrapEntry is already present for the given name.
This method should only be used if you need to register custom wrapping algorithms. Please see the following methods for helpers to register AWS provided algorithms:
RegisterKMSContextWrapWithAnyCMK (kms+context) RegisterKMSContextWrapWithCMK (kms+context) RegisterKMSWrapWithAnyCMK (kms) RegisterKMSWrapWithCMK (kms)func (CryptoRegistry) GetCEK ¶
func (c CryptoRegistry) GetCEK(name string) (CEKEntry, bool)
GetCEK returns the CEKEntry identified by the given name. Returns false if the entry is not registered.
func (*CryptoRegistry) GetPadder ¶func (c *CryptoRegistry) GetPadder(name string) (Padder, bool)
GetPadder returns the Padder identified by name. If the Padder is not present, returns false.
func (CryptoRegistry) GetWrap ¶func (c CryptoRegistry) GetWrap(name string) (WrapEntry, bool)
GetWrap returns the WrapEntry identified by the given name. Returns false if the entry is not registered.
func (*CryptoRegistry) RemoveCEK ¶func (c *CryptoRegistry) RemoveCEK(name string) (CEKEntry, bool)
RemoveCEK removes the CEKEntry identified by name. If the entry is not present returns false.
func (*CryptoRegistry) RemovePadder ¶func (c *CryptoRegistry) RemovePadder(name string) (Padder, bool)
RemovePadder removes the Padder identified by name. If the entry is not present returns false.
func (*CryptoRegistry) RemoveWrap ¶func (c *CryptoRegistry) RemoveWrap(name string) (WrapEntry, bool)
RemoveWrap removes the WrapEntry identified by name. If the WrapEntry is not present returns false.
type Decrypter ¶type Decrypter interface {
Decrypt(io.Reader) io.Reader
}
Decrypter interface with only the decrypt method
type DecryptionClient ¶type DecryptionClient struct {
S3Client s3iface.S3API
LoadStrategy LoadStrategy
WrapRegistry map[string]WrapEntry
CEKRegistry map[string]CEKEntry
PadderRegistry map[string]Padder
}
DecryptionClient is an S3 crypto client. The decryption client will handle all get object requests from Amazon S3. Supported key wrapping algorithms:
*AWS KMS
Supported content ciphers:
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func NewDecryptionClient ¶func NewDecryptionClient(prov client.ConfigProvider, options ...func(*DecryptionClient)) *DecryptionClient
NewDecryptionClient instantiates a new S3 crypto client
Example:
sess := session.Must(session.NewSession())
svc := s3crypto.NewDecryptionClient(sess, func(svc *s3crypto.DecryptionClient{
// Custom client options here
}))
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func (*DecryptionClient) GetObject ¶func (c *DecryptionClient) GetObject(input *s3.GetObjectInput) (*s3.GetObjectOutput, error)
GetObject is a wrapper for GetObjectRequest
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func (*DecryptionClient) GetObjectRequest ¶func (c *DecryptionClient) GetObjectRequest(input *s3.GetObjectInput) (*request.Request, *s3.GetObjectOutput)
GetObjectRequest will make a request to s3 and retrieve the object. In this process decryption will be done. The SDK only supports V2 reads of KMS and GCM.
Example:
sess := session.Must(session.NewSession())
svc := s3crypto.NewDecryptionClient(sess)
req, out := svc.GetObjectRequest(&s3.GetObjectInput {
Key: aws.String("testKey"),
Bucket: aws.String("testBucket"),
})
err := req.Send()
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func (*DecryptionClient) GetObjectWithContext ¶func (c *DecryptionClient) GetObjectWithContext(ctx aws.Context, input *s3.GetObjectInput, opts ...request.Option) (*s3.GetObjectOutput, error)
GetObjectWithContext is a wrapper for GetObjectRequest with the additional context, and request options support.
GetObjectWithContext is the same as GetObject with the additional support for Context input parameters. The Context must not be nil. A nil Context will cause a panic. Use the Context to add deadlining, timeouts, etc. In the future this may create sub-contexts for individual underlying requests.
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
type DecryptionClientOptions ¶type DecryptionClientOptions struct {
S3Client s3iface.S3API
LoadStrategy LoadStrategy
CryptoRegistry *CryptoRegistry
}
DecryptionClientOptions is the configuration options for DecryptionClientV2.
type DecryptionClientV2 ¶type DecryptionClientV2 struct {
}
DecryptionClientV2 is an S3 crypto client. The decryption client will handle all get object requests from Amazon S3. Supported key wrapping algorithms:
Supported content ciphers:
func NewDecryptionClientV2(
prov client.ConfigProvider, cryptoRegistry *CryptoRegistry,
options ...func(clientOptions *DecryptionClientOptions),
) (*DecryptionClientV2, error)
NewDecryptionClientV2 instantiates a new DecryptionClientV2. The NewDecryptionClientV2 must be configured with the desired key wrapping and content encryption algorithms that are required to be read by the client. These algorithms are registered by providing the client a CryptoRegistry that has been constructed with the desired configuration. NewDecryptionClientV2 will return an error if no key wrapping or content encryption algorithms have been provided.
Example:
sess := session.Must(session.NewSession())
cr := s3crypto.NewCryptoRegistry()
if err := s3crypto.RegisterKMSContextWrapWithAnyCMK(cr, kms.New(sess)); err != nil {
panic(err) // handle error
}
if err := s3crypto.RegisterAESGCMContentCipher(cr); err != nil {
panic(err) // handle error
}
svc, err := s3crypto.NewDecryptionClientV2(sess, cr, func(o *s3crypto.DecryptionClientOptions) {
// Custom client options here
})
if err != nil {
panic(err) // handle error
}
â¹ Example (Migration00)
â¾ Example (Migration00)
ExampleNewDecryptionClientV2_migration00 provides a migration example for how users can migrate from the V1 Decryption Clients to the V2 Decryption Clients.
Code:
sess := session.Must(session.NewSession())
registry := s3crypto.NewCryptoRegistry()
kmsClient := kms.New(sess)
if err := s3crypto.RegisterKMSWrapWithAnyCMK(registry, kmsClient); err != nil {
fmt.Printf("error: %v", err)
return
}
if err := s3crypto.RegisterKMSContextWrapWithAnyCMK(registry, kmsClient); err != nil {
fmt.Printf("error: %v", err)
return
}
if err := s3crypto.RegisterAESCBCContentCipher(registry, s3crypto.AESCBCPadder); err != nil {
fmt.Printf("error: %v", err)
return
}
if err := s3crypto.RegisterAESGCMContentCipher(registry); err != nil {
fmt.Printf("error: %v", err)
return
}
decryptionClient, err := s3crypto.NewDecryptionClientV2(sess, registry)
if err != nil {
fmt.Printf("error: %v", err)
return
}
getObject, err := decryptionClient.GetObject(&s3.GetObjectInput{
Bucket: aws.String("your_bucket"),
Key: aws.String("your_key"),
})
if err != nil {
fmt.Printf("get object error: %v\n", err)
return
}
_, err = ioutil.ReadAll(getObject.Body)
if err != nil {
fmt.Printf("error reading object: %v\n", err)
}
fmt.Println("get object completed")
â¹ Example (Migration01)
â¾ Example (Migration01)
ExampleNewDecryptionClientV2_migration01 provides a more advanced migration example for how users can migrate from the V1 decryption client to the V2 decryption client using more complex client construction.
Code:
sess := session.Must(session.NewSession())
registry := s3crypto.NewCryptoRegistry()
kmsClient := kms.New(sess)
if err := s3crypto.RegisterKMSWrapWithAnyCMK(registry, kmsClient); err != nil {
fmt.Printf("error: %v", err)
return
}
if err := s3crypto.RegisterAESGCMContentCipher(registry); err != nil {
fmt.Printf("error: %v", err)
return
}
decryptionClient, err := s3crypto.NewDecryptionClientV2(sess, registry, func(o *s3crypto.DecryptionClientOptions) {
o.S3Client = s3.New(sess, &aws.Config{Region: aws.String("us-west-2")})
})
if err != nil {
fmt.Printf("error: %v", err)
return
}
getObject, err := decryptionClient.GetObject(&s3.GetObjectInput{
Bucket: aws.String("your_bucket"),
Key: aws.String("your_key"),
})
if err != nil {
fmt.Printf("get object error: %v\n", err)
return
}
_, err = ioutil.ReadAll(getObject.Body)
if err != nil {
fmt.Printf("error reading object: %v\n", err)
}
fmt.Println("get object completed")
func (*DecryptionClientV2) GetObject ¶
func (c *DecryptionClientV2) GetObject(input *s3.GetObjectInput) (*s3.GetObjectOutput, error)
GetObject is a wrapper for GetObjectRequest
func (*DecryptionClientV2) GetObjectRequest ¶func (c *DecryptionClientV2) GetObjectRequest(input *s3.GetObjectInput) (*request.Request, *s3.GetObjectOutput)
GetObjectRequest will make a request to s3 and retrieve the object. In this process decryption will be done. The SDK only supports V2 reads of KMS and GCM.
Example:
req, out := svc.GetObjectRequest(&s3.GetObjectInput {
Key: aws.String("testKey"),
Bucket: aws.String("testBucket"),
})
err := req.Send()
func (*DecryptionClientV2) GetObjectWithContext ¶
func (c *DecryptionClientV2) GetObjectWithContext(ctx aws.Context, input *s3.GetObjectInput, opts ...request.Option) (*s3.GetObjectOutput, error)
GetObjectWithContext is a wrapper for GetObjectRequest with the additional context, and request options support.
GetObjectWithContext is the same as GetObject with the additional support for Context input parameters. The Context must not be nil. A nil Context will cause a panic. Use the Context to add deadlining, timeouts, etc. In the future this may create sub-contexts for individual underlying requests.
type Encrypter ¶type Encrypter interface {
Encrypt(io.Reader) io.Reader
}
Encrypter interface with only the encrypt method
type EncryptionClient ¶type EncryptionClient struct {
S3Client s3iface.S3API
ContentCipherBuilder ContentCipherBuilder
SaveStrategy SaveStrategy
TempFolderPath string
MinFileSize int64
}
EncryptionClient is an S3 crypto client. By default the SDK will use Authentication mode which will use KMS for key wrapping and AES GCM for content encryption. AES GCM will load all data into memory. However, the rest of the content algorithms do not load the entire contents into memory.
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func NewEncryptionClient ¶func NewEncryptionClient(prov client.ConfigProvider, builder ContentCipherBuilder, options ...func(*EncryptionClient)) *EncryptionClient
NewEncryptionClient instantiates a new S3 crypto client
Example:
cmkID := "arn:aws:kms:region:000000000000:key/00000000-0000-0000-0000-000000000000" sess := session.Must(session.NewSession()) handler := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkID) svc := s3crypto.NewEncryptionClient(sess, s3crypto.AESGCMContentCipherBuilder(handler))
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func (*EncryptionClient) PutObject ¶func (c *EncryptionClient) PutObject(input *s3.PutObjectInput) (*s3.PutObjectOutput, error)
PutObject is a wrapper for PutObjectRequest
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func (*EncryptionClient) PutObjectRequest ¶func (c *EncryptionClient) PutObjectRequest(input *s3.PutObjectInput) (*request.Request, *s3.PutObjectOutput)
PutObjectRequest creates a temp file to encrypt the contents into. It then streams that data to S3.
Example:
svc := s3crypto.NewEncryptionClient(session.Must(session.NewSession()), s3crypto.AESGCMContentCipherBuilder(handler))
req, out := svc.PutObjectRequest(&s3.PutObjectInput {
Key: aws.String("testKey"),
Bucket: aws.String("testBucket"),
Body: strings.NewReader("test data"),
})
err := req.Send()
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
func (*EncryptionClient) PutObjectWithContext ¶func (c *EncryptionClient) PutObjectWithContext(ctx aws.Context, input *s3.PutObjectInput, opts ...request.Option) (*s3.PutObjectOutput, error)
PutObjectWithContext is a wrapper for PutObjectRequest with the additional context, and request options support.
PutObjectWithContext is the same as PutObject with the additional support for Context input parameters. The Context must not be nil. A nil Context will cause a panic. Use the Context to add deadlining, timeouts, etc. In the future this may create sub-contexts for individual underlying requests. PutObject is a wrapper for PutObjectRequest
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
type EncryptionClientOptions ¶type EncryptionClientOptions struct {
S3Client s3iface.S3API
ContentCipherBuilder ContentCipherBuilder
SaveStrategy SaveStrategy
TempFolderPath string
MinFileSize int64
}
EncryptionClientOptions is the configuration options for EncryptionClientV2
type EncryptionClientV2 ¶type EncryptionClientV2 struct {
}
EncryptionClientV2 is an S3 crypto client. By default the SDK will use Authentication mode which will use KMS for key wrapping and AES GCM for content encryption. AES GCM will load all data into memory. However, the rest of the content algorithms do not load the entire contents into memory.
func NewEncryptionClientV2 ¶func NewEncryptionClientV2(prov client.ConfigProvider, contentCipherBuilder ContentCipherBuilder, options ...func(clientOptions *EncryptionClientOptions),
) (
client *EncryptionClientV2, err error,
)
NewEncryptionClientV2 instantiates a new S3 crypto client. An error will be returned to the caller if the provided contentCipherBuilder has been deprecated or was constructed with a deprecated component.
Example:
cmkID := "arn:aws:kms:region:000000000000:key/00000000-0000-0000-0000-000000000000" sess := session.Must(session.NewSession()) var matdesc s3crypto.MaterialDescription handler := s3crypto.NewKMSContextKeyGenerator(kms.New(sess), cmkID, matdesc) svc := s3crypto.NewEncryptionClientV2(sess, s3crypto.AESGCMContentCipherBuilderV2(handler))
â¹ Example (Migration00)
â¾ Example (Migration00)
ExampleNewEncryptionClientV2_migration00 provides a migration example for how users can migrate from the V1 encryption client to the V2 encryption client. This example demonstrates how an application using the `kms` key wrap algorithm with `AES/CBC/PKCS5Padding` can migrate their application to `kms+context` key wrapping with `AES/GCM/NoPadding` content encryption.
Code:
sess := session.Must(session.NewSession())
kmsClient := kms.New(sess)
cmkID := "1234abcd-12ab-34cd-56ef-1234567890ab"
cipherDataGenerator := s3crypto.NewKMSContextKeyGenerator(kmsClient, cmkID, s3crypto.MaterialDescription{})
contentCipherBuilder := s3crypto.AESGCMContentCipherBuilderV2(cipherDataGenerator)
encryptionClient, err := s3crypto.NewEncryptionClientV2(sess, contentCipherBuilder)
if err != nil {
fmt.Printf("failed to construct encryption client: %v", err)
return
}
_, err = encryptionClient.PutObject(&s3.PutObjectInput{
Bucket: aws.String("your_bucket"),
Key: aws.String("your_key"),
Body: bytes.NewReader([]byte("your content")),
})
if err != nil {
fmt.Printf("put object error: %v\n", err)
return
}
fmt.Println("put object completed")
â¹ Example (Migration01)
â¾ Example (Migration01)
ExampleNewEncryptionClientV2_migration01 provides a more advanced migration example for how users can migrate from the V1 encryption client to the V2 encryption client using more complex client construction.
Code:
sess := session.Must(session.NewSession())
kmsClient := kms.New(sess)
cmkID := "1234abcd-12ab-34cd-56ef-1234567890ab"
cipherDataGenerator := s3crypto.NewKMSContextKeyGenerator(kmsClient, cmkID, s3crypto.MaterialDescription{})
contentCipherBuilder := s3crypto.AESGCMContentCipherBuilderV2(cipherDataGenerator)
encryptionClient, err := s3crypto.NewEncryptionClientV2(sess, contentCipherBuilder, func(o *s3crypto.EncryptionClientOptions) {
o.S3Client = s3.New(sess, &aws.Config{Region: aws.String("us-west-2")})
})
if err != nil {
fmt.Printf("failed to construct encryption client: %v", err)
return
}
_, err = encryptionClient.PutObject(&s3.PutObjectInput{
Bucket: aws.String("your_bucket"),
Key: aws.String("your_key"),
Body: bytes.NewReader([]byte("your content")),
})
if err != nil {
fmt.Printf("put object error: %v\n", err)
return
}
fmt.Println("put object completed")
func (*EncryptionClientV2) PutObject ¶
func (c *EncryptionClientV2) PutObject(input *s3.PutObjectInput) (*s3.PutObjectOutput, error)
PutObject is a wrapper for PutObjectRequest
func (*EncryptionClientV2) PutObjectRequest ¶func (c *EncryptionClientV2) PutObjectRequest(input *s3.PutObjectInput) (*request.Request, *s3.PutObjectOutput)
PutObjectRequest creates a temp file to encrypt the contents into. It then streams that data to S3.
Example:
req, out := svc.PutObjectRequest(&s3.PutObjectInput {
Key: aws.String("testKey"),
Bucket: aws.String("testBucket"),
Body: strings.NewReader("test data"),
})
err := req.Send()
func (*EncryptionClientV2) PutObjectWithContext ¶
func (c *EncryptionClientV2) PutObjectWithContext(ctx aws.Context, input *s3.PutObjectInput, opts ...request.Option) (*s3.PutObjectOutput, error)
PutObjectWithContext is a wrapper for PutObjectRequest with the additional context, and request options support.
PutObjectWithContext is the same as PutObject with the additional support for Context input parameters. The Context must not be nil. A nil Context will cause a panic. Use the Context to add deadlining, timeouts, etc. In the future this may create sub-contexts for individual underlying requests.
type Envelope ¶type Envelope struct {
IV string `json:"x-amz-iv"`
CipherKey string `json:"x-amz-key-v2"`
MatDesc string `json:"x-amz-matdesc"`
WrapAlg string `json:"x-amz-wrap-alg"`
CEKAlg string `json:"x-amz-cek-alg"`
TagLen string `json:"x-amz-tag-len"`
UnencryptedMD5 string `json:"-"`
UnencryptedContentLen string `json:"x-amz-unencrypted-content-length"`
}
Envelope encryption starts off by generating a random symmetric key using AES GCM. The SDK generates a random IV based off the encryption cipher chosen. The master key that was provided, whether by the user or KMS, will be used to encrypt the randomly generated symmetric key and base64 encode the iv. This will allow for decryption of that same data later.
func (*Envelope) UnmarshalJSON ¶func (e *Envelope) UnmarshalJSON(value []byte) error
UnmarshalJSON unmarshalls the given JSON bytes into Envelope
type HeaderV2LoadStrategy struct{}
HeaderV2LoadStrategy will load the envelope from the metadata
func (load HeaderV2LoadStrategy) Load(req *request.Request) (Envelope, error)
Load from a given object's header
type HeaderV2SaveStrategy struct{}
HeaderV2SaveStrategy will save the metadata of the crypto contents to the header of the object.
func (strat HeaderV2SaveStrategy) Save(env Envelope, req *request.Request) error
Save will save the envelope to the request's header.
type LoadStrategy ¶type LoadStrategy interface {
Load(*request.Request) (Envelope, error)
}
LoadStrategy ...
type MaterialDescription ¶type MaterialDescription map[string]*string
MaterialDescription is used to identify how and what master key has been used.
func (MaterialDescription) Clone ¶func (md MaterialDescription) Clone() (clone MaterialDescription)
Clone returns a copy of the MaterialDescription
type Padder ¶type Padder interface {
Pad([]byte, int) ([]byte, error)
Unpad([]byte) ([]byte, error)
Name() string
}
Padder handles padding of crypto data
func NewPKCS7Padder ¶func NewPKCS7Padder(blockSize int) Padder
NewPKCS7Padder follows the RFC 2315: https://www.ietf.org/rfc/rfc2315.txt PKCS7 padding is subject to side-channel attacks and timing attacks. For the most secure data, use an authenticated crypto algorithm.
type S3LoadStrategy ¶type S3LoadStrategy struct {
Client *s3.S3
InstructionFileSuffix string
}
S3LoadStrategy will load the instruction file from s3
func (S3LoadStrategy) Load ¶func (load S3LoadStrategy) Load(req *request.Request) (Envelope, error)
Load from a given instruction file suffix
type S3SaveStrategy ¶type S3SaveStrategy struct {
Client *s3.S3
InstructionFileSuffix string
}
S3SaveStrategy will save the metadata to a separate instruction file in S3
func (S3SaveStrategy) Save ¶func (strat S3SaveStrategy) Save(env Envelope, req *request.Request) error
Save will save the envelope contents to s3.
type SaveStrategy ¶type SaveStrategy interface {
Save(Envelope, *request.Request) error
}
SaveStrategy is how the data's metadata wants to be saved
type WrapEntry ¶type WrapEntry func(Envelope) (CipherDataDecrypter, error)
WrapEntry is builder that return a proper key decrypter and error
func NewKMSWrapEntry ¶func NewKMSWrapEntry(kmsClient kmsiface.KMSAPI) WrapEntry
NewKMSWrapEntry builds returns a new KMS key provider and its decrypt handler.
Example:
sess := session.Must(session.NewSession())
customKMSClient := kms.New(sess)
decryptHandler := s3crypto.NewKMSWrapEntry(customKMSClient)
svc := s3crypto.NewDecryptionClient(sess, func(svc *s3crypto.DecryptionClient) {
svc.WrapRegistry[s3crypto.KMSWrap] = decryptHandler
}))
Deprecated: This feature is in maintenance mode, no new updates will be released. Please see https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html for more information.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4