I'm trying to test the most basic use cases around encryption/decryption with AWS S3 and AWS java SDK (trying both v1 and v2).
So this is what I'm doing:
I upload a small json file using aws console, and then I check that in Properties > crypt, "AWS-KMS" is selected and my key alias is selected. I assume this tells me the file is encrypted with my key, but I have no way to check this, since if I try to open the file using aws console, it's in clear text.
I try to download the file using various methods, and I expect to get an encrypted file when I use the most basic method.
So by using this client (sdk v2):

    import org.springframework.context.annotation.Bean;
    import software.amazon.awssdk.regions.Region;
    import software.amazon.awssdk.services.s3.S3Client;

    @Bean
    public S3Client s3Clientv2(AppProperties appProperties, CustomAwsCredentialsProvider customAwsCredentialsProvider) {
        // httpClientBuilder is assumed to be a field configured elsewhere in this class
        return S3Client.builder()
                .httpClientBuilder(httpClientBuilder)
                .credentialsProvider(customAwsCredentialsProvider)
                .region(Region.EU_WEST_3)
                .build();
    }
and this download method:

    import java.nio.file.Paths;
    import software.amazon.awssdk.core.sync.ResponseTransformer;
    import software.amazon.awssdk.services.s3.model.GetObjectRequest;

    public void downloadFile(String bucket, String key) {
        s3Client.getObject(GetObjectRequest.builder().bucket(bucket).key(key).build(),
                ResponseTransformer.toFile(Paths.get("test_aws.json")));
    }
I expected to get an encrypted file, but it was not.
Then I tried to use a client able to "encrypt/decrypt" by itself ("Any objects you get from Amazon S3 using this client are automatically decrypted", source: https://docs.aws.amazon.com/en_pv/sdk-for-java/v1/developer-guide/examples-crypto-kms.html):

    import com.amazonaws.regions.Region;
    import com.amazonaws.regions.Regions;
    import com.amazonaws.services.s3.AmazonS3Encryption;
    import com.amazonaws.services.s3.AmazonS3EncryptionClientBuilder;
    import com.amazonaws.services.s3.model.CryptoConfiguration;
    import com.amazonaws.services.s3.model.CryptoMode;
    import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;

    AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder
            .standard()
            .withRegion(Regions.US_WEST_2)
            .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly).withAwsKmsRegion(Region.getRegion(Regions.US_WEST_2)))
            // Can either be Key ID or alias (prefixed with 'alias/')
            .withEncryptionMaterials(new KMSEncryptionMaterialsProvider("alias/s3-kms-key"))
            .build();
But using:

    S3Object file = s3Encryption.getObject(new GetObjectRequest(bucket, key));

with this client gets me a warning: "Unable to detect encryption information for object '%s' in bucket '%s'. Returning object without decryption."
- So what am I doing wrong here?
- How can I check my file is really encrypted?
- What would be the right config to download it and decrypt it without a "file not encrypted" warning?
Update: of course I've checked the object metadata, which does contain the KMS information and the KMS key id, but the encryption client is expecting some other information about this:

    // from com.amazonaws.services.s3.Headers
    /** Initialization vector (IV) header that is used in the symmetric and envelope encryption mechanisms */
    public static final String CRYPTO_IV = "x-amz-iv";

and this:

    /**
     * Encrypted symmetric key header that is used in the Encryption Only (EO) envelope
     * encryption mechanism.
     */
    public static final String CRYPTO_KEY = "x-amz-key";
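Added example, not code from the question or from the AWS docs: with SDK v2 a HeadObject call shows how an object is protected without downloading it, which is the way to check the "is it really encrypted" question, since S3 decrypts SSE-KMS objects transparently on a plain GET and the downloaded bytes are always plaintext. It assumes an existing S3Client and Java 16+ (for the record), and takes the client-side metadata names x-amz-key and x-amz-iv from the constants quoted above (x-amz-key-v2 is the header the SDK's newer crypto modes use).

```java
import java.util.Map;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.HeadObjectRequest;
import software.amazon.awssdk.services.s3.model.HeadObjectResponse;
import software.amazon.awssdk.services.s3.model.ServerSideEncryption;

/** How an S3 object is protected at rest, read from its HEAD response rather than its bytes. */
public final class S3EncryptionCheck {

    public record Result(ServerSideEncryption sse, String kmsKeyId, boolean clientSideEnvelope) {
        /** True only when S3 reports SSE-KMS under the expected key (full ARN or trailing key id). */
        public boolean isSseKmsWith(String expectedKeyIdOrArn) {
            return sse == ServerSideEncryption.AWS_KMS
                    && kmsKeyId != null
                    && (kmsKeyId.equals(expectedKeyIdOrArn) || kmsKeyId.endsWith(expectedKeyIdOrArn));
        }
    }

    /** HEAD the object and inspect its encryption headers; no object data is transferred. */
    public static Result inspect(S3Client s3, String bucket, String key) {
        HeadObjectResponse head = s3.headObject(
                HeadObjectRequest.builder().bucket(bucket).key(key).build());

        // Server-side encryption (SSE-S3 / SSE-KMS): S3 decrypts transparently on GET, so a
        // downloaded file is always plaintext; the evidence is in these response headers.
        ServerSideEncryption sse = head.serverSideEncryption(); // null when the object is not SSE
        String kmsKeyId = head.ssekmsKeyId();                   // set only for AWS_KMS

        // Client-side envelope encryption (AmazonS3EncryptionClient) is recorded as user
        // metadata instead; the SDK strips the x-amz-meta- prefix from the keys. Only objects
        // uploaded through that client carry these, which is why a console upload has none.
        Map<String, String> meta = head.metadata();
        boolean envelope = meta.containsKey("x-amz-iv")
                && (meta.containsKey("x-amz-key") || meta.containsKey("x-amz-key-v2"));

        return new Result(sse, kmsKeyId, envelope);
    }

    public static void main(String[] args) {
        // Constructed placeholder bucket/key; credentials and region come from the default chain.
        try (S3Client s3 = S3Client.create()) {
            Result r = inspect(s3, "my-bucket", "test_aws.json");
            System.out.println("sse=" + r.sse() + " kmsKeyId=" + r.kmsKeyId()
                    + " clientSideEnvelope=" + r.clientSideEnvelope());
        }
    }
}
```

An object uploaded through the console with SSE-KMS selected will report sse=AWS_KMS with the key ARN and clientSideEnvelope=false, which is exactly the combination that makes the v1 encryption client log "Unable to detect encryption information".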