/** * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCredentials(AWSCredentialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCryptoConfiguration(CryptoConfiguration)} and * {@link AmazonS3EncryptionClientBuilder#withClientConfiguration(ClientConfiguration)} and * {@link AmazonS3EncryptionClientBuilder#withMetricsCollector(RequestMetricCollector)} and * {@link AmazonS3EncryptionClientBuilder#withKmsClient(AWSKMS)} */ @Deprecated public AmazonS3EncryptionClient(AWSKMSClient kms, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector) { super(credentialsProvider, clientConfig, requestMetricCollector); assertParameterNotNull(kekMaterialsProvider, "EncryptionMaterialsProvider parameter must not be null."); assertParameterNotNull(cryptoConfig, "CryptoConfiguration parameter must not be null."); this.isKMSClientInternal = kms == null; this.kms = isKMSClientInternal ? newAWSKMSClient(credentialsProvider, clientConfig, cryptoConfig, requestMetricCollector) : kms; this.crypto = new CryptoModuleDispatcher(this.kms, new S3DirectImpl(), credentialsProvider, kekMaterialsProvider, cryptoConfig); }
/** * Uses AES/GCM with AESWrap key wrapping to encrypt the key. Uses v2 metadata schema. Note that authenticated * encryption requires the bouncy castle provider to be on the classpath. Also, for authenticated encryption the size * of the data can be no longer than 64 GB. */ public void authenticatedEncryption_CustomerManagedKey() throws NoSuchAlgorithmException { SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey(); AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)) .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey))) .build(); AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.defaultClient(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents"); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY)); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY)); }
/** * For ranged GET we do not use authenticated encryption since we aren't reading the entire message and can't produce the * MAC. Instead we use AES/CTR, an unauthenticated encryption algorithm. If {@link CryptoMode#StrictAuthenticatedEncryption} * is enabled, ranged GETs will not be allowed since they do not use authenticated encryption.. */ public void authenticatedEncryption_RangeGet_CustomerManagedKey() throws NoSuchAlgorithmException { SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey(); AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)) .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey))) .build(); AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.defaultClient(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents"); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY)); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY)); }
/** * Same as {@link #authenticatedEncryption_CustomerManagedKey()} except uses an asymmetric key pair and * RSA/ECB/OAEPWithSHA-256AndMGF1Padding as the key wrapping algorithm. */ public void authenticatedEncryption_CustomerManagedAsymmetricKey() throws NoSuchAlgorithmException { KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair(); AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)) .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(keyPair))) .build(); AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.defaultClient(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents"); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY)); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY)); }
/** * Uses AES/GCM with AESWrap key wrapping to encrypt the key. Uses v2 metadata schema. The only difference between this and * {@link #authenticatedEncryption_CustomerManagedKey()} is that attempting to retrieve an object non * encrypted with AES/GCM will thrown an exception instead of falling back to encryption only or plaintext GET. */ public void strictAuthenticatedEncryption_CustomerManagedKey() throws NoSuchAlgorithmException { SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey(); AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption)) .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey))) .build(); AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.defaultClient(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents"); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY)); try { s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY); } catch (SecurityException e) { // Strict authenticated encryption will throw an exception if an object is not encrypted with AES/GCM System.err.println(NON_ENCRYPTED_KEY + " was not encrypted with AES/GCM"); } }
/** * Strict authenticated encryption mode does not support ranged GETs. This is because we must use AES/CTR for ranged * GETs which is not an authenticated encryption algorithm. To do a partial get using authenticated encryption you have to * get the whole object and filter to the data you want. */ public void strictAuthenticatedEncryption_RangeGet_CustomerManagedKey() throws NoSuchAlgorithmException { SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey(); AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.StrictAuthenticatedEncryption)) .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey))) .build(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); try { s3Encryption.getObject(new GetObjectRequest(BUCKET_NAME, ENCRYPTED_KEY).withRange(0, 2)); } catch (SecurityException e) { System.err.println("Range GET is not supported with authenticated encryption"); } }
/** * Uses AES/CBC algorithm, no key wrapping. */ public void encryptionOnly_CustomerManagedKey() throws NoSuchAlgorithmException { SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey(); AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly)) .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey))) .build(); AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.defaultClient(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents"); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY)); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY)); }
/** * Uses an asymmetric key pair instead of a symmetric key. Note this does not change the algorithm used to encrypt * the content, that will still be a symmetric key algorithm (AES/CBC in this case) using the derived CEK. It does impact * the algorithm used to encrypt the CEK, in this case we use RSA/ECB/OAEPWithSHA-256AndMGF1Padding. */ public void encryptionOnly_CustomerManagedAsymetricKey() throws NoSuchAlgorithmException { KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair(); AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly)) .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(keyPair))) .build(); AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.defaultClient(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents"); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY)); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY)); }
/** * This uses the V2 metadata schema with a key wrap algorithm of 'kms' and a CEK algorithm of AES/CBC/PKCS5Padding. */ public void encryptionOnly_KmsManagedKey() throws NoSuchAlgorithmException { AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly)) // Can either be Key ID or alias (prefixed with 'alias/') .withEncryptionMaterials(new KMSEncryptionMaterialsProvider("alias/s3-kms-key")) .build(); AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.defaultClient(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents"); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY)); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY)); }
/** * This uses the V2 metadata schema with a key wrap algorithm of 'kms' and a CEK algorithm of AES/GCM/NoPadding. */ public void authenticatedEncryption_KmsManagedKey() throws NoSuchAlgorithmException { AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)) // Can either be Key ID or alias (prefixed with 'alias/') .withEncryptionMaterials(new KMSEncryptionMaterialsProvider("alias/s3-kms-key")) .build(); AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.defaultClient(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents"); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, ENCRYPTED_KEY)); System.out.println(s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY)); }
/** * Same as authenticatedEncryption_KmsManagedKey except throws an exception when trying to get objects not encrypted with * AES/GCM. */ public void strictAuthenticatedEncryption_KmsManagedKey() throws NoSuchAlgorithmException { AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.AuthenticatedEncryption)) // Can either be Key ID or alias (prefixed with 'alias/') .withEncryptionMaterials(new KMSEncryptionMaterialsProvider("alias/s3-kms-key")) .build(); AmazonS3 s3NonEncrypt = AmazonS3ClientBuilder.defaultClient(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); s3NonEncrypt.putObject(BUCKET_NAME, NON_ENCRYPTED_KEY, "some other contents"); try { s3Encryption.getObjectAsString(BUCKET_NAME, NON_ENCRYPTED_KEY); } catch (SecurityException e) { // Strict authenticated encryption will throw an exception if an object is not encrypted with AES/GCM System.err.println(NON_ENCRYPTED_KEY + " was not encrypted with AES/GCM"); } }
private S3StoreService getEncryptedStoreServiceForRegion(String region) { Optional<BackupRegionInfo> backupRegionInfo = configStore.getBackupInfoForRegion(region); if (! backupRegionInfo.isPresent()) { String kmsCmkId = provisionKmsCmkForBackupRegion(region); String backupBucket = provisionBackupBucketForRegion(region); configStore.storeBackupInfoForRegion(region, backupBucket, kmsCmkId); backupRegionInfo = Optional.of(new BackupRegionInfo(backupBucket, kmsCmkId)); } KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(backupRegionInfo.get().getKmsCmkId()); AmazonS3Encryption encryptionClient = AmazonS3EncryptionClientBuilder.standard() .withCredentials(getAWSCredentialsProviderChain()) .withEncryptionMaterials(materialProvider) .withCryptoConfiguration(new CryptoConfiguration() .withAwsKmsRegion(Region.getRegion(Regions.fromName(region)))) .withRegion(region) .build(); S3StoreService storeService = new S3StoreService(encryptionClient, backupRegionInfo.get().getS3Bucket(), ""); regionToEncryptedStoreServiceMap.put(region, storeService); return storeService; }
private void initEncryptedConfigStoreService() { if (encryptedConfigStoreService == null) { final Environment environment = getEnvironmentData(); KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(environment.getConfigKeyId()); AmazonS3EncryptionClient encryptionClient = new AmazonS3EncryptionClient( new DefaultAWSCredentialsProviderChain(), materialProvider, new CryptoConfiguration() .withAwsKmsRegion(Region.getRegion(environmentMetadata.getRegions()))) .withRegion(Region.getRegion(environmentMetadata.getRegions())); encryptedConfigStoreService = new S3StoreService(encryptionClient, environmentMetadata.getBucketName(), ""); } }
AmazonS3EncryptionClientParamsWrapper(AwsSyncClientParams getClientParams, S3ClientOptions getS3ClientOptions, EncryptionMaterialsProvider encryptionMaterials, CryptoConfiguration cryptoConfiguration, AWSKMS kms) { this.encryptionMaterials = encryptionMaterials; this.cryptoConfiguration = cryptoConfiguration; this.kms = kms; this.getClientParams = getClientParams; this.getS3ClientOptions = getS3ClientOptions; }
/** * Construct a synchronous implementation of AmazonS3Encryption using the current builder configuration. * * @return Fully configured implementation of AmazonS3Encryption. */ @Override protected AmazonS3Encryption build(AwsSyncClientParams clientParams) { return new AmazonS3EncryptionClient( new AmazonS3EncryptionClientParamsWrapper(clientParams, resolveS3ClientOptions(), encryptionMaterials, cryptoConfig != null ? cryptoConfig : new CryptoConfiguration(), kms)); }
/** * @param cryptoConfig a read-only copy of the crypto configuration. */ S3CryptoModuleAEStrict(AWSKMS kms, S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { super(kms, s3, credentialsProvider, encryptionMaterialsProvider, cryptoConfig); if (cryptoConfig.getCryptoMode() != StrictAuthenticatedEncryption) throw new IllegalArgumentException(); }
/** * @param cryptoConfig a read-only copy of the crypto configuration. */ protected S3CryptoModuleBase(AWSKMS kms, S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig) { if (!cryptoConfig.isReadOnly()) throw new IllegalArgumentException("The cryto configuration parameter is required to be read-only"); this.kekMaterialsProvider = kekMaterialsProvider; this.s3 = s3; this.cryptoConfig = cryptoConfig; this.cryptoScheme = S3CryptoScheme.from(cryptoConfig.getCryptoMode()); this.contentCryptoScheme = cryptoScheme.getContentCryptoScheme(); this.kms = kms; }
/** * For testing purposes only. */ protected S3CryptoModuleBase(S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, CryptoConfiguration cryptoConfig) { this.kekMaterialsProvider = kekMaterialsProvider; this.s3 = s3; this.cryptoConfig = cryptoConfig; this.cryptoScheme = S3CryptoScheme.from(cryptoConfig.getCryptoMode()); this.contentCryptoScheme = cryptoScheme.getContentCryptoScheme(); this.kms = null; }
/** * @param cryptoConfig a read-only copy of the crypto configuration */ S3CryptoModuleEO(AWSKMS kms, S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { super(kms, s3, credentialsProvider, encryptionMaterialsProvider, cryptoConfig); if (cryptoConfig.getCryptoMode() != EncryptionOnly) throw new IllegalArgumentException(); }
/** * Used for testing purposes only. */ S3CryptoModuleEO(S3Direct s3, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { this(null, s3, new DefaultAWSCredentialsProviderChain(), encryptionMaterialsProvider, cryptoConfig); }
/** * Used for testing purposes only. */ S3CryptoModuleEO(AWSKMS kms, S3Direct s3, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { this(kms, s3, new DefaultAWSCredentialsProviderChain(), encryptionMaterialsProvider, cryptoConfig); }
/** * @param cryptoConfig a read-only copy of the crypto configuration. */ S3CryptoModuleAE(AWSKMS kms, S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { super(kms, s3, credentialsProvider, encryptionMaterialsProvider, cryptoConfig); CryptoMode mode = cryptoConfig.getCryptoMode(); if (mode != StrictAuthenticatedEncryption && mode != AuthenticatedEncryption) { throw new IllegalArgumentException(); } }
/** * Used for testing purposes only. */ S3CryptoModuleAE(S3Direct s3, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { this(null, s3, new DefaultAWSCredentialsProviderChain(), encryptionMaterialsProvider, cryptoConfig); }
/** * Used for testing purposes only. */ S3CryptoModuleAE(AWSKMS kms, S3Direct s3, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { this(kms, s3, new DefaultAWSCredentialsProviderChain(), encryptionMaterialsProvider, cryptoConfig); }
/** * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCredentials(AWSCredentialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCryptoConfiguration(CryptoConfiguration)} and * {@link AmazonS3EncryptionClientBuilder#withClientConfiguration(ClientConfiguration)} */ @Deprecated public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) { this(new StaticCredentialsProvider(credentials), encryptionMaterialsProvider, clientConfig, cryptoConfig); }
/** * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCredentials(AWSCredentialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCryptoConfiguration(CryptoConfiguration)} and * {@link AmazonS3EncryptionClientBuilder#withClientConfiguration(ClientConfiguration)} */ @Deprecated public AmazonS3EncryptionClient( AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) { this(credentialsProvider, kekMaterialsProvider, clientConfig, cryptoConfig, null // request metric collector ); }
/** * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCredentials(AWSCredentialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCryptoConfiguration(CryptoConfiguration)} and * {@link AmazonS3EncryptionClientBuilder#withClientConfiguration(ClientConfiguration)} and * {@link AmazonS3EncryptionClientBuilder#withMetricsCollector(RequestMetricCollector)} */ @Deprecated public AmazonS3EncryptionClient( AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector) { this(null, // KMS client credentialsProvider, kekMaterialsProvider, clientConfig, cryptoConfig, requestMetricCollector); }
/** * Creates and returns a new instance of AWS KMS client in the case when * an explicit AWS KMS client is not specified. */ private AWSKMSClient newAWSKMSClient( AWSCredentialsProvider credentialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector ) { final AWSKMSClient kmsClient = new AWSKMSClient( credentialsProvider, clientConfig, requestMetricCollector); final Region kmsRegion = cryptoConfig.getAwsKmsRegion(); if (kmsRegion != null) kmsClient.setRegion(kmsRegion); return kmsClient; }
public CmsEnvPropertiesLoader(final String bucketName, final String region, final String kmsKeyId) { final KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(kmsKeyId); this.s3Client = new AmazonS3EncryptionClient( new DefaultAWSCredentialsProviderChain(), materialProvider, new CryptoConfiguration() .withAwsKmsRegion(Region.getRegion( Regions.fromName(region)))) .withRegion(Region.getRegion(Regions.fromName(region))); this.bucketName = bucketName; }
/** * Non-authenticated encryption schemes can do range GETs without an issue. */ public void encryptionOnly_RangeGet_CustomerManagedKey() throws NoSuchAlgorithmException { SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey(); AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuilder .standard() .withRegion(Regions.US_WEST_2) .withCryptoConfiguration(new CryptoConfiguration(CryptoMode.EncryptionOnly)) .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(secretKey))) .build(); s3Encryption.putObject(BUCKET_NAME, ENCRYPTED_KEY, "some contents"); System.out.println(s3Encryption.getObject(new GetObjectRequest(BUCKET_NAME, ENCRYPTED_KEY) .withRange(0, 2))); }
private S3StoreService getS3EncryptionStoreService(String cmkId, RestoreCerberusBackupCommand command) { Region region = Region.getRegion(Regions.fromName(command.getS3Region())); KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(cmkId); AmazonS3EncryptionClient encryptionClient = new AmazonS3EncryptionClient( new DefaultAWSCredentialsProviderChain(), materialProvider, new CryptoConfiguration() .withAwsKmsRegion(region)) .withRegion(region); return new S3StoreService(encryptionClient, command.getS3Bucket(), command.getS3Prefix()); }
@Override CryptoConfiguration getCryptoConfiguration() { return cryptoConfiguration; }
public CryptoModuleDispatcher(AWSKMS kms, S3Direct s3, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { cryptoConfig = cryptoConfig.clone(); // make a clone CryptoMode cryptoMode = cryptoConfig.getCryptoMode(); if (cryptoMode == null) { cryptoMode = EncryptionOnly; cryptoConfig.setCryptoMode(cryptoMode); // defaults to EO } cryptoConfig = cryptoConfig.readOnly(); // make read-only this.defaultCryptoMode = cryptoConfig.getCryptoMode(); switch(this.defaultCryptoMode) { case StrictAuthenticatedEncryption: this.ae = new S3CryptoModuleAEStrict(kms, s3, credentialsProvider, encryptionMaterialsProvider, cryptoConfig); this.eo = null; break; case AuthenticatedEncryption: this.ae = new S3CryptoModuleAE(kms, s3, credentialsProvider, encryptionMaterialsProvider, cryptoConfig); this.eo = null; break; case EncryptionOnly: this.eo = new S3CryptoModuleEO(kms, s3, credentialsProvider, encryptionMaterialsProvider, cryptoConfig); CryptoConfiguration aeConfig = cryptoConfig.clone(); try { aeConfig.setCryptoMode(AuthenticatedEncryption); } catch(UnsupportedOperationException ex) { // BC not available during runtime; but EO can still work. // Hence ignoring. } this.ae = new S3CryptoModuleAE(kms, s3, credentialsProvider, encryptionMaterialsProvider, aeConfig.readOnly()); break; default: throw new IllegalStateException(); } }
/** * <p> * Constructs a new Amazon S3 Encryption client that will make <b>anonymous</b> * requests to Amazon S3. If {@link #getObject(String, String)} is called, * the object contents will be decrypted with the encryption materials provided. * </p> * <p> * Only a subset of the Amazon S3 API will work with anonymous * <i>(i.e. unsigned)</i> requests, but this can prove useful in some situations. * For example: * <ul> * <li>If an Amazon S3 bucket has {@link Permission#Read} permission for the * {@link GroupGrantee#AllUsers} group, anonymous clients can call * {@link #listObjects(String)} to see what objects are stored in a bucket.</li> * <li>If an object has {@link Permission#Read} permission for the * {@link GroupGrantee#AllUsers} group, anonymous clients can call * {@link #getObject(String, String)} and * {@link #getObjectMetadata(String, String)} to pull object content and * metadata.</li> * <li>If a bucket has {@link Permission#Write} permission for the * {@link GroupGrantee#AllUsers} group, anonymous clients can upload objects * to the bucket.</li> * </ul> * </p> * * @param encryptionMaterialsProvider * A provider for the encryption materials to be used to encrypt and decrypt data. * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} */ @Deprecated public AmazonS3EncryptionClient( EncryptionMaterialsProvider encryptionMaterialsProvider) { this(new StaticCredentialsProvider(new AnonymousAWSCredentials()), encryptionMaterialsProvider, configFactory.getConfig(), new CryptoConfiguration()); }
/** * <p> * Constructs a new Amazon S3 Encryption client that will make <b>anonymous</b> * requests to Amazon S3. If {@link #getObject(String, String)} is called, * the object contents will be decrypted with the encryption materials provided. * The encryption implementation of the provided crypto provider will be * used to encrypt and decrypt data. * </p> * <p> * Only a subset of the Amazon S3 API will work with anonymous * <i>(i.e. unsigned)</i> requests, but this can prove useful in some situations. * For example: * <ul> * <li>If an Amazon S3 bucket has {@link Permission#Read} permission for the * {@link GroupGrantee#AllUsers} group, anonymous clients can call * {@link #listObjects(String)} to see what objects are stored in a bucket.</li> * <li>If an object has {@link Permission#Read} permission for the * {@link GroupGrantee#AllUsers} group, anonymous clients can call * {@link #getObject(String, String)} and * {@link #getObjectMetadata(String, String)} to pull object content and * metadata.</li> * <li>If a bucket has {@link Permission#Write} permission for the * {@link GroupGrantee#AllUsers} group, anonymous clients can upload objects * to the bucket.</li> * </ul> * </p> * * @param encryptionMaterials * The encryption materials to be used to encrypt and decrypt data. * @param cryptoConfig * The crypto configuration whose parameters will be used to encrypt and decrypt data. * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCryptoConfiguration(CryptoConfiguration)} */ @Deprecated public AmazonS3EncryptionClient(EncryptionMaterials encryptionMaterials, CryptoConfiguration cryptoConfig) { this(new StaticEncryptionMaterialsProvider(encryptionMaterials), cryptoConfig); }
/** * <p> * Constructs a new Amazon S3 Encryption client that will make <b>anonymous</b> * requests to Amazon S3. If {@link #getObject(String, String)} is called, * the object contents will be decrypted with the encryption materials provided. * The encryption implementation of the provided crypto provider will be * used to encrypt and decrypt data. * </p> * <p> * Only a subset of the Amazon S3 API will work with anonymous * <i>(i.e. unsigned)</i> requests, but this can prove useful in some situations. * For example: * <ul> * <li>If an Amazon S3 bucket has {@link Permission#Read} permission for the * {@link GroupGrantee#AllUsers} group, anonymous clients can call * {@link #listObjects(String)} to see what objects are stored in a bucket.</li> * <li>If an object has {@link Permission#Read} permission for the * {@link GroupGrantee#AllUsers} group, anonymous clients can call * {@link #getObject(String, String)} and * {@link #getObjectMetadata(String, String)} to pull object content and * metadata.</li> * <li>If a bucket has {@link Permission#Write} permission for the * {@link GroupGrantee#AllUsers} group, anonymous clients can upload objects * to the bucket.</li> * </ul> * </p> * * @param encryptionMaterialsProvider * A provider for the encryption materials to be used to encrypt and decrypt data. * @param cryptoConfig * The crypto configuration whose parameters will be used to encrypt and decrypt data. * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCryptoConfiguration(CryptoConfiguration)} */ @Deprecated public AmazonS3EncryptionClient( EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { this(new StaticCredentialsProvider(new AnonymousAWSCredentials()), encryptionMaterialsProvider, configFactory.getConfig(), cryptoConfig); }
/** * <p> * Constructs a new Amazon S3 Encryption client using the specified AWS credentials to * access Amazon S3. Object contents will be encrypted and decrypted with the encryption * materials provided. * </p> * * @param credentials * The AWS credentials to use when making requests to Amazon S3 * with this client. * @param encryptionMaterialsProvider * A provider for the encryption materials to be used to encrypt and decrypt data. * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCredentials(AWSCredentialsProvider)} */ @Deprecated public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider) { this(credentials, encryptionMaterialsProvider, configFactory.getConfig(), new CryptoConfiguration()); }
/** * <p> * Constructs a new Amazon S3 Encryption client using the specified AWS credentials to * access Amazon S3. Object contents will be encrypted and decrypted with the encryption * materials provided. * </p> * * @param credentialsProvider * The AWS credentials provider which will provide credentials * to authenticate requests with AWS services. * @param encryptionMaterialsProvider * A provider for the encryption materials to be used to encrypt and decrypt data. * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCredentials(AWSCredentialsProvider)} */ @Deprecated public AmazonS3EncryptionClient( AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider) { this(credentialsProvider, encryptionMaterialsProvider, configFactory.getConfig(), new CryptoConfiguration()); }
/** * <p> * Constructs a new Amazon S3 Encryption client using the specified AWS credentials to * access Amazon S3. Object contents will be encrypted and decrypted with the encryption * materials provided. The encryption implementation of the provided crypto provider will * be used to encrypt and decrypt data. * </p> * * @param credentials * The AWS credentials to use when making requests to Amazon S3 * with this client. * @param encryptionMaterials * The encryption materials to be used to encrypt and decrypt data. * @param cryptoConfig * The crypto configuration whose parameters will be used to encrypt and decrypt data. * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCredentials(AWSCredentialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCryptoConfiguration(CryptoConfiguration)} */ @Deprecated public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterials encryptionMaterials, CryptoConfiguration cryptoConfig) { this(credentials, new StaticEncryptionMaterialsProvider( encryptionMaterials), cryptoConfig); }
/** * <p> * Constructs a new Amazon S3 Encryption client using the specified AWS credentials to * access Amazon S3. Object contents will be encrypted and decrypted with the encryption * materials provided. The encryption implementation of the provided crypto provider will * be used to encrypt and decrypt data. * </p> * * @param credentials * The AWS credentials to use when making requests to Amazon S3 * with this client. * @param encryptionMaterialsProvider * A provider for the encryption materials to be used to encrypt and decrypt data. * @param cryptoConfig * The crypto configuration whose parameters will be used to encrypt and decrypt data. * @deprecated use {@link AmazonS3EncryptionClientBuilder#withEncryptionMaterials(EncryptionMaterialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCredentials(AWSCredentialsProvider)} and * {@link AmazonS3EncryptionClientBuilder#withCryptoConfiguration(CryptoConfiguration)} */ @Deprecated public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { this(credentials, encryptionMaterialsProvider, configFactory.getConfig(), cryptoConfig); }
