Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Specifying Server-Side Encryption Using the AWS SDK for .NET

When using the AWS SDK for .NET to upload an object, you can call the WithServerSideEncryptionMethod method of the PutObjectRequest to set the x-amz-server-side-encryption request header (see Specifying Server-Side Encryption Using REST API). When you then call the PutObject method of the AmazonS3 client, as shown in the following C# code sample, Amazon S3 encrypts the data before saving it.

using Amazon.S3;
using Amazon.S3.Model;

static AmazonS3 client;
client = new AmazonS3Client(accessKeyID, secretAccessKeyID);

// Request server-side encryption on the put; the SDK sends this as the
// x-amz-server-side-encryption request header.
PutObjectRequest request = new PutObjectRequest();
request.WithContentBody("Object data for simple put.")
    .WithBucketName(bucketName)
    .WithKey(keyName)
    .WithServerSideEncryptionMethod(ServerSideEncryptionMethod.AES256);

S3Response response = client.PutObject(request);

// Check the response header to determine if the object is encrypted.
ServerSideEncryptionMethod destinationObjectEncryptionStatus = response.ServerSideEncryptionMethod;

In response, Amazon S3 returns the encryption algorithm that is used to encrypt your object data, which you can check using the ServerSideEncryptionMethod property.

For a working sample of how to upload an object, see Upload an Object Using the AWS SDK for .NET. For server-side encryption, set the ServerSideEncryptionMethod property by calling the WithServerSideEncryptionMethod method.

To upload large objects using the multipart upload API, you can specify server-side encryption for the objects that you are uploading.

  • When using the low-level multipart upload API (see Using the Low-Level .NET API for Multipart Upload) to upload a large object, you can specify server-side encryption in your InitiateMultipartUpload request. That is, you set the ServerSideEncryptionMethod property on your InitiateMultipartUploadRequest by calling the WithServerSideEncryptionMethod method.

  • When using the high-level multipart upload API (see Using the High-Level .NET API for Multipart Upload), the TransferUtility class provides methods (Upload and UploadDirectory) to upload objects. In this case, you can request server-side encryption using the TransferUtilityUploadRequest and the TransferUtilityUploadDirectoryRequest objects.
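The following added example (not code from the Developer Guide) shows both multipart paths described above with server-side encryption requested, and then confirms the stored object's encryption state from its metadata instead of trusting the request setting. It assumes the AWS SDK for .NET 1.x fluent With* API used on this page; the bucket, key and file path values are placeholders, and the WithServerSideEncryptionMethod method on TransferUtilityUploadRequest is assumed from the text's description rather than copied from it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Amazon.S3;
using Amazon.S3.Model;
using Amazon.S3.Transfer;

// Added example; assumes the SDK 1.x fluent API. Not part of the Developer Guide.
class MultipartSseExample
{
    const long PartSize = 5 * 1024 * 1024; // 5 MB, the S3 minimum for every part but the last

    // Low-level API: SSE is requested once, when the upload is initiated. The setting
    // travels with the upload ID, so the individual UploadPart calls do not repeat it.
    static void UploadLowLevel(AmazonS3 client, string bucketName, string keyName, string filePath)
    {
        InitiateMultipartUploadResponse initResponse = client.InitiateMultipartUpload(
            new InitiateMultipartUploadRequest()
                .WithBucketName(bucketName)
                .WithKey(keyName)
                .WithServerSideEncryptionMethod(ServerSideEncryptionMethod.AES256));

        List<UploadPartResponse> partResponses = new List<UploadPartResponse>();
        try
        {
            long contentLength = new FileInfo(filePath).Length;
            long filePosition = 0;
            for (int partNumber = 1; filePosition < contentLength; partNumber++)
            {
                UploadPartRequest partRequest = new UploadPartRequest()
                    .WithBucketName(bucketName)
                    .WithKey(keyName)
                    .WithUploadId(initResponse.UploadId)
                    .WithPartNumber(partNumber)
                    .WithPartSize(PartSize)
                    .WithFilePosition(filePosition)
                    .WithFilePath(filePath);
                partResponses.Add(client.UploadPart(partRequest));
                filePosition += PartSize;
            }

            client.CompleteMultipartUpload(new CompleteMultipartUploadRequest()
                .WithBucketName(bucketName)
                .WithKey(keyName)
                .WithUploadId(initResponse.UploadId)
                .WithPartETags(partResponses));
        }
        catch (Exception)
        {
            // Abort on failure so already-uploaded parts are not left behind in the bucket.
            client.AbortMultipartUpload(new AbortMultipartUploadRequest()
                .WithBucketName(bucketName)
                .WithKey(keyName)
                .WithUploadId(initResponse.UploadId));
            throw;
        }
    }

    // High-level API: TransferUtility splits the file into parts itself; SSE is requested
    // on the TransferUtilityUploadRequest (method name assumed from the page's description).
    static void UploadHighLevel(AmazonS3 client, string bucketName, string keyName, string filePath)
    {
        TransferUtility transferUtility = new TransferUtility(client);
        TransferUtilityUploadRequest uploadRequest = new TransferUtilityUploadRequest()
            .WithBucketName(bucketName)
            .WithKey(keyName)
            .WithFilePath(filePath)
            .WithServerSideEncryptionMethod(ServerSideEncryptionMethod.AES256);
        transferUtility.Upload(uploadRequest);
    }

    // Verify the result the same way for both paths: read the stored object's metadata.
    static bool IsEncrypted(AmazonS3 client, string bucketName, string keyName)
    {
        GetObjectMetadataResponse metadata = client.GetObjectMetadata(
            new GetObjectMetadataRequest().WithBucketName(bucketName).WithKey(keyName));
        return metadata.ServerSideEncryptionMethod == ServerSideEncryptionMethod.AES256;
    }

    static void Main()
    {
        // Credentials from the environment; bucket, keys and path are placeholders.
        AmazonS3 client = new AmazonS3Client(
            Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"),
            Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY"));
        string bucketName = "example-bucket-placeholder";
        string filePath = @"C:\data\large-file.bin";

        UploadLowLevel(client, bucketName, "lowlevel/large-file.bin", filePath);
        UploadHighLevel(client, bucketName, "highlevel/large-file.bin", filePath);

        Console.WriteLine("low-level upload encrypted: " + IsEncrypted(client, bucketName, "lowlevel/large-file.bin"));
        Console.WriteLine("high-level upload encrypted: " + IsEncrypted(client, bucketName, "highlevel/large-file.bin"));
    }
}
```

The abort in the low-level path matters operationally: parts of an incomplete multipart upload stay in the bucket (and are billed) until the upload is completed or aborted, so an upload that fails midway should clean up rather than silently leave partial data behind.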

Determining Encryption Algorithm Used

To determine the encryption state of an existing object, you can retrieve the object metadata as shown in the following C# code sample.

using Amazon.S3;
using Amazon.S3.Model;

AmazonS3 client;
client = new AmazonS3Client(accessKeyID, secretAccessKeyID);

ServerSideEncryptionMethod objectEncryption;

// A HEAD request for the object; the encryption algorithm is returned in the
// x-amz-server-side-encryption response header and surfaced as a property.
GetObjectMetadataRequest metadataRequest = new GetObjectMetadataRequest()
                                               .WithBucketName(bucketName)
                                               .WithKey(keyName);

objectEncryption = client.GetObjectMetadata(metadataRequest)
                                   .ServerSideEncryptionMethod;

The encryption algorithm is reported as a ServerSideEncryptionMethod enum value. If the stored object is not encrypted (the default behavior), the ServerSideEncryptionMethod property of the object is None.

Changing Server-Side Encryption of an Existing Object (Copy Operation)

To change the encryption state of an existing object, you can make a copy of the object and delete the source object. Note that by default the copy API does not encrypt the target; you must explicitly request server-side encryption for the destination object. The following C# code sample makes a copy of an object and explicitly specifies server-side encryption for the destination object.

using Amazon.S3;
using Amazon.S3.Model;

AmazonS3 client;
client = new AmazonS3Client(accessKeyID, secretAccessKeyID);

// Encryption is not inherited from the source: request it on the copy explicitly.
CopyObjectResponse response = client.CopyObject(new CopyObjectRequest()
            .WithSourceBucket(sourceBucketName)
            .WithSourceKey(sourceObjectKey)
            .WithDestinationBucket(targetBucketName)
            .WithDestinationKey(targetObjectKey)
            .WithServerSideEncryptionMethod(ServerSideEncryptionMethod.AES256)
);
// Check the response header to determine if the object is encrypted.
ServerSideEncryptionMethod destinationObjectEncryptionStatus = response.ServerSideEncryptionMethod;

For a working sample of how to copy an object, see Copy an Object Using the AWS SDK for .NET. You can specify server-side encryption in the CopyObjectRequest object as shown in the preceding code sample.
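The following added example (not code from the Developer Guide) ties together the two preceding sections: it generalizes the single-object metadata check to a whole bucket listing, collecting every key whose ServerSideEncryptionMethod is None, and then applies the copy-then-delete procedure to each one, deleting the source only after the copy response confirms the destination is encrypted. It assumes the AWS SDK for .NET 1.x fluent With* API used on this page; ListObjectsRequest, ListObjectsResponse, S3Object and DeleteObjectRequest are SDK types not shown on the page, and the bucket names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Amazon.S3;
using Amazon.S3.Model;

// Added example; assumes the SDK 1.x fluent API. Not part of the Developer Guide.
class SseAuditExample
{
    // The page's check: the encryption algorithm comes from the object's metadata,
    // and None means the object is stored unencrypted.
    static ServerSideEncryptionMethod GetEncryption(AmazonS3 client, string bucketName, string keyName)
    {
        return client.GetObjectMetadata(new GetObjectMetadataRequest()
            .WithBucketName(bucketName)
            .WithKey(keyName)).ServerSideEncryptionMethod;
    }

    // Generalization of that check to a bucket or prefix: page through the listing
    // and collect every key that is not server-side encrypted.
    static List<string> FindUnencryptedKeys(AmazonS3 client, string bucketName, string prefix)
    {
        List<string> unencrypted = new List<string>();
        string marker = null;
        while (true)
        {
            ListObjectsResponse listResponse = client.ListObjects(new ListObjectsRequest()
                .WithBucketName(bucketName)
                .WithPrefix(prefix)
                .WithMarker(marker));

            foreach (S3Object entry in listResponse.S3Objects)
            {
                if (GetEncryption(client, bucketName, entry.Key) == ServerSideEncryptionMethod.None)
                    unencrypted.Add(entry.Key);
            }

            if (!listResponse.IsTruncated || listResponse.S3Objects.Count == 0)
                break;
            // Without a delimiter S3 returns no NextMarker, so continue from the last key seen.
            marker = listResponse.S3Objects[listResponse.S3Objects.Count - 1].Key;
        }
        return unencrypted;
    }

    // The page's procedure for changing encryption state: copy with SSE requested
    // explicitly (copy does not encrypt the target by default), then delete the source.
    // The source is removed only once the copy response reports the destination encrypted.
    static void ReencryptObject(AmazonS3 client, string sourceBucket, string sourceKey,
                                string targetBucket, string targetKey)
    {
        CopyObjectResponse copyResponse = client.CopyObject(new CopyObjectRequest()
            .WithSourceBucket(sourceBucket)
            .WithSourceKey(sourceKey)
            .WithDestinationBucket(targetBucket)
            .WithDestinationKey(targetKey)
            .WithServerSideEncryptionMethod(ServerSideEncryptionMethod.AES256));

        if (copyResponse.ServerSideEncryptionMethod != ServerSideEncryptionMethod.AES256)
            throw new InvalidOperationException(
                "Copy of " + sourceKey + " is not encrypted; source object left in place.");

        client.DeleteObject(new DeleteObjectRequest()
            .WithBucketName(sourceBucket)
            .WithKey(sourceKey));
    }

    static void Main()
    {
        // Credentials from the environment; bucket names are placeholders.
        AmazonS3 client = new AmazonS3Client(
            Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"),
            Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY"));
        string sourceBucket = "source-bucket-placeholder";
        string targetBucket = "encrypted-bucket-placeholder";

        foreach (string key in FindUnencryptedKeys(client, sourceBucket, ""))
        {
            Console.WriteLine("Unencrypted object: " + key);
            ReencryptObject(client, sourceBucket, key, targetBucket, key);
        }
    }
}
```

Each object in the listing costs one GetObjectMetadata call, so on a large bucket the audit is I/O bound; restricting it with a prefix keeps the run bounded. Throwing before the delete, rather than after, is the point of the check in ReencryptObject: a copy that came back unencrypted must never cause the only remaining copy of the data to be removed.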