Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)
AWS Documentation » Amazon Simple Storage Service (S3) » Developer Guide » Data Protection » Using Data Encryption » Using Client-Side Encryption » Specifying Client-Side Encryption Using the AWS SDK for Java
Print this pageEmail this pageGo to the ForumsView the PDFShare this page on TwitterShare this page on FacebookBookmark this page on DeliciousSubmit this page to RedditSubmit this page to DiggDid this page help you?  Yes  No   Tell us about it...

Specifying Client-Side Encryption Using the AWS SDK for Java

To encrypt and decrypt objects client-side for upload to Amazon S3, you can use the AmazonS3EncryptionClient class in the AWS SDK for Java. This class provides similar functionality as the non-encrypted AmazonS3Client class so upgrading existing code to use the encryption client is straightforward.

The AmazonS3EncryptionClient class requires that you initialize it with an EncryptionMaterials instance which describes your encryption keys (either asymmetric or symmetric) to use.

[Note]Note

If you get a cipher encryption error message when you use the encryption API for the first time, then your version of the JDK may have a Java Cryptography Extension (JCE) jurisdiction policy file that limits the maximum key length for encryption and decryption transformations to 128 bits. The AWS SDK requires a maximum key length of 256 bits. To check your maximum key length, use the getMaxAllowedKeyLength method of the javax.crypto.Cipher class. To remove the key length restriction, install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files at the Java SE download page.

Uploading and Retrieving a Client-Side Encrypted Object

1

Construct a new AWSCredentials object by providing your security credentials.

2Construct a new EncryptionMaterials object by providing asymmetric key pair.
3Use the AWSCredentials object and the EncryptionMaterials object to create a new AmazonS3EncryptionClient instance.
4Upload the object using the putObject method and retrieve the object using the getObject method. The client performs the necessary encryption and decryption.

The following Java code sample demonstrates the preceding tasks.

// Specify the asymmetric key pair to use.
KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA");
keyGenerator.initialize(1024, new SecureRandom());
KeyPair myKeyPair = keyGenerator.generateKeyPair();

// Construct an instance of AmazonS3EncryptionClient.
AWSCredentials credentials = new BasicAWSCredentials(myAccessKeyId, mySecretKey);
EncryptionMaterials encryptionMaterials = new EncryptionMaterials(myKeyPair);
AmazonS3EncryptionClient encryptedS3client = 
    new AmazonS3EncryptionClient(credentials, encryptionMaterials);

// Upload the object.
encryptedS3client.putObject(new PutObjectRequest(bucketName, key, createSampleFile()));
 
// Retrieve the object.
S3Object downloadedObject = encryptedS3client.getObject(bucketName, key);

Example

The following Java code example creates an asymmetric key pair and uses the key pair to upload an encrypted sample file to Amazon S3 and then retrieves the encrypted sample file. You must update the following sample and provide the correct credential information and bucket name.

[Note]Note

For demonstration, the following example creates an asymmetric key that is used for the duration the program execution. However, in a real world application, you should already have a key to provide to the client.

import java.io.*;
import java.security.*;
import java.security.spec.*;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.s3.AmazonS3EncryptionClient;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.PutObjectRequest;
import com.amazonaws.services.s3.model.S3Object;

public class S3ClientSideEncryptionTest {
    public static void main(String[] args) 
    throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
    	
        String myAccessKeyId = "***Provide Access Key ID***";
        String mySecretKey = "***Provide Secret Key***";
        String bucketName = "***Provide bucket name***";
        String key = "test.txt";
        String encryptionAlgorithm = "RSA";
        
        KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance(encryptionAlgorithm);
		keyGenerator.initialize(1024, new SecureRandom());
		KeyPair myKeyPair = keyGenerator.generateKeyPair();
        
        // Construct an instance of AmazonS3EncryptionClient.
        AWSCredentials credentials = new BasicAWSCredentials(myAccessKeyId, mySecretKey);
        EncryptionMaterials encryptionMaterials = new EncryptionMaterials(myKeyPair);
        AmazonS3EncryptionClient encryptedS3client = 
                            new AmazonS3EncryptionClient(credentials, encryptionMaterials);

        // Encrypt and upload a sample file to Amazon S3.
        encryptedS3client.putObject(new PutObjectRequest(bucketName, key, createSampleFile()));

        // Retrieve the file from Amazon S3 and decrypt.
        S3Object downloadedObject = encryptedS3client.getObject(bucketName, key);
    }

    private static File createSampleFile() throws IOException {
        File file = File.createTempFile("encryptiontest", ".txt");
        file.deleteOnExit();

        Writer writer = new OutputStreamWriter(new FileOutputStream(file));
        writer.write(new java.util.Date().toString()+"\n");
        writer.write("abcdefghijklmnopqrstuvwxyz\n");
        writer.write("01234567890112345678901234\n");
        writer.write("!@#$%^&*()-=[]{};':',.<>/?\n");
        writer.close();

        return file;
    }
}

Document Conventions
Terms of Use		Did this page help you?  Yes  No   Tell us about it...