* The encryption materials specified in the constructor will be used to * protect the CEK which is then stored along side with the S3 object. * * @deprecated Client-side encryption is deprecated. Please use one of * the following: * * a) For uploads, you can encrypt the file locally using an * algorithm of your choice and use the TransferUtility API to upload the * encrypted file to S3. For downloads, you can use the TransferUtility API to * download the file and then decrypt it using the algorithm that you used to * upload the file. * * b) ServerSideEncryption: There are multiple options available for * ServerSide Encryption. You can setup encryption at the S3 bucket level * using the AWS S3 console. When encryption is setup at the bucket level, * all objects in the bucket are encrypted. You can also use the AWS console * to encrypt individual objects after they have been uploaded. Another option * is to request ServerSide encryption for the object being uploaded * using the SDK. */ @Deprecated public class AmazonS3EncryptionClient extends AmazonS3Client implements AmazonS3Encryption { public static final String USER_AGENT = AmazonS3EncryptionClient.class.getName() + "/" + VersionInfoUtils.getVersion(); private final S3CryptoModule crypto; private final AWSKMSClient kms; /** * True if the a default KMS client is constructed, which will be shut down * when this instance of S3 encryption client is shutdown. False otherwise, * which means the users who provided the KMS client would be responsible * to shut down the KMS client. */ private final boolean isKMSClientInternal; // ///////////////////// Constructors //////////////// /** *
* Constructs a new Amazon S3 Encryption client that will make * anonymous requests to Amazon S3. If * {@link #getObject(String, String)} is called, the object contents will be * decrypted with the encryption materials provided. *
** Only a subset of the Amazon S3 API will work with anonymous (i.e. * unsigned) requests, but this can prove useful in some situations. For * example: *
* Constructs a new Amazon S3 Encryption client that will make * anonymous requests to Amazon S3. If * {@link #getObject(String, String)} is called, the object contents will be * decrypted with the encryption materials provided. *
** Only a subset of the Amazon S3 API will work with anonymous (i.e. * unsigned) requests, but this can prove useful in some situations. For * example: *
* Constructs a new Amazon S3 Encryption client that will make * anonymous requests to Amazon S3. If * {@link #getObject(String, String)} is called, the object contents will be * decrypted with the encryption materials provided. The encryption * implementation of the provided crypto provider will be used to encrypt * and decrypt data. *
** Only a subset of the Amazon S3 API will work with anonymous (i.e. * unsigned) requests, but this can prove useful in some situations. For * example: *
* Constructs a new Amazon S3 Encryption client that will make * anonymous requests to Amazon S3. If * {@link #getObject(String, String)} is called, the object contents will be * decrypted with the encryption materials provided. The encryption * implementation of the provided crypto provider will be used to encrypt * and decrypt data. *
** Only a subset of the Amazon S3 API will work with anonymous (i.e. * unsigned) requests, but this can prove useful in some situations. For * example: *
* Constructs a new Amazon S3 Encryption client using the specified AWS * credentials to access Amazon S3. Object contents will be encrypted and * decrypted with the encryption materials provided. *
* * @param credentials The AWS credentials to use when making requests to * Amazon S3 with this client. * @param encryptionMaterials The encryption materials to be used to encrypt * and decrypt data. */ public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterials encryptionMaterials) { this(credentials, new StaticEncryptionMaterialsProvider( encryptionMaterials)); } /** ** Constructs a new Amazon S3 Encryption client using the specified AWS * credentials to access Amazon S3. Object contents will be encrypted and * decrypted with the encryption materials provided. *
* * @param credentials The AWS credentials to use when making requests to * Amazon S3 with this client. * @param encryptionMaterialsProvider A provider for the encryption * materials to be used to encrypt and decrypt data. */ public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider) { this(credentials, encryptionMaterialsProvider, new ClientConfiguration(), new CryptoConfiguration()); } /** ** Constructs a new Amazon S3 Encryption client using the specified AWS * credentials to access Amazon S3. Object contents will be encrypted and * decrypted with the encryption materials provided. *
* * @param credentialsProvider The AWS credentials provider which will * provide credentials to authenticate requests with AWS * services. * @param encryptionMaterialsProvider A provider for the encryption * materials to be used to encrypt and decrypt data. */ public AmazonS3EncryptionClient( AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider) { this(credentialsProvider, encryptionMaterialsProvider, new ClientConfiguration(), new CryptoConfiguration()); } /** ** Constructs a new Amazon S3 Encryption client using the specified AWS * credentials to access Amazon S3. Object contents will be encrypted and * decrypted with the encryption materials provided. The encryption * implementation of the provided crypto provider will be used to encrypt * and decrypt data. *
* * @param credentials The AWS credentials to use when making requests to * Amazon S3 with this client. * @param encryptionMaterials The encryption materials to be used to encrypt * and decrypt data. * @param cryptoConfig The crypto configuration whose parameters will be * used to encrypt and decrypt data. */ public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterials encryptionMaterials, CryptoConfiguration cryptoConfig) { this(credentials, new StaticEncryptionMaterialsProvider( encryptionMaterials), cryptoConfig); } /** ** Constructs a new Amazon S3 Encryption client using the specified AWS * credentials to access Amazon S3. Object contents will be encrypted and * decrypted with the encryption materials provided. The encryption * implementation of the provided crypto provider will be used to encrypt * and decrypt data. *
* * @param credentials The AWS credentials to use when making requests to * Amazon S3 with this client. * @param encryptionMaterialsProvider A provider for the encryption * materials to be used to encrypt and decrypt data. * @param cryptoConfig The crypto configuration whose parameters will be * used to encrypt and decrypt data. */ public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { this(credentials, encryptionMaterialsProvider, new ClientConfiguration(), cryptoConfig); } /** ** Constructs a new Amazon S3 Encryption client using the specified AWS * credentials to access Amazon S3. Object contents will be encrypted and * decrypted with the encryption materials provided. The encryption * implementation of the provided crypto provider will be used to encrypt * and decrypt data. *
* * @param credentialsProvider The AWS credentials provider which will * provide credentials to authenticate requests with AWS * services. * @param encryptionMaterialsProvider A provider for the encryption * materials to be used to encrypt and decrypt data. * @param cryptoConfig The crypto configuration whose parameters will be * used to encrypt and decrypt data. */ public AmazonS3EncryptionClient( AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) { this(credentialsProvider, encryptionMaterialsProvider, new ClientConfiguration(), cryptoConfig); } /** ** Constructs a new Amazon S3 Encryption client using the specified AWS * credentials and client configuration to access Amazon S3. Object contents * will be encrypted and decrypted with the encryption materials provided. * The crypto provider and storage mode denoted in the specified crypto * configuration will be used to encrypt and decrypt data. *
* * @param credentials The AWS credentials to use when making requests to * Amazon S3 with this client. * @param encryptionMaterials The encryption materials to be used to encrypt * and decrypt data. * @param clientConfiguration The client configuration options controlling * how this client connects to Amazon S3 (ex: proxy settings, * retry counts, etc). * @param cryptoConfig The crypto configuration whose parameters will be * used to encrypt and decrypt data. * @throws IllegalArgumentException If either of the encryption materials or * crypto configuration parameters are null. */ public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterials encryptionMaterials, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) { this(credentials, new StaticEncryptionMaterialsProvider( encryptionMaterials), clientConfig, cryptoConfig); } public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) { this(new StaticCredentialsProvider(credentials), encryptionMaterialsProvider, clientConfig, cryptoConfig); } public AmazonS3EncryptionClient( AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) { this(credentialsProvider, kekMaterialsProvider, clientConfig, cryptoConfig, null // request metric collector ); } public AmazonS3EncryptionClient( AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector) { this(null, // KMS client credentialsProvider, kekMaterialsProvider, clientConfig, cryptoConfig, requestMetricCollector); } public AmazonS3EncryptionClient(AWSKMSClient kms, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector) { super(credentialsProvider, clientConfig, requestMetricCollector); assertParameterNotNull(kekMaterialsProvider, "EncryptionMaterialsProvider parameter must not be null."); assertParameterNotNull(cryptoConfig, "CryptoConfiguration parameter must not be null."); this.isKMSClientInternal = kms == null; this.kms = isKMSClientInternal ? newAWSKMSClient(credentialsProvider, clientConfig, cryptoConfig, requestMetricCollector) : kms; this.crypto = new CryptoModuleDispatcher(this.kms, new S3DirectImpl(), credentialsProvider, kekMaterialsProvider, cryptoConfig); } /** * Creates and returns a new instance of AWS KMS client in the case when * an explicit AWS KMS client is not specified. */ private AWSKMSClient newAWSKMSClient( AWSCredentialsProvider credentialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector ) { final AWSKMSClient kmsClient = new AWSKMSClient( credentialsProvider, clientConfig, requestMetricCollector); final Region kmsRegion = cryptoConfig.getAwsKmsRegion(); if (kmsRegion != null) kmsClient.setRegion(kmsRegion); return kmsClient; } private void assertParameterNotNull(Object parameterValue, String errorMessage) { if (parameterValue == null) { throw new IllegalArgumentException(errorMessage); } } /** * {@inheritDoc} ** Use {@link EncryptedPutObjectRequest} to specify materialsDescription for * the EncryptionMaterials to be used for this * request.AmazonS3EncryptionClient would use * {@link EncryptionMaterialsProvider#getEncryptionMaterials(java.util.Map)} * to retrieve encryption materials corresponding to the * materialsDescription specified in the current request. *
*/ @Override public PutObjectResult putObject(PutObjectRequest req) { return crypto.putObjectSecurely(req.clone()); } @Override public S3Object getObject(GetObjectRequest req) { return crypto.getObjectSecurely(req); } @Override public ObjectMetadata getObject(GetObjectRequest req, File dest) { return crypto.getObjectSecurely(req, dest); } @Override public void deleteObject(DeleteObjectRequest req) { req.getRequestClientOptions().appendUserAgent(USER_AGENT); // Delete the object super.deleteObject(req); // If it exists, delete the instruction file. InstructionFileId ifid = new S3ObjectId(req.getBucketName(), req.getKey()).instructionFileId(); DeleteObjectRequest instructionDeleteRequest = (DeleteObjectRequest) req.clone(); instructionDeleteRequest.withBucketName(ifid.getBucket()).withKey(ifid.getKey()); super.deleteObject(instructionDeleteRequest); } @Override public CompleteMultipartUploadResult completeMultipartUpload( CompleteMultipartUploadRequest req) { return crypto.completeMultipartUploadSecurely(req); } /** * {@inheritDoc} ** Use {@link EncryptedInitiateMultipartUploadRequest} to specify * materialsDescription for the EncryptionMaterials to be used for this * request. AmazonS3EncryptionClient would use * {@link EncryptionMaterialsProvider#getEncryptionMaterials(java.util.Map)} * to retrieve encryption materials corresponding to the * materialsDescription specified in the current request. *
*/ @Override public InitiateMultipartUploadResult initiateMultipartUpload( InitiateMultipartUploadRequest req) { boolean isCreateEncryptionMaterial = true; if (req instanceof EncryptedInitiateMultipartUploadRequest) { EncryptedInitiateMultipartUploadRequest cryptoReq = (EncryptedInitiateMultipartUploadRequest) req; isCreateEncryptionMaterial = cryptoReq.isCreateEncryptionMaterial(); } return isCreateEncryptionMaterial ? crypto.initiateMultipartUploadSecurely(req) : super.initiateMultipartUpload(req) ; } /** * {@inheritDoc} ** NOTE: Because the encryption process requires context from block * N-1 in order to encrypt block N, parts uploaded with the * AmazonS3EncryptionClient (as opposed to the normal AmazonS3Client) must * be uploaded serially, and in order. Otherwise, the previous encryption * context isn't available to use when encrypting the current part. */ @Override public UploadPartResult uploadPart(UploadPartRequest uploadPartRequest) throws AmazonClientException, AmazonServiceException { return crypto.uploadPartSecurely(uploadPartRequest); } @Override public CopyPartResult copyPart(CopyPartRequest copyPartRequest) { return crypto.copyPartSecurely(copyPartRequest); } @Override public void abortMultipartUpload(AbortMultipartUploadRequest req) { crypto.abortMultipartUploadSecurely(req); } /** * Creates a new crypto instruction file by re-encrypting the CEK of an * existing encrypted S3 object with a new encryption material identifiable * via a new set of material description. *
* User of this method is responsible for explicitly deleting/updating the * instruction file so created should the corresponding S3 object is * deleted/created. * * @return the result of the put (instruction file) operation. */ public PutObjectResult putInstructionFile(PutInstructionFileRequest req) { return crypto.putInstructionFileSecurely(req); } /** * {@inheritDoc} *
* If the a default internal KMS client has been constructed, it will also be * shut down by calling this method. * Otherwise, users who provided the KMS client would be responsible to * shut down the KMS client extrinsic to this method. */ @Override public void shutdown() { super.shutdown(); if (isKMSClientInternal) kms.shutdown(); } // /////////////////// Access to the methods in the super class ////////// /** * An internal implementation used to provide limited but direct access to * the underlying methods of AmazonS3Client without any encryption or * decryption operations. */ private final class S3DirectImpl extends S3Direct { @Override public PutObjectResult putObject(PutObjectRequest req) { return AmazonS3EncryptionClient.super.putObject(req); } @Override public S3Object getObject(GetObjectRequest req) { return AmazonS3EncryptionClient.super.getObject(req); } @Override public ObjectMetadata getObject(GetObjectRequest req, File dest) { return AmazonS3EncryptionClient.super.getObject(req, dest); } @Override public CompleteMultipartUploadResult completeMultipartUpload( CompleteMultipartUploadRequest req) { return AmazonS3EncryptionClient.super.completeMultipartUpload(req); } @Override public InitiateMultipartUploadResult initiateMultipartUpload( InitiateMultipartUploadRequest req) { return AmazonS3EncryptionClient.super.initiateMultipartUpload(req); } @Override public UploadPartResult uploadPart(UploadPartRequest req) throws AmazonClientException, AmazonServiceException { return AmazonS3EncryptionClient.super.uploadPart(req); } @Override public CopyPartResult copyPart(CopyPartRequest req) { return AmazonS3EncryptionClient.super.copyPart(req); } @Override public void abortMultipartUpload(AbortMultipartUploadRequest req) { AmazonS3EncryptionClient.super.abortMultipartUpload(req); } } /** * Used to encrypt data first to disk with pipelined concurrent multi-part * uploads to S3. This method enables significant speed-up of encrypting and * uploading large payloads to Amazon S3 via pipelining and parallel uploads * by consuming temporary disk space. *
* There are many ways you can customize the behavior of this method, * including *
* A request is handled with the following life cycle, calling the necessary * Service Provider Interface: *
UploadObjectObserverUploadObjectObserverMultiFileOutputStream