Not getting client-side encryption with .NET S3


Problem description

I have started using the SDK from AWS for S3, and everything says I should be getting client-side encryption for the uploads, but when I check it with S3 Browser it only shows server-side encryption. What am I doing wrong?

I am using amazon's encryption key service and the user has full rights to encrypt using those keys.

Thanks!

using System;
using System.Security.Cryptography;
using Amazon.S3;
using Amazon.S3.Encryption;
using Amazon.S3.Model;

class Program
{
    static string bucketName = "mybucket";
    // Envelope key is wrapped with a freshly generated local RSA key pair
    static EncryptionMaterials encryptionMaterials = new EncryptionMaterials(RSA.Create());
    static AmazonS3EncryptionClient client = new AmazonS3EncryptionClient(Amazon.RegionEndpoint.USWest2, encryptionMaterials);

    static void Main(string[] args)
    {
        using (client)
        {
            try
            {
                PutObjectRequest putRequest1 = new PutObjectRequest
                {
                    BucketName = bucketName,
                    FilePath = @"C:\abc\def.pdf",
                    Key = "def.pdf",
                    ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS
                };
                client.PutObject(putRequest1);
            }
            catch (AmazonS3Exception ex)
            {
                Console.WriteLine(ex.Message);
            }
        }
    }
}

Recommended answer

I had the same problem several months ago but this was solved by introducing SymmetricAlgorithm and ICryptoTransform implementations to support KMS. These transparently encrypt and decrypt the envelope key using the KMS service and the specified CMK.

// SymmetricAlgorithm stand-in: the "key" operations are delegated to KMS,
// so only the parameterless CreateEncryptor/CreateDecryptor are meaningful.
public class KMSAlgorithm : SymmetricAlgorithm
{
    private IAmazonKeyManagementService _client;
    private string _keyId;

    public KMSAlgorithm(IAmazonKeyManagementService client)
    {
        this._client = client;
    }

    public KMSAlgorithm(IAmazonKeyManagementService client, string keyId)
        : this(client)
    {
        this._keyId = keyId;
    }

    public override ICryptoTransform CreateDecryptor()
    {
        return new KMSCryptoTransform.Decryptor(_client);
    }

    public override ICryptoTransform CreateDecryptor(byte[] rgbKey, byte[] rgbIV)
    {
        throw new NotImplementedException();
    }

    public override ICryptoTransform CreateEncryptor()
    {
        return new KMSCryptoTransform.Encryptor(_client, _keyId);
    }

    public override ICryptoTransform CreateEncryptor(byte[] rgbKey, byte[] rgbIV)
    {
        throw new NotImplementedException();
    }

    public override void GenerateIV()
    {
        throw new NotImplementedException();
    }

    public override void GenerateKey()
    {
        throw new NotImplementedException();
    }
}

// One-shot transform: the whole envelope key arrives in TransformFinalBlock,
// so block-wise TransformBlock is never used by the encryption client.
public abstract class KMSCryptoTransform : ICryptoTransform
{
    protected IAmazonKeyManagementService _client;
    protected string _keyId;

    public KMSCryptoTransform(IAmazonKeyManagementService client)
    {
        this._client = client;
    }

    public KMSCryptoTransform(IAmazonKeyManagementService client, string keyId)
        : this(client)
    {
        this._keyId = keyId;
    }

    public bool CanReuseTransform
    {
        get { return true; }
    }

    public bool CanTransformMultipleBlocks
    {
        get { return false; }
    }

    public int InputBlockSize
    {
        get { throw new NotImplementedException(); }
    }

    public int OutputBlockSize
    {
        get { throw new NotImplementedException(); }
    }

    public int TransformBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
    {
        throw new NotImplementedException();
    }

    public abstract byte[] TransformFinalBlock(byte[] inputBuffer, int inputOffset, int inputCount);

    public void Dispose()
    {

    }

    public class Decryptor : KMSCryptoTransform
    {
        public Decryptor(IAmazonKeyManagementService client)
            : base(client) { }

        // Input is the KMS ciphertext blob of the envelope key; the CMK is
        // identified inside the blob, so no key id is needed here.
        public override byte[] TransformFinalBlock(byte[] inputBuffer, int inputOffset, int inputCount)
        {
            return _client.Decrypt(new DecryptRequest()
            {
                CiphertextBlob = new MemoryStream(inputBuffer, inputOffset, inputCount)
            }).Plaintext.ToArray();
        }
    }

    public class Encryptor : KMSCryptoTransform
    {
        public Encryptor(IAmazonKeyManagementService client, string keyId)
            : base(client, keyId) { }

        // Input is the plaintext envelope key; KMS wraps it under _keyId.
        public override byte[] TransformFinalBlock(byte[] inputBuffer, int inputOffset, int inputCount)
        {
            return _client.Encrypt(new EncryptRequest()
            {
                KeyId = _keyId,
                Plaintext = new MemoryStream(inputBuffer, inputOffset, inputCount)
            }).CiphertextBlob.ToArray();
        }
    }
}

This KMSAlgorithm was used in place of Aes.Create() in the EncryptionMaterials constructor, which was in turn used in the AmazonS3EncryptionClient constructor like so.

var client = AWSClientFactory.CreateAmazonKeyManagementServiceClient();
using (var algorithm = new KMSAlgorithm(client, "CustomerMasterKeyIdOrAlias"))
{
    var materials = new EncryptionMaterials(algorithm);
    var s3client = new AmazonS3EncryptionClient(materials);

    s3client.PutObject(new PutObjectRequest()
    {
        BucketName = "YourBucketName",
        Key = "YourKeyName",
        InputStream = new MemoryStream(Encoding.Default.GetBytes("Secret Message")),
    });
}

using (var algorithm = new KMSAlgorithm(client))
{
    var materials = new EncryptionMaterials(algorithm);
    var s3client = new AmazonS3EncryptionClient(materials);

    var obj = s3client.GetObject(new GetObjectRequest()
    {
        BucketName = "YourBucketName",
        Key = "YourKeyName"
    });
}

Notice that the CMK id or alias doesn't have to be explicitly specified to decrypt the envelope key, only to encrypt it.

This answer was also posted on the Amazon Web Services developer forum.
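An added check, not part of either post, for telling the two encryption layers apart. AmazonS3EncryptionClient records the wrapped envelope key, IV and material description as user metadata on the object, while tools such as S3 Browser only surface the server-side encryption header, which is what caused the confusion in the question. It assumes AWSSDK.S3 with credentials and region from the default chain; the metadata names are the ones the S3 encryption clients write (x-amz-key for the V1 wrapped key, x-amz-key-v2 for V2), and the bucket and key are placeholders.

```csharp
using System;
using System.Linq;
using Amazon.S3;
using Amazon.S3.Model;

// Reports, for one object, whether it carries the client-side envelope
// metadata written by AmazonS3EncryptionClient, independently of any SSE.
// A plain AmazonS3Client is used on purpose: we want the raw metadata,
// not a transparent decrypt.
public static class EncryptionLayerCheck
{
    // Assumption: user-metadata names used by the S3 encryption clients.
    static readonly string[] EnvelopeMetadata =
    {
        "x-amz-key", "x-amz-key-v2", "x-amz-iv", "x-amz-matdesc", "x-amz-cek-alg", "x-amz-wrap-alg"
    };

    public static bool IsClientSideEncrypted(IAmazonS3 s3, string bucket, string key)
    {
        var meta = s3.GetObjectMetadata(new GetObjectMetadataRequest
        {
            BucketName = bucket,
            Key = key
        });

        // MetadataCollection exposes user metadata under the x-amz-meta- prefix.
        var present = EnvelopeMetadata
            .Where(name => meta.Metadata.Keys.Contains("x-amz-meta-" + name))
            .ToList();

        var sse = meta.ServerSideEncryptionMethod;
        Console.WriteLine($"{bucket}/{key}");
        Console.WriteLine($"  server-side encryption: {(sse == null ? "none" : sse.Value)}");
        Console.WriteLine($"  envelope metadata     : {(present.Any() ? string.Join(", ", present) : "none")}");

        // Without a V1 or V2 wrapped key the object cannot be decrypted client-side.
        return present.Contains("x-amz-key") || present.Contains("x-amz-key-v2");
    }

    public static void Main()
    {
        using (var s3 = new AmazonS3Client()) // region and credentials from the default chain
        {
            // Placeholders: use the bucket and key written by the encryption client.
            bool cse = IsClientSideEncrypted(s3, "YourBucketName", "YourKeyName");
            Console.WriteLine(cse ? "client-side envelope present" : "no client-side envelope found");
        }
    }
}
```

An object uploaded with the question's code should show both an SSE value of aws:kms and the envelope metadata; seeing only the former means the upload went through a plain AmazonS3Client.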

