What is the right way to create a SSECustomerKey for boto3 file encryption in python?


Problem description

I am using boto3 with my django application to upload media to S3. But I am having trouble encrypting the files on the server using "Server Side Encryption using Customer Provided Encryption Keys".

I'm using boto3's object.put() api to upload files and specify the encryption keys. But I am getting the following error.

"The calculated MD5 hash of the key did not match the hash that was provided."

I am not sure how to create the md5 of the key that will match on the server side. Here is my code.

import hashlib

import boto3

password = "32characterslongpassphraseneeded".encode('utf-8')
# Both values below are hex strings; this is the code that produces the error above.
encryption_key = hashlib.md5(password).hexdigest()
encryption_key_md5 = hashlib.md5(encryption_key.encode('utf-8')).hexdigest()

s3 = boto3.resource('s3')
# bucket_name, key_name and file_obj are defined elsewhere in the application.
key = s3.Object(bucket_name, key_name)
kwargs = {
    'SSECustomerAlgorithm': 'AES256',
    'SSECustomerKey': encryption_key,
    'SSECustomerKeyMD5': encryption_key_md5,
    'ContentType': file_obj.content_type,
    'Body': file_obj,
}

key.put(**kwargs)

I am utilizing the same s3 api through a php client and it works fine.

$name = "somename";
$customerKey = md5($name);
$s3->putObject([
    'Bucket' => S3_BUCKET,
    'Key'    => "scope/{$name}",
    'Body'   => fopen($tmp_file_path, 'rb'),
    'ACL'    => S3_ACL,
    'SSECustomerAlgorithm' => 'AES256',
    'SSECustomerKey'       => $customerKey,
    // Second argument true: raw 16-byte digest instead of 32 hex characters.
    'SSECustomerKeyMD5'    => md5($customerKey, true),
]);

The only difference I see here is that php's md5 method can take a second argument which, if true, returns a 16 character long digest as compared to the normal 32 character long digest. Now I don't know how to create a 16 character long digest using hashlib.md5.

Recommended answer

The right way is to use os.urandom

import os
secret_key = os.urandom(32) # The key needs to be 32 characters long.

And one doesn't need to provide SSECustomerKeyMD5 as boto3 calculates it for you.

And also SSE-C doesn't work right in key.put; as of now, I don't know for what reasons. One has to do it this way.

import boto3
s3 = boto3.client('s3')
# With the client API, kwargs must also include Bucket and Key.
s3.put_object(**kwargs)
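The encoding behind the error in the question, as an added example that is not part of the original question or answer: S3 documents the SSE-C key header as the base64 of the raw 32-byte key and the MD5 header as the base64 of the raw 16-byte digest, which is what PHP's md5($key, true) returns before the SDK encodes it. The function names and `md5_field_matches` (a local model of the comparison, not S3's code) are hypothetical.

```python
import base64
import hashlib
import os


def sse_c_fields(key: bytes) -> dict:
    """Encode a raw 32-byte key the way the SSE-C request headers carry it."""
    if len(key) != 32:
        raise ValueError("AES256 SSE-C needs exactly 32 key bytes")
    digest = hashlib.md5(key).digest()  # 16 raw bytes, like PHP md5($key, true)
    return {
        "SSECustomerAlgorithm": "AES256",
        "SSECustomerKey": base64.b64encode(key).decode("ascii"),
        "SSECustomerKeyMD5": base64.b64encode(digest).decode("ascii"),
    }


def question_fields(password: bytes) -> dict:
    """The values built by the question's code: hex text for key and MD5."""
    key_hex = hashlib.md5(password).hexdigest()
    return {
        "SSECustomerAlgorithm": "AES256",
        "SSECustomerKey": key_hex,
        "SSECustomerKeyMD5": hashlib.md5(key_hex.encode("utf-8")).hexdigest(),
    }


def md5_field_matches(fields: dict) -> bool:
    """Local model of the receiver's check: decode both fields, compare digests."""
    try:
        key = base64.b64decode(fields["SSECustomerKey"], validate=True)
        sent = base64.b64decode(fields["SSECustomerKeyMD5"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hashlib.md5(key).digest() == sent


def boto3_sse_c_kwargs(key: bytes) -> dict:
    """What to hand boto3: the raw key only, so boto3 derives the encoded values."""
    return {"SSECustomerAlgorithm": "AES256", "SSECustomerKey": key}


if __name__ == "__main__":
    key = os.urandom(32)  # per the answer; keep it, the same key is needed to read the object
    print(sse_c_fields(key))
    print("question's values pass the check:",
          md5_field_matches(question_fields(b"32characterslongpassphraseneeded")))
```

The hex strings from the question decode as base64 to 24 bytes each, so the digest comparison cannot succeed; passing only the raw key, as the answer says, avoids hand-encoding either field.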
