S3 Encrypted Client #809
Hey Guys, Any update on this? Is this related to http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html? I see that the javascript library does not yet support Client Side Encryption
Hi @leore, This PR isn't ready to be merged in at the moment, both because the last commit had some failing tests and because it doesn't seem possible to use it in a browser. I see that files over one megabyte are decrypted into a temp file, and I'm not sure what the performance characteristics of doing that through filesystem-browserify would be.
What is the best way to do client side encryption through node?
+1 Very much need this to decrypt data uploaded from a java client using symmetric client side encryption in my nodejs server. Only option I see right now is trying to reverse engineer whatever was done in Java.
message: msg | ||
}); | ||
} | ||
break; |
would be great to support buffers as key
+1 This is a critical feature needed. If Amazon wanted to allow easy adoption they should have a technical solution, either blog on how to accomplish decrypting or include in sdk. I'm using this PR and it is working perfectly. Thanks for making this available.
Thanks @andylibrian for pointing out that the decryption may fail sometimes on the According to the documentation:
As suggested, I've wrapped it with a try/catch to silence the error (temporarily). If anyone has a more proper solution, feel free to contribute.
Alternatively, if you have 'being able to do ranged GET' among your requirements, stream-cipher can be used for client side encryption (node.js).
Thanks for getting the conversation started. We have been investigating a separate encryption client where this functionality would better live.
Oh, I think I did more than just start the conversation, if you were willing to give me credit ;)
The code contributed as a pull request in 2015 is now available as a separate module:
This request is a direct follow-up to the issue #800, raised a few days ago.
As previously mentioned, I used the Ruby lib as a basis to reconstruct the logic for the JavaScript lib. Certain liberties were taken, some related with the JavaScript syntax and some with the existing conventions of the AWS SDK; the linting script was responsible for a few tweaks as well.
Please note, the new code relates with the ability to automatically encrypt/decrypt S3 objects from the client-side. It is not currently addressing SSE (Server-side Encryption), which I'm not sure if it's under the `AWS.S3` domain.
At the current state my main objective, to read KMS encrypted SES messages is fulfilled. This can be easily done like this:
I'm also satisfied that the logic is laid out so it can grow. Additional abilities are in place, but not fully tested:
- `putObject`
  - `KMSKeyId` and `EncryptionKey`.
  - `KMSKeyId`, with the `EncryptionKey` automatically generated.
  - `kms_client`, passed with the options of `AWS.S3.Encryption.Client`.
- `getObject`
  - `KMSKeyId` and `EncryptionKey`.
  - `KMSKeyId`, with the `EncryptionKey` resourced from the file headers (as 'x-amz-key-v2').
  - `kms_client`, passed with the options of `AWS.S3.Encryption.Client`.
There is also scaffolding for allowing an instruction file, which will contain the encryption context of an encrypted file, but that functionality is at present disabled.
Some of these features I didn't want to complete by introducing my own conventions. For example, arbitrarily including the `x-amz-key-v2` key in the putObject response (to allow the user to save that info).
In addition, I tried to incorporate the unit tests from the Ruby lib, although they are failing, mostly because the stub requests for the KMS and S3 services aren't set up properly. I'm sure this can be easily amended by someone more familiar with the inner workings of the API/SDK.
I understand that further adjustments may be required before this code can be integrated to the main lib. That's why I'm committing it as a separate branch. Frankly, I feel it is a significant component that shouldn't be addressed by just one contributor anyway.
On a positive note, everything is contained under the `AWS.S3.Encryption` namespace and should not interfere with any of the existing functionality. I can use my branch to decrypt SES messages and there's an open invitation for anyone that wants to work on the other features.
Let me know if you have any questions.
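The envelope scheme the description refers to (a data key wrapped by KMS and carried in the object's `x-amz-key-v2` header), as an added example that is not code from this pull request. Only `x-amz-key-v2` is named in the thread; the other header names follow the S3 encryption client's metadata format, and `makeFakeKms`, `decryptObject` and `makeSample` are hypothetical names, with `makeFakeKms` a local stand-in for the KMS Decrypt call.

```javascript
const crypto = require('crypto');
// Hypothetical stand-in for KMS: maps a wrapped blob to its data key and
// enforces the encryption context on unwrap, as KMS Decrypt does.
function makeFakeKms() {
  const store = new Map();
  return {
    wrap(plainKey, context) {
      const blob = crypto.randomBytes(32);
      store.set(blob.toString('base64'), { plainKey, context: JSON.stringify(context) });
      return blob;
    },
    unwrap(blob, context) {
      const entry = store.get(blob.toString('base64'));
      if (!entry || entry.context !== JSON.stringify(context))
        throw new Error('KMS: invalid ciphertext or encryption context');
      return entry.plainKey;
    },
  };
}

// Decrypt an object body using the envelope stored in its metadata headers.
function decryptObject(metadata, body, kms) {
  if (metadata['x-amz-wrap-alg'] !== 'kms') throw new Error('unsupported key wrap algorithm');
  const context = JSON.parse(metadata['x-amz-matdesc']);
  const dataKey = kms.unwrap(Buffer.from(metadata['x-amz-key-v2'], 'base64'), context);
  const iv = Buffer.from(metadata['x-amz-iv'], 'base64');
  switch (metadata['x-amz-cek-alg']) {
    case 'AES/CBC/PKCS5Padding': { // unauthenticated: tampering is not reliably detected
      const d = crypto.createDecipheriv('aes-256-cbc', dataKey, iv);
      return Buffer.concat([d.update(body), d.final()]);
    }
    case 'AES/GCM/NoPadding': { // 16-byte auth tag is appended to the ciphertext
      const d = crypto.createDecipheriv('aes-256-gcm', dataKey, iv);
      d.setAuthTag(body.subarray(body.length - 16));
      return Buffer.concat([d.update(body.subarray(0, body.length - 16)), d.final()]);
    }
    default: throw new Error('unsupported content encryption algorithm');
  }
}

// Constructed sample: builds an encrypted object and its metadata for the demo.
function makeSample(kms, plaintext, cmkId) {
  const dataKey = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const context = { kms_cmk_id: cmkId };
  const c = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const body = Buffer.concat([c.update(plaintext), c.final(), c.getAuthTag()]);
  return { body, metadata: {
    'x-amz-wrap-alg': 'kms', 'x-amz-cek-alg': 'AES/GCM/NoPadding',
    'x-amz-key-v2': kms.wrap(dataKey, context).toString('base64'),
    'x-amz-iv': iv.toString('base64'), 'x-amz-matdesc': JSON.stringify(context) } };
}
```

Rejecting any `x-amz-wrap-alg` or `x-amz-cek-alg` value the reader does not explicitly support keeps attacker-controlled metadata from selecting the decryption path.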