Amazon VGT2 Las Vegas: Generating Pre-signed URLs with SSE-C (Finale)

In the previous installment of this blog series, we explored how to create and utilize pre-signed URLs with Server-Side Encryption with Customer-Provided Keys (SSE-C). In this concluding entry, I will share code snippets that demonstrate how to generate and use pre-signed URLs with SSE-C while limiting their usage to specific customer-provided encryption keys.

As mentioned in the first part of this series, it is essential to use Signature Version 4 (SigV4) for this functionality. You can enable SigV4 in the AWS SDK for Java through various methods, such as setting S3-specific system properties or programmatically, as shown previously. The code examples below will assume that SigV4 has been enabled.

SSE-C with Specific Customer-Provided Encryption Keys

To generate a pre-signed PUT URL using SSE-C with specific customer encryption keys, you can use the following code:

String myExistingBucket = ...; // an existing bucket
String myKey = ...; // target S3 key
SecretKey customerKey = ...;

GeneratePresignedUrlRequest genreq = new GeneratePresignedUrlRequest(
    myExistingBucket, myKey, HttpMethod.PUT);
// Restrict the pre-signed PUT URL for a specific customer-provided encryption key
genreq.setSSECustomerKey(new SSECustomerKey(customerKey));
// Ensure S3 is configured to use SigV4
URL puturl = s3.generatePresignedUrl(genreq);
System.out.println("Presigned PUT URL with SSE-C: " + puturl);

To utilize the generated pre-signed PUT URL with Apache HttpClient (version 4.3), you can do as follows:

File fileToUpload = ...; // the file to upload
SecretKey customerKey = ...;

HttpPut putreq = new HttpPut(URI.create(puturl.toExternalForm()));
// Include the customer-provided encryption key when using the pre-signed URL
putreq.addHeader(new BasicHeader(
    Headers.SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM,
    SSEAlgorithm.AES256.getAlgorithm()));
putreq.addHeader(new BasicHeader(
    Headers.SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY, 
    Base64.encodeAsString(customerKey.getEncoded())));
putreq.addHeader(new BasicHeader(
    Headers.SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY_MD5, 
    Md5Utils.md5AsBase64(customerKey.getEncoded())));
putreq.setEntity(new FileEntity(fileToUpload));
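CloseableHttpClient httpclient = HttpClients.createDefault();
// Close the response to release the connection; the status line shows whether S3 accepted the upload
try (CloseableHttpResponse res = httpclient.execute(putreq)) {
    System.out.println("PUT status: " + res.getStatusLine());
}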

To generate a pre-signed GET URL for SSE-C with specific customer encryption keys, you can use the following code:

GeneratePresignedUrlRequest genreq = new GeneratePresignedUrlRequest(
    BUCKET, KEY, HttpMethod.GET);
// Restrict the pre-signed GET URL for a specific customer-provided encryption key
genreq.setSSECustomerKey(new SSECustomerKey(customerKey));
// Ensure S3 is configured to use SigV4
URL geturl = s3.generatePresignedUrl(genreq);
System.out.println("Presigned GET URL for SSE-C: " + geturl);

To utilize the generated pre-signed GET URL via Apache HttpClient (version 4.3), you can proceed with:

HttpGet getreq = new HttpGet(URI.create(geturl.toExternalForm()));
// Include the customer-provided encryption key when using the pre-signed URL
getreq.addHeader(new BasicHeader(
    Headers.SERVER_SIDE_ENCRYPTION_CUSTOMER_ALGORITHM,
    SSEAlgorithm.AES256.getAlgorithm()));
getreq.addHeader(new BasicHeader(
    Headers.SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY,
    Base64.encodeAsString(customerKey.getEncoded())));
getreq.addHeader(new BasicHeader(
    Headers.SERVER_SIDE_ENCRYPTION_CUSTOMER_KEY_MD5,
    Md5Utils.md5AsBase64(customerKey.getEncoded())));
CloseableHttpClient httpclient = HttpClients.createDefault();
String actual;
// try-with-resources closes the response and releases the connection
try (CloseableHttpResponse res = httpclient.execute(getreq)) {
    InputStream is = res.getEntity().getContent();
    actual = IOUtils.toString(is);
}
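
The snippets above leave customerKey elided and build the header values with SDK helper classes. As an added example (not code from the original post or from the AWS SDK), the following JDK-only class generates a 256-bit key and derives the three SSE-C header values that have to accompany the pre-signed URL; the class and method names are hypothetical.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Hypothetical helper, not part of the AWS SDK: builds the SSE-C request headers.
public class SseCHeaders {
    static final String ALGORITHM = "x-amz-server-side-encryption-customer-algorithm";
    static final String KEY = "x-amz-server-side-encryption-customer-key";
    static final String KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5";

    // SSE-C requires a 256-bit AES key; generate it from a CSPRNG.
    static SecretKey newCustomerKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        return kg.generateKey();
    }

    // The MD5 is taken over the raw key bytes, not over the base64 string.
    static Map<String, String> headersFor(SecretKey key) throws Exception {
        byte[] raw = key.getEncoded();
        if (raw == null || raw.length != 32) {
            throw new IllegalArgumentException("SSE-C needs a 256-bit key");
        }
        byte[] md5 = MessageDigest.getInstance("MD5").digest(raw);
        Map<String, String> h = new LinkedHashMap<>();
        h.put(ALGORITHM, "AES256");
        h.put(KEY, Base64.getEncoder().encodeToString(raw));
        h.put(KEY_MD5, Base64.getEncoder().encodeToString(md5));
        return h;
    }

    // Pre-flight check before sending: the MD5 header must match the key header.
    static boolean consistent(Map<String, String> h) throws Exception {
        byte[] raw = Base64.getDecoder().decode(h.get(KEY));
        byte[] md5 = MessageDigest.getInstance("MD5").digest(raw);
        return raw.length == 32
            && MessageDigest.isEqual(md5, Base64.getDecoder().decode(h.get(KEY_MD5)));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> h = headersFor(newCustomerKey());
        // Print only non-secret values; the key header must never be logged.
        System.out.println(KEY_MD5 + ": " + h.get(KEY_MD5));
        System.out.println("consistent: " + consistent(h));
    }
}
```

The same key must be kept by the caller and presented again on every GET, since S3 does not store it.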

In conclusion, we have demonstrated how to generate and utilize pre-signed URLs with SSE-C using specific customer-provided encryption keys.

Thanks for following along with this blog series! We’d love to hear your thoughts on how you implement this feature in your applications. Until next time!