aws / aws-sdk-java

The official AWS SDK for Java 1.x (In Maintenance Mode, End-of-Life on 12/31/2025). The AWS SDK for Java 2.x is available here: https://github.com/aws/aws-sdk-java-v2/
https://aws.amazon.com/sdkforjava
Apache License 2.0

Allow the SDK AmazonS3EncryptionV2 to accept a customized AAD #3051

Closed sfc-gh-schen closed 11 months ago

sfc-gh-schen commented 1 year ago

Describe the feature

Hi, as the title states, it looks like the AmazonS3EncryptionV2/AmazonS3EncryptionClientV2Builder does not allow a customized AAD for AES-GCM client-side encryption. Is there any way to support it? If not supported, why is it not supported? The SDK uses an empty string as the AAD for data encryption in the case of AES-GCM (see here); the SDK should allow users to pass in a customized AAD.

If the AmazonS3EncryptionV2/AmazonS3EncryptionClientV2Builder does not allow customized AAD, does the separate library Encryption SDK support it? At least I didn't find a way.

Use Case

Use AES-GCM encryption algo to encrypt data using my own provided AAD.

Proposed Solution

No response

Other Information

No response

AWS Java SDK version used

aws-java-sdk-s3-1.12.390

JDK version used

openjdk 11.0.11

Operating System and version

does not matter
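The point behind the request: in AES-GCM the authentication tag covers the AAD as well as the plaintext, so an empty AAD (which the issue says AmazonS3EncryptionV2 uses) leaves nothing binding a ciphertext to the object it was written as. The following is an added example using plain javax.crypto, not SDK code, showing decryption failing when the AAD presented at decryption differs from the one used at encryption; the bucket/key context strings are constructed values.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class GcmAadDemo {
    private static final int TAG_BITS = 128;
    private static final int IV_BYTES = 12;
    // AES-GCM encrypt. The tag covers plaintext and AAD; with an empty AAD
    // (the SDK's current behaviour per the issue) it covers only the plaintext.
    static byte[] encrypt(SecretKey key, byte[] iv, byte[] aad, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        return c.doFinal(plaintext);
    }
    // AES-GCM decrypt. Throws AEADBadTagException if ciphertext or AAD differ.
    static byte[] decrypt(SecretKey key, byte[] iv, byte[] aad, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh IV per encryption; never reused with a key
        byte[] data = "payroll rows".getBytes(StandardCharsets.UTF_8);
        // Constructed sample contexts: the S3 location the object was written to.
        byte[] aadA = "bucket=hr-data;key=payroll.csv".getBytes(StandardCharsets.UTF_8);
        byte[] aadB = "bucket=public;key=payroll.csv".getBytes(StandardCharsets.UTF_8);
        byte[] ct = encrypt(key, iv, aadA, data);
        System.out.println(new String(decrypt(key, iv, aadA, ct), StandardCharsets.UTF_8));
        // Same key and IV, but the object is presented under a different location.
        try {
            decrypt(key, iv, aadB, ct);
            System.out.println("unexpected: ciphertext accepted under another context");
        } catch (AEADBadTagException e) {
            System.out.println("tag check failed: ciphertext is bound to its original context");
        }
    }
}
```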

debora-ito commented 1 year ago

Hi @sfc-gh-schen I found some documentation that shows that the standalone aws-encryption-sdk supports providing an AAD value but only if you're building your own encryption library that is compatible with the AWS Encryption SDK - https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html

When you use the aws-encryption-sdk library with its default configuration, it doesn't support a custom AAD.

A disclaimer: I'm no expert in Encryption methods, so I may be misunderstanding your ask.

aws-encryption-sdk is a separate library from SDK, and it's different from the AmazonS3EncryptionV2. We don't have plans to add new features to AmazonS3EncryptionV2.

debora-ito commented 12 months ago

Marking this to auto-close soon. Let us know if you have any other questions.

sfc-gh-schen commented 11 months ago

Hey @debora-ito Thanks for the pointer. Do you know if I have to use the AWS KMS service if I switch to aws-encryption-sdk? It looks like the code example needs to construct an AwsKMSClient.

debora-ito commented 11 months ago

AWS KMS is optional, according to the AWS Encryption SDK documentation - https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/java.html#java-prerequisites

If you have further questions about aws-encryption-sdk, I recommend you open a new GitHub issue in their dedicated repo: https://github.com/aws/aws-encryption-sdk-java/