aws / aws-sdk-php

Official repository of the AWS SDK for PHP (@awsforphp)
http://aws.amazon.com/sdkforphp
Apache License 2.0

client side encryption #831

Closed vlajos closed 6 years ago

vlajos commented 8 years ago

Hi,

Has S3 client side encryption been implemented in this library? Or are there any alternatives maybe?

Thank you!

Best regards, Lajos

jeskew commented 8 years ago

Hi @vlajos,

The SDK for PHP doesn't have support for client side encryption yet, but it's something that's on our radar. Are you specifically looking for interop with the Java and Ruby libraries (i.e., to be able to decrypt items encrypted by those SDKs and vice versa)?

vlajos commented 8 years ago

Hi @jeskew,

Thank you. We want to use PHP on both sides so probably we will implement something for ourselves. I just wanted to check if there is something already existing.

Best regards, Lajos

jeskew commented 8 years ago

This is a feature that we'd like to add. I'm going to leave this open as a feature request to track work and community support.

vlajos commented 8 years ago

Thank you!

lynsei commented 8 years ago

I'm working on a client-side token based encryption mechanism that plays nice with the SDK and follows the JSON Web Tokens standard. I'll let you know when the code matures a bit... shouldn't be too long :)

Similar to this in concept: https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/index.md

davedevelopment commented 8 years ago

@jeskew any news you could share on this? I'm about to embark on a feature that will be needing something like this and I don't want to have to start rolling my own if it's something that will make its way in shortly. Also, for me, compatibility with the Java and Ruby SDKs would be a bonus.

jeskew commented 8 years ago

@davedevelopment For an official S3 encryption client in the PHP SDK, compatibility with the Java and Ruby SDKs is a must. That means that the client will need to be able to decrypt information encrypted with an AES GCM cipher mode, which is used by SES and the Java and Ruby SDKs.

Unfortunately, there's no good way to do so in any released version of PHP. The standard OpenSSL extension does not support AEAD (Authenticated Encryption with Associated Data) cipher modes, so GCM encryption and decryption would rely on a different, non-standard extension or crypto code written in PHP. There is an accepted RFC adding GCM support to PHP's OpenSSL extension and an open RFC to make libsodium a standard extension. GCM support will definitely land in PHP 7.1, and I'd like to know what the API will look like before writing code against it.

davedevelopment commented 8 years ago

@jeskew thanks for the clarification, I'll probably roll my own solution for now and re-encrypt everything once I can rely on the SDK.

davedevelopment commented 8 years ago

Having just re-read that issue, I've at least been able to create something that is compatible with the current Ruby implementation, so going forward I might be ok, assuming the PHP SDK would be open to compatibility with the current Ruby implementation as well.

jeskew commented 8 years ago

That's true. The current Ruby implementation allows you to select a cipher mode, so it is definitely possible to create an encryption client in PHP that is mostly compatible with Ruby and Java.

If you write a PHP encryption client that only supports non-AEAD cipher modes, then anything it encrypts will be decipherable by the Ruby and Java implementations, and it will be able to decrypt a subset of the objects encrypted by the Ruby and Java clients. You could, for example, configure the Ruby and Java clients to only use AES-256-CBC and write a PHP client that can read and write that cipher.

leith commented 8 years ago

@davedevelopment Any chance of your encryption client addition to the PHP SDK being made available as a starting point for this PR/others who want to use it? :smile:

This seems like a feature that could be added without AEAD support initially, then add AEAD support once the API is available in PHP 7.1 (and adding notes that 7.1 would become the required PHP version for those wanting to use that cipher).

davedevelopment commented 8 years ago

@leith my code isn't all that integrated with the SDK like the other libs, it's sitting just above it. I'm happy to share this, though it's integrated with closed source code, so would rather do so by email, drop me a line and I'll sort something out for you.

dearsina commented 7 years ago

@jeskew Now that 7.1 has been released with GCM support, can we have client-side encryption for the PHP SDK? Pretty please? :)

https://wiki.php.net/rfc#php_71
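
The GCM support in PHP 7.1's OpenSSL extension that the thread was waiting on, as an added example that is not part of any comment here and is not the SDK's own code. The helper names `gcmEncrypt` and `gcmDecrypt` are hypothetical, the data key and associated data are constructed sample values, and wrapping of the data key by a master key or KMS is left out.

```php
<?php
// Added example: AES-256-GCM with ext-openssl on PHP >= 7.1.
// gcmEncrypt/gcmDecrypt are hypothetical helper names, not SDK functions.

function gcmEncrypt(string $plaintext, string $key, string $aad): array
{
    $iv  = random_bytes(12);   // 96-bit nonce; must never repeat under the same key
    $tag = '';                 // filled by openssl_encrypt() (by reference)
    $ciphertext = openssl_encrypt(
        $plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, 16
    );
    if ($ciphertext === false) {
        throw new RuntimeException('GCM encryption failed');
    }
    return ['iv' => $iv, 'tag' => $tag, 'ciphertext' => $ciphertext];
}

function gcmDecrypt(array $envelope, string $key, string $aad): string
{
    // openssl_decrypt() does not check the tag length itself, so a
    // truncated tag must be rejected by the caller.
    if (strlen($envelope['tag']) !== 16) {
        throw new RuntimeException('Unexpected authentication tag length');
    }
    $plaintext = openssl_decrypt(
        $envelope['ciphertext'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        $envelope['iv'], $envelope['tag'], $aad
    );
    if ($plaintext === false) {
        throw new RuntimeException('Authentication failed; ciphertext rejected');
    }
    return $plaintext;
}

$dataKey = random_bytes(32);                         // constructed per-object key
$aad     = 'bucket=example-bucket;key=example.txt';  // constructed associated data
$envelope = gcmEncrypt('constructed sample payload', $dataKey, $aad);
echo gcmDecrypt($envelope, $dataKey, $aad), PHP_EOL;

// A single flipped ciphertext bit must fail authentication instead of
// yielding altered plaintext, which a non-AEAD mode such as CBC cannot promise.
$tampered = $envelope;
$tampered['ciphertext'][0] = chr(ord($tampered['ciphertext'][0]) ^ 1);
try {
    gcmDecrypt($tampered, $dataKey, $aad);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```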

cjyclaire commented 7 years ago

@dearsina Appreciate the feedback, it has been tracked in our backlog already and will be prioritized shortly I believe :).

mariordev commented 7 years ago

Any update regarding client-side encryption support added to the PHP SDK? It would be extremely useful! Thank you!

dearsina commented 7 years ago

@jeskew Hope you had a good winter. How's that backlog looking? 😄

imshashank commented 7 years ago

@dearsina Thanks for reaching out to us. We are working on the specs for adding client-side encryption at the current moment. Unfortunately, we don't have an estimated time for that as of now. Meanwhile, I will keep this thread updated.

tolidano commented 7 years ago

Pinging on this - how is this coming along?

kstich commented 7 years ago

Hi everyone! Please take a look at #1395 which provides an implementation for this request.

kstich commented 6 years ago

This was released in Version 3.38.0

mariordev commented 6 years ago

Thank you!!! 👍

vlajos commented 6 years ago

Thank you!