eleven41 / aws-lambda-encrypt-s3-objects

An AWS Lambda function to encrypt S3 objects using server-side AES256 encryption as they are added to the bucket.
MIT License
18 stars 15 forks

Using SSECustomerAlgorithm #3

Open airbone42 opened 8 years ago

airbone42 commented 8 years ago

Hi,

great script, thanks a lot.

Unfortunately, we want to use custom keys which we generate on-the-fly.

Did anyone ever try to implement that?

We already changed the copyObject part to the following snippet:

```javascript
s3.copyObject({
    Bucket: bucket,
    Key: key,
    CopySource: encodeURIComponent(bucket + '/' + key),
    MetadataDirective: 'COPY',
    SSECustomerAlgorithm: 'AES256',
    SSECustomerKey: 'key_=_string_of_exactly_32_bytes',    // raw 32-byte key string
    SSECustomerKeyMD5: '6535256929cded9f17f06e98de723096', // 32-character hex digest
    StorageClass: storageClass
}, function (err, data) {
    // callback as in the original script
});
```

Unfortunately, the JS SDK documentation doesn't state clearly in which format the customer key and MD5 should be transferred, so we didn't get it running: S3 just replies with a bad request.

mwhouser commented 8 years ago

Take a look here:

http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html

According to these docs:

x-amz-server-side-encryption-customer-algorithm: Use a value of "AES256".

x-amz-server-side-encryption-customer-key:

Specifies the customer-provided base64-encoded encryption key for Amazon S3 to use in encrypting data.

So take your encryption key and base64-encode it.

x-amz-server-side-encryption-customer-key-MD5:

Specifies the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321.

So do the same thing: base64-encode the MD5 digest.