If you want to use server-side encryption with your own keys (SSE-C), proceed as follows.
Let’s create a binary key:
mirettam@doraemon:~$ cat /dev/random | head -c 32 > key.bin
Let’s upload an object:
First check the md5sum of the object:
mirettam@doraemon:~$ md5sum awscliv2.zip
e6b46dd7cac2629a544ab343df00324f awscliv2.zip
Then PUT the object:
mirettam@doraemon:~$ aws s3api put-object --key awscliv2.zip --body awscliv2.zip --sse-customer-algorithm AES256 --sse-customer-key fileb://key.bin --bucket storagegrid-training
{
    "ETag": "\"0edaf675a5c6d28c3c29d8b7f627a7ae\"",
    "SSECustomerAlgorithm": "AES256",
    "SSECustomerKeyMD5": "eUhaDMfLGFJZ21BC4qX2qg=="
}
Let’s try to retrieve the object using the keys.
mirettam@doraemon:~$ aws s3api get-object --key awscliv2.zip --sse-customer-algorithm AES256 --sse-customer-key fileb://key.bin --bucket storagegrid-training awscli2.zip
{
    "AcceptRanges": "bytes",
    "LastModified": "2020-08-18T11:04:02+00:00",
    "ContentLength": 33159785,
    "ETag": "\"0edaf675a5c6d28c3c29d8b7f627a7ae\"",
    "ContentType": "binary/octet-stream",
    "Metadata": {},
    "SSECustomerAlgorithm": "AES256",
    "SSECustomerKeyMD5": "eUhaDMfLGFJZ21BC4qX2qg=="
}
Check the md5sum of the retrieved object.
mirettam@doraemon:~$ md5sum awscli2.zip
e6b46dd7cac2629a544ab343df00324f awscli2.zip
Let’s try to retrieve the object without using any key; it should fail:
mirettam@doraemon:~$ aws s3api get-object --key awscliv2.zip --bucket storagegrid-training awscli3.zip

An error occurred (InvalidRequest) when calling the GetObject operation: The object was stored using a form of Server Side Encryption. The correct parameters must be provided to retrieve the object.
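The SSECustomerKeyMD5 value in the responses above is the base64-encoded MD5 digest of the key itself, so it can be used to confirm which local key file an object was encrypted with before attempting a download. The following is an added example, not part of the original post; the function names are hypothetical, and key creation here assumes /dev/urandom and an owner-only umask.

```shell
#!/bin/sh
# Added example: helpers for handling SSE-C key files (hypothetical names).

# Create a 256-bit key file that only the owner can read.
gen_sse_c_key() {
    ( umask 077 && head -c 32 /dev/urandom > "$1" )
}

# Print the key fingerprint in the form S3 returns as SSECustomerKeyMD5:
# base64 of the raw 16-byte MD5 digest of the key bytes.
sse_c_key_md5() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 -binary "$1" | base64
    else
        # Fallback using coreutils only: hex digest -> raw bytes -> base64.
        for h in $(md5sum < "$1" | cut -c1-32 | sed 's/../& /g'); do
            printf "\\$(printf '%03o' "0x$h")"
        done | base64
    fi
}

# Succeed only if the key file matches the fingerprint taken from a
# put-object, get-object or head-object response.
check_sse_c_key() {
    [ "$(sse_c_key_md5 "$1")" = "$2" ]
}
```

For the object uploaded above, `check_sse_c_key key.bin 'eUhaDMfLGFJZ21BC4qX2qg=='` should succeed when key.bin is the file that was passed to put-object.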