AWS Developer Tools Blog
Using the AWS SDK for Go Encryption Client
Overview
The AWS SDK for Go released the encryption client last year, and some of our customers have asked us how to use it. We’re very excited to show you some examples in this blog post. Before we get into the examples, let’s look at what client-side encryption is and why you might want to use it.
Client-side encryption is the act of encrypting or decrypting on the client’s side rather than relying on a service to do the encryption for you. This has many added benefits, including letting you choose what to use to encrypt your data. It also adds a layer of security: only those who hold the master key can decrypt the data.
The crypto client has three major components: key wrap handler, cipher builder, and client. We use the key wrap handler to generate and encrypt the iv and key. Then we use those keys with the cipher builder to build a new cipher. Lastly, we use all these parts to create a client. To learn more about this process, see envelope encryption.
Prerequisite
To run these examples, we need
Encryption and Decryption
In our implementation, we wanted to provide interoperability across all SDKs and to give customers an easy way to extend the s3crypto package. Let’s first get into an example of putting a simple “hello world” object into S3.
Now that wasn’t too hard! It looks almost identical to the S3 PutObject! Let’s move on to an example of decryption.
As the code shows, there’s no difference between using the Amazon S3 client’s GetObject versus the s3crypto.DecryptionClient.GetObject.
Lost or Deleted Master Key
If you lose or delete your master key, there’s no way to decrypt your data. The beauty of client-side encryption is that the master key is never stored with your data; only the wrapped data key travels with the object. This allows you to specify who can view your data.
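The envelope-encryption flow described above (key wrap handler generates a data key and IV, the AES-GCM content cipher encrypts the body, the client stores only the wrapped key with the object) and the lost-master-key point, written out as an added Go example that is not the SDK’s own code. It assumes a local AES-GCM key wrap as a stand-in for the KMS key wrap so it runs offline; the real client calls KMS for that step.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// sealWith encrypts data with AES-GCM under key; the fresh random nonce is prefixed.
func sealWith(key, data []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, data, nil), nil
}

// openWith reverses sealWith; a wrong key or any tampering fails the GCM tag check.
func openWith(key, blob []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(blob) < n { return nil, fmt.Errorf("ciphertext shorter than nonce") }
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// Seal is the PutObject side: generate a one-time AES-256 data key, encrypt the body,
// then wrap the data key under masterKey (local stand-in for the KMS key wrap).
func Seal(masterKey, plaintext []byte) (ciphertext, wrappedKey []byte, err error) {
	dataKey := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dataKey); err != nil { return nil, nil, err }
	if ciphertext, err = sealWith(dataKey, plaintext); err != nil { return nil, nil, err }
	wrappedKey, err = sealWith(masterKey, dataKey)
	return ciphertext, wrappedKey, err
}

// Open is the GetObject side: unwrap the data key first, then decrypt the body.
// With a wrong or lost master key the unwrap fails and the object stays unreadable.
func Open(masterKey, ciphertext, wrappedKey []byte) ([]byte, error) {
	dataKey, err := openWith(masterKey, wrappedKey)
	if err != nil { return nil, fmt.Errorf("unwrap data key: %w", err) }
	return openWith(dataKey, ciphertext)
}
```

Only ciphertext and wrappedKey are what an S3 object would carry; masterKey never leaves the caller, which is exactly why losing it makes the data unrecoverable.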
Supported Algorithms
The AWS SDK for Go currently supports AWS KMS for key wrapping and AES GCM as the content cipher. However, some users might not want to use AES GCM for content encryption or KMS for key wrapping. The SDK allows any user to specify any cipher as long as it satisfies our interfaces. With that said, the goal of this crypto client is to allow interoperability between the crypto clients of other SDKs and enable easy extensibility. Please let us know in the comments how you’re using or extending the crypto client.
The documentation for Amazon S3 Encryption Client can be found here.
Check out other SDKs that support the Amazon S3 Encryption Client
AWS SDK for C++
AWS SDK for Java
AWS SDK for Ruby