Menu
Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Specifying Server-Side Encryption Using the AWS SDK for .NET

When using the AWS SDK for .NET to upload an object, you can use the WithServerSideEncryptionMethod property of PutObjectRequest to set the x-amz-server-side-encryption request header (see Specifying Server-Side Encryption Using the REST API). When you call the PutObject method of the AmazonS3 client as shown in the following C# code sample, Amazon S3 encrypts and saves the data.

Copy to clipboard
static AmazonS3 client; client = new AmazonS3Client(accessKeyID, secretAccessKeyID); PutObjectRequest request = new PutObjectRequest(); request.WithContentBody("Object data for simple put.") .WithBucketName(bucketName) .WithKey(keyName) .WithServerSideEncryptionMethod(ServerSideEncryptionMethod.AES256); S3Response response = client.PutObject(request); // Check the response header to determine if the object is encrypted. ServerSideEncryptionMethod destinationObjectEncryptionStatus = response.ServerSideEncryptionMethod;

In response, Amazon S3 returns the encryption algorithm that is used to encrypt your object data, which you can check using the ServerSideEncryptionMethod property.

For a working sample of how to upload an object, see Upload an Object Using the AWS SDK for .NET. For server-side encryption, set the ServerSideEncryptionMethod property by calling the WithServerSideEncryptionMethod method.

To upload large objects using the multipart upload API, you can specify server-side encryption for the objects that you are uploading.

  • When using the low-level multipart upload API (see Using the AWS .NET SDK for Multipart Upload (Low-Level API)) to upload a large object, you can specify server-side encryption in your InitiateMultipartUpload request. That is, you set the ServerSideEncryptionMethod property to your InitiateMultipartUploadRequest by calling the WithServerSideEncryptionMethod method.

  • When using the high-level multipart upload API (see Using the AWS .NET SDK for Multipart Upload (High-Level API)), the TransferUtility class provides methods (Upload and UploadDirectory) to upload objects. In this case, you can request server-side encryption using the TransferUtilityUploadRequest and TransferUtilityUploadDirectoryRequest objects.

Determining the Encryption Algorithm Used

To determine the encryption state of an existing object, you can retrieve the object metadata as shown in the following C# code sample.

Copy to clipboard
AmazonS3 client; client = new AmazonS3Client(accessKeyID, secretAccessKeyID); ServerSideEncryptionMethod objectEncryption; GetObjectMetadataRequest metadataRequest = new GetObjectMetadataRequest() .WithBucketName(bucketName) .WithKey(keyName); objectEncryption = client.GetObjectMetadata(metadataRequest) .ServerSideEncryptionMethod;

The encryption algorithm is specified with an enum. If the stored object is not encrypted (default behavior), then the ServerSideEncryptionMethod property of the object will default to None.

Changing Server-Side Encryption of an Existing Object (Copy Operation)

To change the encryption state of an existing object, you can make a copy of the object and delete the source object. Note that, by default, the copy API will not encrypt the target, unless you explicitly request server-side encryption of the destination object. The following C# code sample makes a copy of an object. The request explicitly specifies server-side encryption for the destination object.

Copy to clipboard
AmazonS3 client; client = new AmazonS3Client(accessKeyID, secretAccessKeyID); CopyObjectResponse response = client.CopyObject(new CopyObjectRequest() .WithSourceBucket(sourceBucketName) .WithSourceKey(sourceObjetKey) .WithDestinationBucket(targetBucketName) .WithDestinationKey(targetObjectKey) .WithServerSideEncryptionMethod(ServerSideEncryptionMethod.AES256) ); // Check the response header to determine if the object is encrypted. ServerSideEncryptionMethod destinationObjectEncryptionStatus = response.ServerSideEncryptionMethod;

For a working sample of how to copy an object, see Copy an Object Using the AWS SDK for .NET. You can specify server-side encryption in the CopyObjectRequest object as shown in the preceding code sample.