Specifying Server-Side Encryption Using the AWS SDK for Java
When using the AWS SDK for Java to upload an object, you can use the
ObjectMetadata property of the
PutObjectRequest to set the
x-amz-server-side-encryption request header (see Specifying Server-Side Encryption Using the REST API). When you call the
PutObject method of the AmazonS3 client as shown in the following Java
code sample, Amazon S3 encrypts and saves the data.
File file = new File(uploadFileName); PutObjectRequest putRequest = new PutObjectRequest( bucketName, keyName, file); // Request server-side encryption. ObjectMetadata objectMetadata = new ObjectMetadata(); objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION); putRequest.setMetadata(objectMetadata); PutObjectResult response = s3client.putObject(putRequest); System.out.println("Uploaded object encryption status is " + response.getSSEAlgorithm());
In response, Amazon S3 returns the encryption algorithm used for encrypting your object data,
which you can check using the
For a working sample that shows how to upload an object, see Upload an Object Using the AWS SDK for Java. For
server-side encryption, add the
ObjectMetadata property to your request.
When uploading large objects using multipart upload API, you can request server-side encryption for the object that you are uploading.
When using the low-level multipart upload API (see Upload a File) to upload a large object, you can specify server-side encryption when you initiate the multipart upload. That is, you add the
ObjectMetadataproperty by calling the
When using the high-level multipart upload API (see Using the AWS Java SDK for Multipart Upload (High-Level API)), the
TransferManagerclass provides methods to upload objects. You can call any of the upload methods that take
ObjectMetadataas a parameter.
Determining the Encryption Algorithm Used
To determine the encryption state of an existing object, you can retrieve the object metadata as shown in the following Java code sample.
GetObjectMetadataRequest request2 = new GetObjectMetadataRequest(bucketName, keyName); ObjectMetadata metadata = s3client.getObjectMetadata(request2); System.out.println("Encryption algorithm used: " + metadata.getSSEAlgorithm());
If server-side encryption is not used for the object that is stored in Amazon S3, the method returns null.
Changing Server-Side Encryption of an Existing Object (Copy Operation)
To change the encryption state of an existing object, you make a copy of the object and
delete the source object. Note that, by default, the copy API will not encrypt the
target, unless you explicitly request server-side encryption. You can request the
encryption of the target object by using the
ObjectMetadata property to
specify server-side encryption in the
CopyObjectRequest as shown in the
following Java code sample.
CopyObjectRequest copyObjRequest = new CopyObjectRequest( sourceBucket, sourceKey, targetBucket, targetKey); // Request server-side encryption. ObjectMetadata objectMetadata = new ObjectMetadata(); objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION); copyObjRequest.setNewObjectMetadata(objectMetadata); CopyObjectResult response = s3client.copyObject(copyObjRequest); System.out.println("Copied object encryption status is " + response.getSSEAlgorithm());
For a working sample of how to copy an object, see Copy an Object Using the AWS SDK for Java. You can specify server-side encryption
CopyObjectRequest object as shown in the preceding code