Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Specifying Server-Side Encryption Using the AWS SDK for Java

When using the AWS SDK for Java to upload an object, you can use the ObjectMetadata property of the PutObjectRequest to set the x-amz-server-side-encryption request header (see Specifying Server-Side Encryption Using the REST API). When you call the PutObject method of the AmazonS3 client as shown in the following Java code sample, Amazon S3 encrypts and saves the data.

    File file = new File(uploadFileName);
    PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, file);

    // Request server-side encryption.
    ObjectMetadata objectMetadata = new ObjectMetadata();
    objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
    putRequest.setMetadata(objectMetadata);

    PutObjectResult response = s3client.putObject(putRequest);
    System.out.println("Uploaded object encryption status is " + response.getSSEAlgorithm());

In response, Amazon S3 returns the encryption algorithm used for encrypting your object data, which you can check using the getSSEAlgorithm method.

For a working sample that shows how to upload an object, see Upload an Object Using the AWS SDK for Java. For server-side encryption, add the ObjectMetadata property to your request.

When uploading large objects using the multipart upload API, you can request server-side encryption for the object that you are uploading.

  • When using the low-level multipart upload API (see Upload a File) to upload a large object, you can specify server-side encryption when you initiate the multipart upload. That is, you add the ObjectMetadata property by calling the InitiateMultipartUploadRequest.setObjectMetadata method.

  • When using the high-level multipart upload API (see Using the AWS Java SDK for Multipart Upload (High-Level API)), the TransferManager class provides methods to upload objects. You can call any of the upload methods that take ObjectMetadata as a parameter.

Determining the Encryption Algorithm Used

To determine the encryption state of an existing object, you can retrieve the object metadata as shown in the following Java code sample.

    GetObjectMetadataRequest request2 = new GetObjectMetadataRequest(bucketName, keyName);
    ObjectMetadata metadata = s3client.getObjectMetadata(request2);
    System.out.println("Encryption algorithm used: " + metadata.getSSEAlgorithm());

If server-side encryption is not used for the object that is stored in Amazon S3, the method returns null.

Changing Server-Side Encryption of an Existing Object (Copy Operation)

To change the encryption state of an existing object, you make a copy of the object and delete the source object. Note that, by default, the copy API will not encrypt the target, unless you explicitly request server-side encryption. You can request the encryption of the target object by using the ObjectMetadata property to specify server-side encryption in the CopyObjectRequest as shown in the following Java code sample.

    CopyObjectRequest copyObjRequest = new CopyObjectRequest(
            sourceBucket, sourceKey, targetBucket, targetKey);

    // Request server-side encryption.
    ObjectMetadata objectMetadata = new ObjectMetadata();
    objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
    copyObjRequest.setNewObjectMetadata(objectMetadata);

    CopyObjectResult response = s3client.copyObject(copyObjRequest);
    System.out.println("Copied object encryption status is " + response.getSSEAlgorithm());

For a working sample of how to copy an object, see Copy an Object Using the AWS SDK for Java. You can specify server-side encryption in the CopyObjectRequest object as shown in the preceding code sample.
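
The following is an added example, not part of the original guide: it combines the metadata check and the copy operation described above to find every object in a bucket for which getSSEAlgorithm returns null and copy it with server-side encryption requested. The class and method names are hypothetical, and it assumes each object is copied onto its own key (so no source delete is needed) and that default credentials and region are configured.

```java
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.CopyObjectRequest;
import com.amazonaws.services.s3.model.CopyObjectResult;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.S3ObjectSummary;

public class SseAudit { // hypothetical class name, not from the guide

    /** Copies each object stored without SSE onto itself with SSE requested; returns how many were fixed. */
    static int encryptUnencrypted(AmazonS3 s3, String bucket) {
        int fixed = 0;
        ObjectListing listing = s3.listObjects(bucket);
        while (true) {
            for (S3ObjectSummary summary : listing.getObjectSummaries()) {
                String key = summary.getKey();
                ObjectMetadata current = s3.getObjectMetadata(bucket, key);
                if (current.getSSEAlgorithm() != null) {
                    continue; // already stored with server-side encryption
                }
                // The metadata set on the copy request becomes the target's metadata,
                // so carry over the content type and user metadata explicitly
                // (extend this for any other headers your objects rely on).
                ObjectMetadata updated = new ObjectMetadata();
                if (current.getContentType() != null) {
                    updated.setContentType(current.getContentType());
                }
                updated.setUserMetadata(current.getUserMetadata());
                updated.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);

                CopyObjectRequest copy = new CopyObjectRequest(bucket, key, bucket, key);
                copy.setNewObjectMetadata(updated);
                CopyObjectResult result = s3.copyObject(copy);
                // Fail loudly if the response does not confirm the requested algorithm.
                if (!ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION.equals(result.getSSEAlgorithm())) {
                    throw new IllegalStateException("SSE not applied to " + key);
                }
                fixed++;
            }
            if (!listing.isTruncated()) break;
            listing = s3.listNextBatchOfObjects(listing);
        }
        return fixed;
    }

    public static void main(String[] args) {
        AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
        System.out.println("Objects re-encrypted: " + encryptUnencrypted(s3, args[0]));
    }
}
```

In a versioning-enabled bucket the copy creates a new version, and the earlier unencrypted version remains until it is deleted. A single copy operation handles objects up to 5 GB; larger objects need a multipart copy.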