Instead of using Amazon S3's server-side encryption, you also have the option of encrypting your data before sending it to Amazon S3. You can build your own library that encrypts your object data on the client side before uploading it to Amazon S3, or you can use the AWS SDK for Java, which can automatically encrypt your data before uploading it to Amazon S3.
Currently, only the AWS SDK for Java supports client-side encryption.
Important
Your private encryption keys and your unencrypted data are never sent to AWS; therefore, it is important that you safely manage your encryption keys. If you lose your encryption keys, you won't be able to decrypt your data.
The AWS SDK for Java uses a process called envelope encryption. In envelope encryption, you provide your encryption key to the Amazon S3 encryption client and the client takes care of the rest of the process. The process works like this:
The Amazon S3 encryption client generates a one-time-use symmetric key (called the envelope symmetric key) that the client uses to encrypt your data.
The client encrypts the envelope symmetric key using your private encryption key.
The client then uploads the encrypted envelope key along with your encrypted data to Amazon S3. By default, the encrypted envelope key is stored as object metadata, x-amz-meta-x-amz-key, in Amazon S3.
Retrieving and decrypting the client-side encrypted data from Amazon S3 is the reverse of the encryption flow above:
The client retrieves your encrypted data from Amazon S3 along with the encrypted envelope key.
The client then decrypts the encrypted envelope key using your private encryption key.
The client decrypts your data using the envelope key.
Your private encryption key that the client uses in the envelope encryption process can be an asymmetric key pair (composed of public and private keys) or it can be a symmetric key. We recommend using asymmetric keys for the increased level of security that they provide in the envelope encryption process.
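The envelope flow described above, as an added example in Go that is not part of this page or of the AWS SDK for Java: it models both sides of the process with Go's standard crypto packages instead of the SDK's client, using AES-256-GCM for the one-time envelope key and RSA-OAEP with the customer's asymmetric key pair to wrap it. The algorithm choices, the function names and the 2048-bit key size are assumptions for the illustration; the page itself states only the flow and the metadata name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)
// NewCustomerKeyPair is the customer's asymmetric master key (assumed RSA-2048); it never leaves the client.
func NewCustomerKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func newGCM(dataKey []byte) (cipher.AEAD, error) { // rejects a data key of the wrong length
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// EnvelopeEncrypt returns the ciphertext body and the RSA-OAEP-wrapped envelope key (what the SDK stores as x-amz-meta-x-amz-key).
func EnvelopeEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, []byte, error) {
	buf := make([]byte, 44) // fresh one-time 32-byte AES-256 data key (buf[:32]) followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, nil, err
	}
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil) // only this travels
	if err != nil {
		return nil, nil, err
	}
	return gcm.Seal(buf[32:], buf[32:], plaintext, nil), wrappedKey, nil // nonce || ciphertext || GCM tag
}
// EnvelopeDecrypt reverses the flow; a wrong private key, a tampered body or a truncated body returns an error.
func EnvelopeDecrypt(priv *rsa.PrivateKey, body, wrappedKey []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(body) >= n {
		return gcm.Open(nil, body[:n], body[n:], nil)
	}
	return nil, io.ErrUnexpectedEOF
}
```

A real client would base64-encode the wrapped key before placing it in the metadata header, and the GCM tag is what turns a modified object body into a decryption error rather than silently wrong plaintext.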
For more information about the envelope encryption process, see the Client-Side Data Encryption with the AWS SDK for Java and Amazon S3 article.