AWS SDK support for Amazon S3 client-side encryption
The following tables list the cryptographic algorithms and features that are supported by the language–specific AWS SDKs. For information about how to use the features for a particular SDK, see the developer guide for that SDK.
If you are new to cryptography, see the AWS Cryptographic Services and Tools Guide to learn the terms and concepts.
The AWS Encryption SDK is a client-side encryption library that is independent of the AWS SDKs. You can use this encryption library to more easily implement encryption best practices. Unlike the Amazon S3 encryption clients in the language–specific AWS SDKs, the AWS Encryption SDK returns a portable ciphertext that is not tied to Amazon S3, does not require an AWS account, and can be used to encrypt or decrypt any unformatted data.
The AWS Encryption SDK and the Amazon S3 encryption clients are not compatible because they produce ciphertexts with different data formats. For more information about the AWS Encryption SDK, see the AWS Encryption SDK Developer Guide.
AWS SDK features for Amazon S3 client-side encryption
To use the Amazon S3 client-side encryption library to encrypt data before uploading to Amazon S3, you must provide a root key to the Amazon S3 encryption client. You can provide a client-side root key or use an AWS KMS key from AWS Key Management Service (AWS KMS) . The AWS KMS keys make it easier to create and manage cryptographic keys securely. For more information about these features, choose the links provided in the Feature column.
For details about how to use the features for a particular SDK, see the SDK's developer guide.
In the following table, each column indicates whether the AWS Command Line Interface or SDK for a specific language supports the features used in client-side encryption.
| Feature | Java | .NET | Ruby v2 | AWS CLI | Boto3 | PHP v3 | JavaScript | Go | C++ |
|---|---|---|---|---|---|---|---|---|---|
| Amazon S3 client-side encryption | Yes | Yes | Yes | No | No | Yes | No | Yes | Yes |
| AWS KMS keys | Yes | Yes | Yes | No | No | Yes | No | Yes | Yes |
For information about the v2 Amazon S3 encryption clients that support client-side
encryption, see our blog post about Updates to the Amazon S3 Encryption Client
For more details about the legacy v1 Amazon S3 encryption client, see the following blog posts.
Amazon S3 encryption client cryptographic algorithms
The following table lists the algorithms that each language–specific AWS SDK supports for encrypting keys and data when using the Amazon S3 encryption client.
| Algorithm | Java | .NET | Ruby v2 | AWS CLI | Boto3 | PHP v3 | JavaScript | Go | C++ |
|---|---|---|---|---|---|---|---|---|---|
| Key Wrap: RSA-OAEP-SHA1 | Yes | Yes | Yes | No | No | No | No | No | No |
| Key Wrap: AES/GCM | Yes | Yes | Yes | No | No | No | No | No | Yes |
| Key Wrap: KMS+context | Yes | Yes | Yes | No | No | Yes | No | Yes | Yes |
| Key Wrap: AES/ECB | Deprecated | Deprecated | Deprecated | No | No | No | No | No | No |
| Key Wrap: AESWrap | Deprecated | Deprecated | Deprecated | No | No | No | No | No | Deprecated |
| Key Wrap: RSA | Deprecated | No | Deprecated | No | No | No | No | No | No |
| Key Wrap: KMS | Deprecated | Deprecated | Deprecated | No | No | Deprecated | No | Deprecated | Deprecated |
| Content Encryption: AES/GCM | Yes | Yes | Yes | No | No | Yes | No | Yes | Yes |
| Content Encryption: AES/CBC | Deprecated | No | Deprecated | No | No | No | No | Deprecated | Deprecated |
For more information about authenticated and
encryption-only modes, see the Amazon S3 Client-Side Authenticated Encryption
