Amazon Web Services
General Reference (Version 1.0)

AWS SDK Support for Amazon S3 Client-Side Encryption

The following tables list the cryptographic algorithms and features that are supported by the language-specific AWS SDKs. For details about how to use the features for a particular SDK, see that SDK's developer guide.

If you are new to cryptography, see Cryptography Basics in the AWS Key Management Service Developer Guide to get familiar with terms and concepts.

Note

The AWS Encryption SDK is an encryption library that is separate from the language-specific SDKs. You can use this encryption library to more easily implement encryption best practices in your application. Unlike the Amazon S3 encryption clients in the language-specific AWS SDKs, the Encryption SDK is not tied to Amazon S3 and can be used to encrypt or decrypt data to be stored anywhere.

The Encryption SDK and the Amazon S3 encryption clients are not compatible because they produce ciphertexts with different data formats. For more details on the Encryption SDK, see the AWS Encryption SDK Developer Guide.

AWS SDK Features for Amazon S3 Client-Side Encryption

In the following table, each column indicates whether an AWS SDK for a specific language supports the features used in client-side encryption.

To use the Amazon S3 client-side encryption feature to encrypt data before uploading to Amazon S3, you must provide a master key to the Amazon S3 encryption client. You can provide a client-side master key or use the AWS KMS–managed master keys feature. The AWS KMS–managed master keys feature provides an easy way to create and manage keys used to encrypt data. For more details about these features, choose the links provided in the Feature column.

For details about how to use the features for a particular SDK, see the SDK's developer guide.

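| Feature | Java | .NET | Ruby v2 | CLI | Boto3 | PHP v3 | JavaScript | Go | C++ |
|---|---|---|---|---|---|---|---|---|---|
| Amazon S3 client-side encryption | Yes | Yes | Yes | No | No | No | No | Yes | Yes |
| AWS KMS–managed master keys | Yes | No | Yes | No | No | No | No | Yes | Yes |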

For more details about the Amazon S3 encryption client in each language-specific SDK that supports client-side encryption, see the following blog posts.

Amazon S3 Encryption Client Cryptographic Algorithms

The following table lists the algorithms that each language-specific AWS SDK supports for encrypting keys and data when using the Amazon S3 encryption client.

| Algorithm | Java | .NET | Ruby v2 | CLI | Boto3 | PHP v3 | JavaScript | Go | C++ |
|---|---|---|---|---|---|---|---|---|---|
| AES/ECB key wrap (not recommended) | Yes | Yes | Yes | No | No | No | No | No | No |
| AES/Wrap key wrap | Yes | No | No | No | No | No | No | No | Yes |
| RSA key wrap | Yes | No | Yes | No | No | No | No | No | No |
| AES/CBC content encryption (Encryption Only mode) | Yes | Yes | Yes | No | No | No | No | Yes | Yes |
| AES/GCM content encryption (Strict Authentication mode) | Yes | No | Yes | No | No | No | No | Yes | Yes |
| AES/CTR content encryption (Authenticated mode only used for decrypting in range GETs) | Yes | No | Yes | No | No | No | No | No | Yes |

For more details on Authenticated and Encryption-only modes, see the Amazon S3 Client-Side Authenticated Encryption blog post.