AWS SDK support for Amazon S3 client-side encryption - AWS General Reference

AWS SDK support for Amazon S3 client-side encryption

The following tables list the cryptographic algorithms and features that are supported by the language-specific AWS SDKs. For information about how to use the features for a particular SDK, see the developer guide for that SDK.

If you are new to cryptography, see Cryptography Basics in the AWS Key Management Service Developer Guide to get familiar with terms and concepts.

Note

The AWS Encryption SDK is an encryption library that is separate from the language-specific SDKs. You can use this encryption library to more easily implement encryption best practices in Amazon S3. Unlike the Amazon S3 encryption clients in the language-specific AWS SDKs, the AWS Encryption SDK is not tied to Amazon S3 and can be used to encrypt or decrypt data to be stored anywhere.

The AWS Encryption SDK and the Amazon S3 encryption clients are not compatible because they produce ciphertexts with different data formats. For more information about the AWS Encryption SDK, see the AWS Encryption SDK Developer Guide.

AWS SDK features for Amazon S3 client-side encryption

To use the Amazon S3 client-side encryption feature to encrypt data before uploading to Amazon S3, you must provide a master key to the Amazon S3 encryption client. You can provide a client-side master key or use the AWS Key Management Service (AWS KMS)–managed master keys feature. The AWS KMS–managed master keys feature provides an easy way to create and manage keys that are used to encrypt data. For more information about these features, choose the links provided in the Feature column.

For details about how to use the features for a particular SDK, see the SDK's developer guide.

In the following table, each column indicates whether the AWS Command Line Interface or SDK for a specific language supports the features used in client-side encryption.

Feature                           Java  .NET  Ruby v2  AWS CLI  Boto3  PHP v3  JavaScript  Go   C++
Amazon S3 client-side encryption  Yes   Yes   Yes      No       No     Yes     No          Yes  Yes
AWS KMS–managed master keys       Yes   Yes   Yes      No       No     Yes     No          Yes  Yes

For information about the v2 Amazon S3 encryption clients that support client-side encryption, see our blog post about Updates to the Amazon S3 Encryption Client.

For more details about the legacy v1 Amazon S3 encryption client, see the following blog posts.

Amazon S3 encryption client cryptographic algorithms

The following table lists the algorithms that each language-specific AWS SDK supports for encrypting keys and data when using the Amazon S3 encryption client.

Algorithm                      Java        .NET        Ruby v2     AWS CLI  Boto3  PHP v3      JavaScript  Go          C++
Key Wrap: RSA-OAEP-SHA1        Yes         Yes         Yes         No       No     No          No          No          No
Key Wrap: AES/GCM              Yes         Yes         Yes         No       No     No          No          No          Yes
Key Wrap: KMS+context          Yes         Yes         Yes         No       No     Yes         No          Yes         Yes
Key Wrap: AES/ECB              Deprecated  Deprecated  Deprecated  No       No     No          No          No          No
Key Wrap: AESWrap              Deprecated  Deprecated  Deprecated  No       No     No          No          No          Deprecated
Key Wrap: RSA                  Deprecated  No          Deprecated  No       No     No          No          No          No
Key Wrap: KMS                  Deprecated  Deprecated  Deprecated  No       No     Deprecated  No          Deprecated  Deprecated
Content Encryption: AES/GCM    Yes         Yes         Yes         No       No     Yes         No          Yes         Yes
Content Encryption: AES/CBC    Deprecated  No          Deprecated  No       No     No          No          Deprecated  Deprecated

For more information about authenticated and encryption-only modes, see the Amazon S3 Client-Side Authenticated Encryption blog post.
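The envelope model behind both tables, as an added example that is not code from this page, from the AWS SDKs or from the AWS Encryption SDK: a Go program using only the standard library plays out the roles of three rows of the algorithm table. A client-side master key (here an RSA key pair) wraps a fresh per-object data key (the Key Wrap: RSA-OAEP-SHA1 row), AES/GCM encrypts and authenticates the object body (the Content Encryption: AES/GCM row), and the deprecated, encryption-only AES/CBC content mode is run beside it on the same corrupted ciphertext to show the difference the blog post linked above describes. The struct layout, the function names and the sample body are assumptions of this example; the real encryption clients' metadata layout and wire format are not reproduced, and the table above, not this code, says which SDK supports which algorithm.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// EncryptedObject: what is stored beside the ciphertext (the S3 clients keep it
// in object metadata or an instruction file; this struct layout is assumed).
type EncryptedObject struct {
	WrappedKey []byte // data key under the master key ("Key Wrap: RSA-OAEP-SHA1")
	IV         []byte // AES-GCM nonce
	Body       []byte // "Content Encryption: AES/GCM" ciphertext plus tag
}

// random returns n CSPRNG bytes; a failing crypto/rand is not recoverable here.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds an AES-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt: fresh 256-bit data key per object, AES-GCM for the body, RSA-OAEP
// with SHA-1 (the table's RSA-OAEP-SHA1 row) to wrap that key under the master.
func Encrypt(master *rsa.PublicKey, plaintext []byte) (*EncryptedObject, error) {
	dataKey, iv := random(32), random(12)
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, master, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedKey: wrapped, IV: iv, Body: gcm.Seal(nil, iv, plaintext, nil)}, nil
}

// Decrypt unwraps the data key with the master private key and opens the body;
// any change to IV, ciphertext or tag makes gcm.Open return an error.
func Decrypt(master *rsa.PrivateKey, obj *EncryptedObject) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, master, obj.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.IV, obj.Body, nil)
}

// EnvelopeDemo round-trips plaintext through the envelope, then flips one byte
// of the first ciphertext block and reports whether AES/GCM rejects the object
// and whether the deprecated AES/CBC content mode does. plaintext must be at
// least one AES block long so the CBC padding block is not the corrupted one.
func EnvelopeDemo(plaintext []byte) (gcmRejected, cbcRejected bool, err error) {
	if len(plaintext) < aes.BlockSize {
		return false, false, fmt.Errorf("plaintext too short for the demonstration")
	}
	master, err := rsa.GenerateKey(rand.Reader, 2048) // the client-side master key
	if err != nil {
		return false, false, err
	}
	obj, err := Encrypt(&master.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	if got, err := Decrypt(master, obj); err != nil || !bytes.Equal(got, plaintext) {
		return false, false, fmt.Errorf("round trip failed: %v", err)
	}
	obj.Body[0] ^= 0x01 // simulate a corrupted or modified stored object
	_, err = Decrypt(master, obj)
	gcmRejected = err != nil
	// Deprecated AES/CBC content mode, for contrast: PKCS#7 padding and no tag,
	// so the padding byte is the only thing a decryptor can check.
	block, _ := aes.NewCipher(random(32)) // 32-byte key, so NewCipher cannot fail
	iv, pad := random(aes.BlockSize), aes.BlockSize-len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	ct[0] ^= 0x01 // the same corruption as above
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	cbcRejected = pt[len(pt)-1] == 0 || int(pt[len(pt)-1]) > aes.BlockSize // else garbage is returned
	return gcmRejected, cbcRejected, nil
}

func main() {
	gcm, cbc, err := EnvelopeDemo([]byte("constructed sample object body, long enough to span several AES blocks"))
	fmt.Println("AES/GCM rejected corruption:", gcm, "| AES/CBC rejected corruption:", cbc, "| error:", err)
}
```

Running it prints that AES/GCM rejected the corrupted object while AES/CBC returned a result with no error: without a tag, the padding byte is the only check CBC offers, and one flipped ciphertext byte leaves it intact. That missing integrity check is the practical difference between the authenticated AES/GCM row and the encryption-only AES/CBC row; the example uses an RSA master key only because RSA-OAEP-SHA1 is a row in the table, and the KMS-managed path differs only in who holds and performs the key wrap.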