amazon s3 - AWS S3 SSE GetObject requires secret key


The idea is to generate a random key for every file being uploaded, pass the key to S3 in order to encrypt the file, and store the key in a database. Once a user wants to access the file, the key is read from the database and passed to S3 once again.

The first part works. Objects are uploaded and encrypted successfully, but I have issues retrieving them.

For retrieving files I tried with request headers set:

When setting request headers such as x-amz-server-side-encryption-customer-algorithm etc. while performing the request for the resource, it works, and I am able to access it. But since I want to use these resources as the src of an <img> tag, I cannot perform requests that require headers to be set.

Thus, I thought about:

Pre-signing URLs:

To create a pre-signed URL, I built the HMAC-SHA1 of the required string and used it as the signature. The calculated signature is accepted by S3, but I get the following error when requesting the pre-signed URL:

Requests specifying Server Side Encryption with Customer provided keys must provide the appropriate secret key.

The URL has the form:

https://s3-eu-west-1.amazonaws.com/bucket-id/resource-id?x-amz-server-side-encryption-customer-algorithm=AES256&AWSAccessKeyId=myaccesskey&Expires=1429939889&Signature=generatedsignature

The reason why the error is shown seems pretty clear to me. At no point in the signing process is the encryption key used. Thus, the request cannot work. As a result, I added the encryption key as base64, and its MD5 representation, as parameters to the URL. The URL now has the following format:

https://s3-eu-west-1.amazonaws.com/bucket-id/resource-id?x-amz-server-side-encryption-customer-algorithm=AES256&AWSAccessKeyId=myaccesskey&Expires=1429939889&Signature=generatedsignature&x-amz-server-side-encryption-customer-key=base64_key&x-amz-server-side-encryption-customer-key-MD5=md5_key

Although the key is present (IMHO), I get the same error message.

My question is: how can I access the encrypted files via a GET request that does not provide headers such as x-amz-server-side-encryption-customer-algorithm?

It seems intuitive enough to me that what I am trying should have worked.
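The following is an added illustration of the pre-signing the question describes; it is not code from the question. It builds a Signature Version 2 presigned GET (HMAC-SHA1 over the StringToSign, base64-encoded) and shows which parts of the resulting URL the signature actually covers. The credentials, bucket and object names are constructed, the query parameter names use the standard AWS casing (AWSAccessKeyId, Expires, Signature), and placing the customer-algorithm value in the signed x-amz section while the key and key-MD5 ride unsigned in the query string is an assumption about how the question's second URL was assembled.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed, non-functional credentials and names used only for illustration.
ACCESS_KEY = "AKIAEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
S3_HOST = "s3-eu-west-1.amazonaws.com"


def string_to_sign_v2(method, bucket, object_key, expires, amz_headers=None):
    """Build the Signature Version 2 StringToSign for a presigned URL.

    Layout: VERB \\n Content-MD5 \\n Content-Type \\n Expires \\n
            CanonicalizedAmzHeaders CanonicalizedResource
    Only x-amz-* values passed in amz_headers are covered by the signature;
    anything merely appended to the query string is unsigned.
    """
    canonical_amz = "".join(
        f"{name.lower()}:{value.strip()}\n"
        for name, value in sorted((amz_headers or {}).items())
    )
    return f"{method}\n\n\n{expires}\n{canonical_amz}/{bucket}/{object_key}"


def sign_v2(secret_key, string_to_sign):
    """HMAC-SHA1 over the StringToSign, base64-encoded, as in the question."""
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def presign_get_v2(bucket, object_key, expires, extra_query=None, amz_headers=None):
    """Return (url, string_to_sign) for a presigned GET.

    extra_query is appended verbatim and is NOT part of the signature; this is
    what the question's second URL does with the key and key-MD5 parameters.
    """
    sts = string_to_sign_v2("GET", bucket, object_key, expires, amz_headers)
    params = {
        "AWSAccessKeyId": ACCESS_KEY,
        "Expires": str(expires),
        "Signature": sign_v2(SECRET_KEY, sts),
    }
    params.update(extra_query or {})
    return f"https://{S3_HOST}/{bucket}/{object_key}?{urlencode(params)}", sts


def sse_c_query_params(raw_key):
    """The key material the question tried to carry in the URL (do not do this)."""
    return {
        "x-amz-server-side-encryption-customer-key": base64.b64encode(raw_key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(
            hashlib.md5(raw_key).digest()
        ).decode(),
    }


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed 256-bit key
    url, sts = presign_get_v2(
        "bucket-id", "resource-id", 1429939889,
        extra_query=sse_c_query_params(key),
        amz_headers={"x-amz-server-side-encryption-customer-algorithm": "AES256"},
    )
    print(url)
    print("StringToSign:\n" + sts)
    print("key covered by signature:", "customer-key" in sts)
```

Printing the StringToSign makes the problem visible: the signed material names the bucket, object, expiry and (under this assumption) the algorithm, but never the key, so appending the key to the query string adds nothing S3 can verify and exposes the key in every link and access-log line.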

Apparently, though, when the docs say "headers"...

You must provide encryption headers in your client application.

http://docs.aws.amazon.com/amazons3/latest/dev/serversideencryptioncustomerkeys.html#sse-c-how-to-programmatically-intro

... they indeed mean headers, and S3 doesn't accept these particular values when delivered as part of the query string, as you might expect, since S3 is usually flexible in that regard.

I've tested this, and that's the conclusion I've come to: what you're doing isn't supported.

A GET request with x-amz-server-side-encryption-customer-algorithm=AES256 included in the query string (and in the signature), along with the x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5 headers, works as expected... but, as I believe you've discovered, putting the key and key-MD5 in the query string, with or without including them in the signature, seems to be a dead end.

It seemed strange, at first, that they wouldn't allow it in the query string, since so many other things are allowed there... but then again, if you're going to the trouble of encrypting something, there seems little point in revealing the encryption key in a link... not to mention that the key would be captured in the S3 access logs, leaving the encryption seeming pointless all around -- and that is perhaps the motivation for requiring it to be sent in headers and not in the query string.

Based on what I've found in testing, though, I don't see a way to use encrypted objects with customer-provided keys in hyperlinks, directly.

Indirectly, of course, a reverse proxy in front of the S3 bucket could do the translation for you, taking the appropriate values from the query string and placing them in headers instead... but it's not clear to me what's gained by using customer-provided encryption keys for downloadable objects, compared to letting S3 handle at-rest encryption with AWS-managed keys. At-rest encryption is what you're getting either way.
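The reverse-proxy approach from the answer, combined with the per-file key database from the question, as an added example that is not part of either post. It derives the three SSE-C headers from a stored 256-bit key and maps a browser-facing path that carries only the object id onto an upstream S3 request that carries the key in headers, so the key never appears in a link, a referer, or an access log. The bucket URL, the path scheme /objects/<id>, the in-memory key store and the random sample key are all constructed for the example; authorising the upstream request itself (SDK credentials or a presigned URL) is assumed to be handled separately and is not shown.

```python
import base64
import hashlib
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumed bucket location, in the same form as the URLs in the question.
BUCKET_URL = "https://s3-eu-west-1.amazonaws.com/bucket-id"

# Constructed stand-in for the database the question describes: one random
# 256-bit key per stored object, indexed by the object's id.
KEY_STORE = {
    "resource-id": secrets.token_bytes(32),
}


def sse_c_headers(raw_key: bytes) -> dict:
    """Derive the three SSE-C headers S3 expects on PUT and GET for this key."""
    if len(raw_key) != 32:
        raise ValueError("SSE-C keys must be exactly 256 bits")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(raw_key).decode(),
        # base64 of the MD5 digest of the raw key bytes; lets S3 reject a
        # corrupted key before it attempts decryption.
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(
            hashlib.md5(raw_key).digest()
        ).decode(),
    }


def build_upstream_request(path: str, key_store: dict = KEY_STORE):
    """Map a proxy path like /objects/<id> to (upstream_url, headers).

    The browser-facing URL carries only the object id; the key is looked up
    server-side and moves into headers, so it is never part of a link and
    never lands in S3 access logs. Returns None for malformed paths and
    unknown ids so the handler can answer 404 without touching S3.
    """
    parts = urlparse(path).path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "objects" or not parts[1]:
        return None
    raw_key = key_store.get(parts[1])
    if raw_key is None:
        return None
    return f"{BUCKET_URL}/{parts[1]}", sse_c_headers(raw_key)


class SseCProxy(BaseHTTPRequestHandler):
    """Minimal GET-only proxy; <img src="/objects/resource-id"> hits this."""

    def do_GET(self):
        target = build_upstream_request(self.path)
        if target is None:
            self.send_error(404)
            return
        url, headers = target
        # Assumption: the upstream request is authorised by other means
        # (SDK credentials or a presigned URL); only the SSE-C headers are shown.
        try:
            with urlopen(Request(url, headers=headers)) as upstream:
                body = upstream.read()
                self.send_response(upstream.getcode())
                self.send_header(
                    "Content-Type",
                    upstream.headers.get("Content-Type", "application/octet-stream"),
                )
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
        except HTTPError as err:
            # Relay S3's status (e.g. 400 for a bad key) but not its body, so
            # nothing about the key material or the error detail reaches clients.
            self.send_error(err.code)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), SseCProxy).serve_forever()
```

Note that this only makes sense if the proxy enforces its own access control on /objects/<id>; the SSE-C key protects the object at rest in S3, and the proxy becomes the component that decides who may trigger a decryption.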

