【Question title】: AWS Server-Side Encryption C#
【Posted】: 2017-05-16 10:43:59
【Question description】:

Hello, we are trying to use AWS S3 to upload files with encryption and to get their URLs.

We are using this code to upload:

using (var client = GetS3ClientConnection(AccessKey, SecretKey, RegionEndpoint))
{
    var request = new PutObjectRequest
    {
        BucketName = FilePathInS3,
        Key = FileNameInS3,
        ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256,
        ServerSideEncryptionCustomerProvidedKey = base64Key //= "Is this ServerSideEncryptionKeyManagementServiceKeyId?"
    };
    using (var ms = new MemoryStream(fileByteArray))
    {
        request.InputStream = ms;
        client.PutObject(request);
    }
}

And this to get it:

using (var client = GetS3ClientConnection(AccessKey, SecretKey, RegionEndpoint))
{
    GetPreSignedUrlRequest request = new GetPreSignedUrlRequest
    {
        BucketName = FilePathInS3,
        Key = FileNameInS3,
        Expires = 1,
        Protocol = Protocol.HTTP,
        ServerSideEncryptionKeyManagementServiceKeyId = "KEY"
    };
    url = client.GetPreSignedURL(request);
}

When we get the URL and try to access it, we get access denied invalid Key.

What is wrong? Please help.

【Question discussion】:

    Tags: c# amazon-web-services amazon-s3


    【Solution 1】:

    I think that in order to encrypt/decrypt with AmazonS3 and C#, you need to set the following properties of the PutObjectRequest and GetObjectRequest objects:

    • ServerSideEncryptionCustomerMethod = AES256
    • ServerSideEncryptionCustomerProvidedKey = base64(secretkey)
    • ServerSideEncryptionCustomerProvidedKeyMD5 = md5(base64(secretkey))

    C# code example:

        using System.IO;
        using Amazon;
        using Amazon.S3;
        using Amazon.S3.Model;

        var amazonS3Config = new AmazonS3Config();
        amazonS3Config.RegionEndpoint = RegionEndpoint.USEast1; // use your region endpoint
        var s3Client = new AmazonS3Client("your access key", "your secret key", amazonS3Config);
        PutObjectRequest request = new PutObjectRequest();
        request.BucketName = "your bucket name";
        request.Key = "your file key name";
        // open the existing local file for reading
        request.InputStream = File.Open(@"d:\SmallData\Doc1.pdf", FileMode.Open);
        // please generate your own keys
        String CustomerKey = "qsiFY0xPeBtZn55eaT6i/bFLgpkO30QKNucYMGlbnck=";
        String CustomerKeyMD5 = "RyOu+4ghh+CgGcPryIvPdw==";

        request.ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256;
        request.ServerSideEncryptionCustomerProvidedKey = CustomerKey;
        request.ServerSideEncryptionCustomerProvidedKeyMD5 = CustomerKeyMD5;
        s3Client.PutObject(request); // save the file encrypted to amazonS3
    

    Retrieving the encrypted content from AmazonS3:

        GetObjectRequest getRequest = new GetObjectRequest();
        getRequest.BucketName = "your bucket name";
        getRequest.Key = "your file key name";
        // the same key and MD5 used for the upload must be supplied again
        getRequest.ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256;
        getRequest.ServerSideEncryptionCustomerProvidedKey = CustomerKey;
        getRequest.ServerSideEncryptionCustomerProvidedKeyMD5 = CustomerKeyMD5;
        using (GetObjectResponse response = s3Client.GetObject(getRequest))
        {
            using (Stream test = response.ResponseStream)
            {
                // FileMode.Create truncates any previous result file
                using (FileStream file = new FileStream(@"d:\SmallData\result\test.pdf", FileMode.Create))
                {
                    // write the decrypted content to disk
                    test.CopyTo(file);
                }
            }
        }
    

    I hope this helps you. Some reference links about it are below: https://sprightlysoft.com/blog/?p=209 https://security.stackexchange.com/questions/111202/aws-s3-server-side-encryption-client-provided-keys-php http://docs.aws.amazon.com/AmazonS3/latest/dev/SSEUsingDotNetSDK.html

    【Discussion】:
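
The key material for the SSE-C properties discussed above, as an added example that is not part of the original question or answer: S3 expects the base64 of a raw 256-bit key, and the base64 of the MD5 digest of those raw key bytes. The class and method names are hypothetical; only .NET base class library calls are used, and nothing is sent to AWS.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; class and method names are hypothetical.
public static class SseCustomerKey
{
    // Base64 of the MD5 digest of the RAW key bytes (what S3 checks for SSE-C).
    public static string Md5OfRawKey(byte[] rawKey)
    {
        using (var md5 = MD5.Create())
            return Convert.ToBase64String(md5.ComputeHash(rawKey));
    }

    // Fresh random AES-256 key plus the matching MD5 value.
    public static (string Key, string KeyMd5) Generate()
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        return (Convert.ToBase64String(raw), Md5OfRawKey(raw));
    }

    // Local check of a key/MD5 pair before it goes into a request.
    public static bool IsValidPair(string key, string keyMd5, out string reason)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(key); }
        catch (FormatException) { reason = "key is not valid base64"; return false; }
        if (raw.Length != 32) { reason = "key decodes to " + raw.Length + " bytes, expected 32"; return false; }
        if (Md5OfRawKey(raw) != keyMd5) { reason = "MD5 does not match the raw key bytes"; return false; }
        reason = "ok";
        return true;
    }

    public static void Main()
    {
        var (key, md5) = Generate();
        Console.WriteLine(IsValidPair(key, md5, out var r1) + ": " + r1);

        // Hashing the base64 text instead of the decoded bytes gives a different digest.
        string md5OfText = Md5OfRawKey(Encoding.ASCII.GetBytes(key));
        Console.WriteLine(IsValidPair(key, md5OfText, out var r2) + ": " + r2);

        // A non-256-bit key (16 bytes here) is rejected on length.
        string shortKey = Convert.ToBase64String(new byte[16]);
        Console.WriteLine(IsValidPair(shortKey, md5, out var r3) + ": " + r3);
    }
}
```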
