Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Add Client Side Encryption to S3 client
See original GitHub issueDescribe the feature
While there is support for client-side encryption in other popular language SDKs like Java, Go or C++ (https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html) for encrypting data before it’s sent to AWS S3 this is not supported by boto3 (Python3).
The documentation does talk about using the Encryption SDK (https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html), but this is produces a different data format:
The AWS Encryption SDK and the Amazon S3 encryption clients are not compatible because they produce ciphertexts with different data formats. For more information about the AWS Encryption SDK, see the AWS Encryption SDK Developer Guide.
(https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html)
Use Case
With no support for the otherwise common format for client side encryption, that is used for other language SDKs, it’s not possible to e.g. write encrypted objects via Java and to read them back via a Python3 client using boto3.
Also there are quite a few tools using boto3 as S3 client library which would then allow for client side encryption to be used:
- Most prominently the AWS CLI
- Ansible https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html
- OpenStack Cinder Backup driver for S3 https://docs.openstack.org/cinder/latest/configuration/block-storage/backup/s3-backup-driver.html
- …
Proposed Solution
There have been attempts to wrap the boto3 client and to add client encryption externally, like
- @boldfield implemented via https://github.com/boldfield/s3-encryption, continued by @stephensorriaux (https://github.com/StephenSorriaux/s3-encryption)
- @terrycain added this for aioboto3, see https://github.com/terrycain/aioboto3/blob/07d6cea1214a9bb6529f334e375134554ad7ab58/README.rst#amazon-s3-client-side-encryption, unfortunately only for KMS managed keys yet
- …
Proposed solution would be to have this feature natively provided by boto3 and to make the SDKs compatible in this regard.
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
SDK version used
any
Environment details (OS name and version, etc.)
Linux
Issue Analytics
- State:
- Created a year ago
- Reactions:3
- Comments:6 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Hi @frittentheke thanks for following up. There is no public roadmap for this to my knowledge. But the Cryptography team said this feature isn’t likely to be implemented in the immediate future. I recommend reaching out through AWS Support to seek more information as needed.
Thanks @frittentheke for the feature request. The cryptography team is working towards taking ownership of the S3 Encryption Client implementations in various languages. Supporting boto3 is on their roadmap but they don’t have a concrete timeline as of yet.