I am trying to implement encryption in Amazon with custom keys. I am providing these 3 values in the header, as the documentation mentions:

    objectMetadata.setHeader("x-amz-server-side-encryption-customer-algorithm", ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION)
    objectMetadata.setHeader("x-amz-server-side-encryption-customer-key", key2)
    objectMetadata.setHeader("x-amz-server-side-encryption-customer-key-MD5", md5)

These 3 values are required in the header, but it's not encrypting files on the Amazon server. I am generating the customer key and the MD5 key with this code:

    import javax.crypto.Cipher
    import javax.crypto.SecretKey
    import javax.crypto.SecretKeyFactory
    import javax.crypto.spec.IvParameterSpec
    import javax.crypto.spec.PBEKeySpec
    import javax.crypto.spec.SecretKeySpec
    import java.util.Base64

    @Throws(Exception::class)
    fun encrypt(
        plaintext: ByteArray?,
        password: CharArray,
        key: SecretKey,      // not used inside the function; the key is derived from `password` below
        IV: ByteArray?,
        salt: ByteArray
    ): ByteArray? {
        val cipher = Cipher.getInstance("AES")
        // Derive a 256-bit key from the password with PBKDF2-HMAC-SHA1 (1324 iterations)
        val pbKeySpec = PBEKeySpec(password, salt, 1324, 256)
        val secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
        val keyBytes = secretKeyFactory.generateSecret(pbKeySpec).encoded
        val keySpec = SecretKeySpec(keyBytes, "AES")
        val ivSpec = IvParameterSpec(IV)
        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec)
        // Returns the AES ciphertext of `plaintext`, not the key itself
        return cipher.doFinal(plaintext)
    }

    // This is how I call the function and make the base64 customer key
    val key2 = Base64.getEncoder().encodeToString(encrypt(utf8, chr, key, iv, salt))

Then for the MD5 I am using this code to create the MD5 key:

    import java.nio.file.Files
    import java.nio.file.Paths
    import java.security.DigestInputStream
    import java.security.MessageDigest
    import java.util.Base64

    val md = MessageDigest.getInstance("MD5")

    // DigestInputStream only feeds bytes into `md` when read() is called;
    // the empty use-block reads nothing, so the file contents never reach the digest
    Files.newInputStream(Paths.get(files[j].path)).use { `is` ->
        DigestInputStream(`is`, md).use { }
    }

    // Finalizes the MD5 over the bytes of the file path string
    val digest: ByteArray = md.digest(files[j].path.encodeToByteArray())
    val md5 = Base64.getEncoder().encodeToString(digest)

The file is successfully uploading to the AWS server, but the file is not encrypted. I can't seem to figure out what the issue is.

Z-K-B
  • I'm wondering how you check whether the file is encrypted or not. If you go into your bucket with your account, which has all the rights to the KMS key and to do the decryption, you won't see anything different compared to what you would see without encryption. In order to check if an object is encrypted, you have to either go into the object properties and check if `Server-side encryption settings` is enabled, or assume a role which does not have the necessary permissions to decrypt the object. – Ervin Szilagyi Dec 24 '21 at 15:57
  • @Ervin thanks for the reply. Yes, server-side encryption is enabled. – Z-K-B Dec 24 '21 at 20:26
  • Basically I'm trying to download the file with its AES base64-encoded key from a .NET back end. It's not downloading with the key provided, but it's successfully downloaded and opened when not providing the key. – Z-K-B Dec 24 '21 at 20:28
  • Meanwhile I'm providing the key to the AWS S3 server. – Z-K-B Dec 24 '21 at 20:30
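For reference, here is how the three SSE-C header values are actually constructed. This is an added example, not the asker's code and not part of the AWS SDK: SSE-C expects a raw 256-bit (32-byte) key, base64-encoded, and the `-key-MD5` header is the base64-encoded MD5 of those same 32 raw key bytes. The key is not a password-derived ciphertext and the MD5 is not computed over the file or its path; S3 uses the MD5 only to detect a corrupted key in transit. The function names (`newSseCKey`, `sseCHeaders`, `validateSseCHeaders`) and the `SseCHeaders` class are my own; the code uses only the JDK.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64

// The three SSE-C header values for one object (hypothetical holder type).
data class SseCHeaders(val algorithm: String, val key: String, val keyMd5: String)

// SSE-C requires exactly 32 raw key bytes; generate them from a CSPRNG.
fun newSseCKey(random: SecureRandom = SecureRandom()): ByteArray =
    ByteArray(32).also { random.nextBytes(it) }

// Build the header values from the raw key. The "key" header is the base64
// of the raw bytes; the MD5 header is the base64 of MD5(raw key bytes).
fun sseCHeaders(rawKey: ByteArray): SseCHeaders {
    require(rawKey.size == 32) { "SSE-C key must be exactly 32 bytes, got ${rawKey.size}" }
    val md5 = MessageDigest.getInstance("MD5").digest(rawKey)  // over the key, not the file
    val b64 = Base64.getEncoder()
    return SseCHeaders(
        algorithm = "AES256",  // same string as ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION
        key = b64.encodeToString(rawKey),
        keyMd5 = b64.encodeToString(md5)
    )
}

// Client-side check mirroring S3's validation: the key must decode to 32 bytes
// and its MD5 must match the MD5 header. Catches the "wrong length" and
// "MD5 of something else" mistakes before the request leaves the client.
fun validateSseCHeaders(h: SseCHeaders): Boolean {
    val decoded = try { Base64.getDecoder().decode(h.key) } catch (e: IllegalArgumentException) { return false }
    if (decoded.size != 32) return false
    val expectedMd5 = Base64.getEncoder().encodeToString(MessageDigest.getInstance("MD5").digest(decoded))
    return h.algorithm == "AES256" &&
        MessageDigest.isEqual(expectedMd5.toByteArray(), h.keyMd5.toByteArray())
}

fun main() {
    val rawKey = newSseCKey()
    val headers = sseCHeaders(rawKey)
    check(validateSseCHeaders(headers))
    println("x-amz-server-side-encryption-customer-algorithm: ${headers.algorithm}")
    println("x-amz-server-side-encryption-customer-key: ${headers.key}")
    println("x-amz-server-side-encryption-customer-key-MD5: ${headers.keyMd5}")

    // A 48-byte value (e.g. an AES ciphertext block sequence) is rejected even with a
    // correct MD5, because SSE-C keys must be exactly 32 bytes.
    val tooLong = ByteArray(48)
    val badKey = Base64.getEncoder().encodeToString(tooLong)
    val badMd5 = Base64.getEncoder().encodeToString(MessageDigest.getInstance("MD5").digest(tooLong))
    check(!validateSseCHeaders(SseCHeaders("AES256", badKey, badMd5)))

    // S3 stores no copy of rawKey: persist it (or headers.key) somewhere safe, because every
    // GET or HEAD of the object must resend the same three headers or S3 rejects the request.
}
```

The `algorithm`, `key` and `keyMd5` values drop straight into the three `objectMetadata.setHeader(...)` calls from the question. The same key and MD5 must then be supplied on the download side (for the AWS SDK for Java v1, on the `GetObjectRequest`), which is why a download that omits them, or sends a key derived differently, does not succeed. With SDK v1 on the classpath you can also skip the hand-built headers entirely: `SSECustomerKey(base64Key)` passed to `PutObjectRequest.withSSECustomerKey(...)` and `GetObjectRequest.withSSECustomerKey(...)` computes the MD5 for you. A quick way to confirm the object was stored with SSE-C is that a successful PUT response carries `x-amz-server-side-encryption-customer-algorithm` and `x-amz-server-side-encryption-customer-key-MD5`.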

1 Answer

Are you adding these 3 keys in your header correctly?

    objectMetadata.setHeader("x-amz-server-side-encryption-customer-algorithm", ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION)
    objectMetadata.setHeader("x-amz-server-side-encryption-customer-key", key2)
    objectMetadata.setHeader("x-amz-server-side-encryption-customer-key-MD5", md5)

Abdullah