Client-side encryption for S3
You can find the source on GitHub.
- Python 3.6+
Note
If you have not already installed cryptography, you might need to install additional prerequisites as detailed in the cryptography installation guide for your operating system.
$ pip install s3-encryption-sdk
import boto3
from s3_encryption_sdk import EncryptedClient
from s3_encryption_sdk.materials_providers import KmsMaterialsProvider
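# Materials provider backed by a KMS key. "alias/YourAlias" is a placeholder:
# replace it with the alias (or key id) of a key your credentials may use.
materials_provider = KmsMaterialsProvider(
    key_id="alias/YourAlias",
    client=boto3.client("kms", region_name="us-east-1"),
)

# Plain S3 client: objects fetched through it come back exactly as stored.
s3 = boto3.client("s3", region_name="us-east-1")

# Encrypting wrapper around the same S3 client; put/get calls made through it
# use the materials provider above.
crypto_s3 = EncryptedClient(
    client=s3,
    materials_provider=materials_provider,
)

# NOTE(review): `bucket` is not defined in this snippet. It is presumably an
# existing boto3 Bucket resource created beforehand; confirm before running.
key = "4711"
plaintext = "foo bar"

crypto_s3.put_object(
    Bucket=bucket.name,
    Key=key,
    Body=plaintext,
)

# Fetch the object under the same key it was uploaded with, once through the
# plain client (stored form) and once through the encrypting client.
encrypted_obj = s3.get_object(
    Bucket=bucket.name,
    Key=key,
)
decrypted_obj = crypto_s3.get_object(
    Bucket=bucket.name,
    Key=key,
)

# The stored body is compared as bytes: ciphertext is arbitrary binary and is
# not guaranteed to decode as UTF-8, so decoding it could raise instead of
# showing that the stored data differs from the plaintext.
assert plaintext.encode("utf8") != encrypted_obj["Body"].read()
# Reading through the encrypting client must round-trip to the original text.
assert plaintext == decrypted_obj["Body"].read().decode("utf8")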