Amazon Simple Storage Service
开发人员指南 (API 版本 2006-03-01)
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 Amazon AWS 入门

使用AWS SDK for Java指定服务器端加密

当您使用AWS SDK for Java上传对象时,可以使用服务器端加密为对象加密。要请求服务器端加密,请使用 PutObjectRequestObjectMetadata 属性设置 x-amz-server-side-encryption 请求标头。当您调用 AmazonS3ClientputObject() 方法时,Amazon S3 将加密并保存数据。

当使用分段上传 API 上传对象时,还可以请求服务器端加密:

  • 使用高级别分段上传 API 时,请在上传对象时使用 TransferManager 方法将服务器端加密应用于对象。可以使用将 ObjectMetadata 视为参数的任一上传方法。有关更多信息,请参阅 使用适用于分段上传的 AWS Java 开发工具包 (高级别 API)

  • 当使用低级别分段上传 API 时,应在启动分段上传时指定服务器端加密。您通过调用 InitiateMultipartUploadRequest.setObjectMetadata() 方法添加 ObjectMetadata 属性。有关更多信息,请参阅 上传文件

不能直接更改对象的加密状态 (加密未加密的对象或解密已加密的对象)。要更改对象的加密状态,请为对象创建一个副本,从而为副本指定所需的加密状态,然后删除原始对象。仅当您显式请求服务器端加密时,Amazon S3 才会加密复制的对象。要通过 Java API 请求加密复制的对象,请使用 ObjectMetadata 属性在 CopyObjectRequest 中指定服务器端加密。

例 示例

以下示例演示如何使用AWS SDK for Java设置服务器端加密。它展示了如何执行以下任务:

  • 使用服务器端加密上传新对象

  • 通过为对象创建副本来更改对象的加密状态 (本示例中为加密之前未加密的对象)

  • 检查对象的加密状态

有关服务器端加密的更多信息,请参阅使用 REST API 指定服务器端加密。有关创建和测试有效示例的说明,请参阅测试 Amazon S3 Java 代码示例

import java.io.ByteArrayInputStream; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3.AmazonS3; import com.amazonaws.services.s3.AmazonS3ClientBuilder; import com.amazonaws.services.s3.internal.SSEResultBase; import com.amazonaws.services.s3.model.CopyObjectRequest; import com.amazonaws.services.s3.model.CopyObjectResult; import com.amazonaws.services.s3.model.ObjectMetadata; import com.amazonaws.services.s3.model.PutObjectRequest; import com.amazonaws.services.s3.model.PutObjectResult; public class SpecifyServerSideEncryption { public static void main(String[] args) { String clientRegion = "*** Client region ***"; String bucketName = "*** Bucket name ***"; String keyNameToEncrypt = "*** Key name for an object to upload and encrypt ***"; String keyNameToCopyAndEncrypt = "*** Key name for an unencrypted object to be encrypted by copying ***"; String copiedObjectKeyName = "*** Key name for the encrypted copy of the unencrypted object ***"; try { AmazonS3 s3Client = AmazonS3ClientBuilder.standard() .withRegion(clientRegion) .withCredentials(new ProfileCredentialsProvider()) .build(); // Upload an object and encrypt it with SSE. uploadObjectWithSSEEncryption(s3Client, bucketName, keyNameToEncrypt); // Upload a new unencrypted object, then change its encryption state // to encrypted by making a copy. changeSSEEncryptionStatusByCopying(s3Client, bucketName, keyNameToCopyAndEncrypt, copiedObjectKeyName); } catch(AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it, so it returned an error response. e.printStackTrace(); } catch(SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } private static void uploadObjectWithSSEEncryption(AmazonS3 s3Client, String bucketName, String keyName) { String objectContent = "Test object encrypted with SSE"; // Specify server-side encryption. ObjectMetadata objectMetadata = new ObjectMetadata(); objectMetadata.setContentLength(objectContent.length()); objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION); PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, new ByteArrayInputStream(objectContent.getBytes()), objectMetadata); // Upload the object and check its encryption status. PutObjectResult putResult = s3Client.putObject(putRequest); System.out.println("Object \"" + keyName + "\" uploaded with SSE."); printEncryptionStatus(putResult); } private static void changeSSEEncryptionStatusByCopying(AmazonS3 s3Client, String bucketName, String sourceKey, String destKey) { // Upload a new, unencrypted object. PutObjectResult putResult = s3Client.putObject(bucketName, sourceKey, "Object example to encrypt by copying"); System.out.println("Unencrypted object \"" + sourceKey + "\" uploaded."); printEncryptionStatus(putResult); // Make a copy of the object and use server-side encryption when storing the copy. CopyObjectRequest request = new CopyObjectRequest(bucketName, sourceKey, bucketName, destKey); ObjectMetadata objectMetadata = new ObjectMetadata(); objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION); request.setNewObjectMetadata(objectMetadata); // Perform the copy operation and display the copy's encryption status. CopyObjectResult response = s3Client.copyObject(request); System.out.println("Object \"" + destKey + "\" uploaded with SSE."); printEncryptionStatus(response); // Delete the original, unencrypted object, leaving only the encrypted copy in Amazon S3. s3Client.deleteObject(bucketName, sourceKey); System.out.println("Unencrypted object \"" + sourceKey + "\" deleted."); } private static void printEncryptionStatus(SSEResultBase response) { String encryptionStatus = response.getSSEAlgorithm(); if(encryptionStatus == null) { encryptionStatus = "Not encrypted with SSE"; } System.out.println("Object encryption status is: " + encryptionStatus); } }