使用 Amazon SDK 加密 Amazon S3 对象入门
下面的代码示例显示如何开始 Amazon S3 对象的加密。
- .NET
-
- Amazon SDK for .NET
-
注意
在 GitHub 上查看更多内容。查找完整示例,学习如何在 Amazon 代码示例存储库
中进行设置和运行。 using System; using System.IO; using System.Security.Cryptography; using System.Threading.Tasks; using Amazon.S3; using Amazon.S3.Model; /// <summary> /// This example shows how to apply client encryption to an object in an /// Amazon Simple Storage Service (Amazon S3) bucket. /// </summary> public class SSEClientEncryption { public static async Task Main() { string bucketName = "doc-example-bucket"; string keyName = "exampleobject.txt"; string copyTargetKeyName = "examplecopy.txt"; // If the AWS Region defined for your default user is different // from the Region where your Amazon S3 bucket is located, // pass the Region name to the Amazon S3 client object's constructor. // For example: RegionEndpoint.USWest2. IAmazonS3 client = new AmazonS3Client(); try { // Create an encryption key. Aes aesEncryption = Aes.Create(); aesEncryption.KeySize = 256; aesEncryption.GenerateKey(); string base64Key = Convert.ToBase64String(aesEncryption.Key); // Upload the object. PutObjectRequest putObjectRequest = await UploadObjectAsync(client, bucketName, keyName, base64Key); // Download the object and verify that its contents match what you uploaded. await DownloadObjectAsync(client, bucketName, keyName, base64Key, putObjectRequest); // Get object metadata and verify that the object uses AES-256 encryption. await GetObjectMetadataAsync(client, bucketName, keyName, base64Key); // Copy both the source and target objects using server-side encryption with // an encryption key. await CopyObjectAsync(client, bucketName, keyName, copyTargetKeyName, aesEncryption, base64Key); } catch (AmazonS3Exception ex) { Console.WriteLine($"Error: {ex.Message}"); } } /// <summary> /// Uploads an object to an Amazon S3 bucket. /// </summary> /// <param name="client">The initialized Amazon S3 client object used to call /// PutObjectAsync.</param> /// <param name="bucketName">The name of the Amazon S3 bucket to which the /// object will be uploaded.</param> /// <param name="keyName">The name of the object to upload to the Amazon S3 /// bucket.</param> /// <param name="base64Key">The encryption key.</param> /// <returns>The PutObjectRequest object for use by DownloadObjectAsync.</returns> public static async Task<PutObjectRequest> UploadObjectAsync( IAmazonS3 client, string bucketName, string keyName, string base64Key) { PutObjectRequest putObjectRequest = new PutObjectRequest { BucketName = bucketName, Key = keyName, ContentBody = "sample text", ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256, ServerSideEncryptionCustomerProvidedKey = base64Key, }; PutObjectResponse putObjectResponse = await client.PutObjectAsync(putObjectRequest); return putObjectRequest; } /// <summary> /// Downloads an encrypted object from an Amazon S3 bucket. /// </summary> /// <param name="client">The initialized Amazon S3 client object used to call /// GetObjectAsync.</param> /// <param name="bucketName">The name of the Amazon S3 bucket where the object /// is located.</param> /// <param name="keyName">The name of the Amazon S3 object to download.</param> /// <param name="base64Key">The encryption key used to encrypt the /// object.</param> /// <param name="putObjectRequest">The PutObjectRequest used to upload /// the object.</param> public static async Task DownloadObjectAsync( IAmazonS3 client, string bucketName, string keyName, string base64Key, PutObjectRequest putObjectRequest) { GetObjectRequest getObjectRequest = new GetObjectRequest { BucketName = bucketName, Key = keyName, // Provide encryption information for the object stored in Amazon S3. ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256, ServerSideEncryptionCustomerProvidedKey = base64Key, }; using (GetObjectResponse getResponse = await client.GetObjectAsync(getObjectRequest)) using (StreamReader reader = new StreamReader(getResponse.ResponseStream)) { string content = reader.ReadToEnd(); if (string.Compare(putObjectRequest.ContentBody, content) == 0) { Console.WriteLine("Object content is same as we uploaded"); } else { Console.WriteLine("Error...Object content is not same."); } if (getResponse.ServerSideEncryptionCustomerMethod == ServerSideEncryptionCustomerMethod.AES256) { Console.WriteLine("Object encryption method is AES256, same as we set"); } else { Console.WriteLine("Error...Object encryption method is not the same as AES256 we set"); } } } /// <summary> /// Retrieves the metadata associated with an Amazon S3 object. /// </summary> /// <param name="client">The initialized Amazon S3 client object used /// to call GetObjectMetadataAsync.</param> /// <param name="bucketName">The name of the Amazon S3 bucket containing the /// object for which we want to retrieve metadata.</param> /// <param name="keyName">The name of the object for which we wish to /// retrieve the metadata.</param> /// <param name="base64Key">The encryption key associated with the /// object.</param> public static async Task GetObjectMetadataAsync( IAmazonS3 client, string bucketName, string keyName, string base64Key) { GetObjectMetadataRequest getObjectMetadataRequest = new GetObjectMetadataRequest { BucketName = bucketName, Key = keyName, // The object stored in Amazon S3 is encrypted, so provide the necessary encryption information. ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256, ServerSideEncryptionCustomerProvidedKey = base64Key, }; GetObjectMetadataResponse getObjectMetadataResponse = await client.GetObjectMetadataAsync(getObjectMetadataRequest); Console.WriteLine("The object metadata show encryption method used is: {0}", getObjectMetadataResponse.ServerSideEncryptionCustomerMethod); } /// <summary> /// Copies an encrypted object from one Amazon S3 bucket to another. /// </summary> /// <param name="client">The initialized Amazon S3 client object used to call /// CopyObjectAsync.</param> /// <param name="bucketName">The Amazon S3 bucket containing the object /// to copy.</param> /// <param name="keyName">The name of the object to copy.</param> /// <param name="copyTargetKeyName">The Amazon S3 bucket to which the object /// will be copied.</param> /// <param name="aesEncryption">The encryption type to use.</param> /// <param name="base64Key">The encryption key to use.</param> public static async Task CopyObjectAsync( IAmazonS3 client, string bucketName, string keyName, string copyTargetKeyName, Aes aesEncryption, string base64Key) { aesEncryption.GenerateKey(); string copyBase64Key = Convert.ToBase64String(aesEncryption.Key); CopyObjectRequest copyRequest = new CopyObjectRequest { SourceBucket = bucketName, SourceKey = keyName, DestinationBucket = bucketName, DestinationKey = copyTargetKeyName, // Information about the source object's encryption. CopySourceServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256, CopySourceServerSideEncryptionCustomerProvidedKey = base64Key, // Information about the target object's encryption. ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256, ServerSideEncryptionCustomerProvidedKey = copyBase64Key, }; await client.CopyObjectAsync(copyRequest); } }-
有关 API 详细信息,请参阅《Amazon SDK for .NET API 参考》中的以下主题。
-
有关 Amazon SDK 开发人员指南和代码示例的完整列表,请参阅 将此服务与 Amazon SDK 结合使用。本主题还包括有关入门的信息以及有关先前的 SDK 版本的详细信息。
开始使用桶和对象
标签入门