最近更新时间:2025-01-03 17:16:18
KS3目前支持两种方式管理加密密钥:
使用KS3托管密钥的服务器端加密 (SSE-S3):由KS3服务端自动生成密钥,并使用256位高级加密标准 (AES-256) 加密您的数据。
使用客户提供密钥的服务器端加密 (SSE-C):由客户自行提供和管理密钥,上传文件时客户需提供密钥,操作或下载文件时客户也需提供正确的密钥才能访问成功。
本文主要介绍客户提供密钥的服务器端加密 (SSE-C) 使用示例。
请妥善保管自己的密钥,如果密钥丢失,将无法解密数据。
上传文件及获取文件时均需设置加密密钥,密钥长度要求为 16/24/32 字节。
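/**
 * Walks through server-side encryption with a customer-provided key (SSE-C): puts, heads and
 * gets one object, runs a multipart upload for a second object, then copies that object,
 * setting the same customer key on each request that accepts one.
 *
 * <p>The service does not keep the key for you: the same key has to be supplied again to read
 * the data back, and data written under a key that is later lost cannot be decrypted.
 *
 * @throws IOException if reading or closing the downloaded object content fails
 * @throws IllegalArgumentException if the encoded key is not 16, 24 or 32 bytes long
 */
public void serverSideEncryptionWithCustomerKeySample() throws IOException {
    // Initialise the ks3 client; see the "initialisation" document.
    // NOTE(review): the customer key accompanies the requests below, so the client should
    // reach KS3 over HTTPS - confirm in initClient().
    Ks3Client ks3Client = initClient();
    String bucketName = "<your-bucket>";
    String objectKey = "sse-test-object-with-customer-key";

    // Sample only: a key typed into source ends up in version control and build artifacts, and
    // a key made of printable text is far easier to guess than random bytes. In real use,
    // generate the key with java.security.SecureRandom and load it from a secret store at runtime.
    String sseCustomerKeyStr = "<your-encryption-key>";
    byte[] sseCustomerKeyBytes = sseCustomerKeyStr.getBytes(StandardCharsets.UTF_8);
    // The 16/24/32 requirement applies to the encoded bytes handed to SSECustomerKey; a
    // non-ASCII character takes several bytes in UTF-8, so the string length can mislead.
    int keyLength = sseCustomerKeyBytes.length;
    if (keyLength != 16 && keyLength != 24 && keyLength != 32) {
        // Report the length only; the key itself must never appear in a message or log.
        throw new IllegalArgumentException("SSE-C key must be 16, 24 or 32 bytes, got " + keyLength);
    }
    SSECustomerKey sseCustomerKey = new SSECustomerKey(sseCustomerKeyBytes);

    byte[] bytes = "this is a test file".getBytes(StandardCharsets.UTF_8);
    PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName, objectKey, new ByteArrayInputStream(bytes));
    // Set the encryption key.
    putObjectRequest.setSseCustomerKey(sseCustomerKey);
    PutObjectResult putObjectResult = ks3Client.putObject(putObjectRequest);
    System.out.println(putObjectResult);
    System.out.println("customer algorithm: " + putObjectResult.getSseCustomerAlgorithm());
    // Presumably a digest of the key, useful for confirming which key the service saw. With a
    // guessable key it would let anyone holding the log test guesses offline, so keep it out
    // of production logs.
    System.out.println("customer key md5: " + putObjectResult.getSseCustomerKeyMD5());

    // head object
    HeadObjectRequest headObjectRequest = new HeadObjectRequest(bucketName, objectKey);
    // Set the encryption key.
    headObjectRequest.setSseCustomerKey(sseCustomerKey);
    HeadObjectResult headObjectResult = ks3Client.headObject(headObjectRequest);
    System.out.println("customer algorithm: " + headObjectResult.getObjectMetadata().getSseCustomerAlgorithm());
    System.out.println("customer key md5: " + headObjectResult.getObjectMetadata().getSseCustomerKeyMD5());

    // get object
    GetObjectRequest getObjectRequest = new GetObjectRequest(bucketName, objectKey);
    // Set the encryption key.
    getObjectRequest.setSseCustomerKey(sseCustomerKey);
    GetObjectResult object = ks3Client.getObject(getObjectRequest);
    System.out.println(object);
    // try-with-resources closes the content stream even when reading it throws, so a failed
    // read does not leave the stream (and whatever it holds open) behind.
    try (AutoAbortInputStream objectContent = object.getObject().getObjectContent()) {
        String content = IOUtils.toString(objectContent, StandardCharsets.UTF_8);
        System.out.println("object content: " + content);
        System.out.println("customer algorithm: " + object.getObject().getObjectMetadata().getSseCustomerAlgorithm());
        System.out.println("customer key md5: " + object.getObject().getObjectMetadata().getSseCustomerKeyMD5());
    }

    // init multipart upload
    String objectKey2 = "sse-test-object-2";
    InitiateMultipartUploadRequest initiateMultipartUploadRequest = new InitiateMultipartUploadRequest(bucketName, objectKey2);
    // Set the encryption key.
    initiateMultipartUploadRequest.setSseCustomerKey(sseCustomerKey);
    InitiateMultipartUploadResult initiateMultipartUploadResult = ks3Client.initiateMultipartUpload(initiateMultipartUploadRequest);
    String uploadId = initiateMultipartUploadResult.getUploadId();
    System.out.println("upload id: " + uploadId);
    System.out.println("customer algorithm: " + initiateMultipartUploadResult.getSseCustomerAlgorithm());
    System.out.println("customer key md5: " + initiateMultipartUploadResult.getSseCustomerKeyMD5());

    // upload part
    UploadPartRequest uploadPartRequest = new UploadPartRequest(bucketName, objectKey2, uploadId, 1, new ByteArrayInputStream(bytes), bytes.length);
    // Set the encryption key; it is the same key that was given when the upload was initiated.
    uploadPartRequest.setSseCustomerKey(sseCustomerKey);
    PartETag partETag = ks3Client.uploadPart(uploadPartRequest);
    System.out.println("customer algorithm: " + partETag.getSseCustomerAlgorithm());
    System.out.println("customer key md5: " + partETag.getSseCustomerKeyMD5());

    // complete multipart upload (no key is set on this request in the sample)
    CompleteMultipartUploadRequest completeMultipartUploadRequest = new CompleteMultipartUploadRequest(bucketName, objectKey2, uploadId, Arrays.asList(partETag));
    CompleteMultipartUploadResult completeMultipartUploadResult = ks3Client.completeMultipartUpload(completeMultipartUploadRequest);
    System.out.println("customer algorithm: " + completeMultipartUploadResult.getSseCustomerAlgorithm());
    System.out.println("customer key md5: " + completeMultipartUploadResult.getSseCustomerKeyMD5());

    // copy object
    CopyObjectRequest copyObjectRequest = new CopyObjectRequest(bucketName, objectKey2 + "-copy", bucketName, objectKey2);
    // Set the key that the source object was encrypted with.
    copyObjectRequest.setSourceSSECustomerKey(sseCustomerKey);
    // Set the key for the destination object; this sample reuses the source key.
    copyObjectRequest.setDestinationSSECustomerKey(sseCustomerKey);
    CopyResult copyResult = ks3Client.copyObject(copyObjectRequest);
    System.out.println("copy result: " + copyResult);
}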