客户端数据加密

最近更新时间:2022-07-25

客户端加密是指将数据发送到UOS之前在用户本地进行加密。

免责声明

使用客户端加密功能时,您需要对主密钥的完整性和正确性负责。因您维护不当导致主密钥用错或丢失,从而导致加密数据无法解密所引起的一切损失和后果均由您自行承担。

在对加密数据进行复制或者迁移时,您需要对加密元信息的完整性和正确性负责。因您维护不当导致加密元信息出错或丢失,从而导致加密数据无法解密所引起的一切损失和后果均由您自行承担。

加密方式

目前仅支持用户自主管理的主密钥。请注意:下文示例代码每次调用都会随机生成一个新的主密钥,且不会返回或持久化该密钥,因此示例中加密的数据在进程退出后将无法再解密;实际使用时应加载您自行安全保存的主密钥(如密钥库、KMS/HSM),并确保传输过程中不要关闭 TLS 证书校验。

创建加密客户端

创建AES256加密客户端

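/**
 * Creates a client-side encryption client backed by a freshly generated AES-256 master key.
 *
 * The key generated here is the only thing that can decrypt objects written through the
 * returned client, and this method neither returns nor persists it: once the JVM exits the
 * data is unrecoverable. Use the overload that accepts a {@link SecretKey} with a key you
 * have stored securely (keystore, KMS/HSM, secrets manager) for anything beyond a demo.
 *
 * @param accessKey access key ID used to sign requests
 * @param secretKey access key secret used to sign requests (this is NOT the data encryption key)
 * @param endPoint  service endpoint host, contacted over HTTPS
 * @return an S3 client that encrypts object content locally before upload
 * @throws NoSuchAlgorithmException if the JRE offers no AES KeyGenerator
 */
public static AmazonS3Encryption getEncryptionS3ClientAES256(String accessKey, String secretKey, String endPoint) throws NoSuchAlgorithmException {
    // A new random key on every call: the caller must export and safeguard it (see the disclaimer).
    KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
    keyGenerator.init(256);
    SecretKey aes256Key = keyGenerator.generateKey();
    return getEncryptionS3ClientAES256(accessKey, secretKey, endPoint, aes256Key);
}

/**
 * Creates a client-side encryption client using a caller-supplied AES master key.
 *
 * @param accessKey access key ID used to sign requests
 * @param secretKey access key secret used to sign requests
 * @param endPoint  service endpoint host, contacted over HTTPS
 * @param aes256Key the AES master key (256-bit recommended) that wraps each object's content key
 * @return an S3 client that encrypts object content locally before upload
 * @throws IllegalArgumentException if {@code aes256Key} is null or is not an AES key
 */
public static AmazonS3Encryption getEncryptionS3ClientAES256(String accessKey, String secretKey, String endPoint, SecretKey aes256Key) {
    if (aes256Key == null || !"AES".equals(aes256Key.getAlgorithm())) {
        throw new IllegalArgumentException("master key must be a non-null AES key");
    }

    // TLS certificate validation is deliberately left ON. The earlier version of this sample set
    // SDKGlobalConfiguration.DISABLE_CERT_CHECKING_SYSTEM_PROPERTY to "true", which lets any
    // on-path attacker impersonate the endpoint: object content stays encrypted, but object
    // names, listings and every other request/response could be read or tampered with.
    ClientConfiguration clientConfiguration = new ClientConfiguration();
    clientConfiguration.setProtocol(Protocol.HTTPS);
    BasicAWSCredentials cred = new BasicAWSCredentials(accessKey, secretKey);

    // AuthenticatedEncryption (AES-GCM) detects modification of stored ciphertext on read;
    // EncryptionOnly (AES-CBC) offers no integrity check. AuthenticatedEncryption can still read
    // objects that were written in EncryptionOnly mode. NOTE(review): depending on the SDK/JDK
    // version this mode may need the Bouncy Castle provider on the classpath — verify in your environment.
    CryptoConfiguration cryptoConfiguration = new CryptoConfiguration()
            .withCryptoMode(CryptoMode.AuthenticatedEncryption);

    return AmazonS3EncryptionClientBuilder.standard()
            .withCredentials(new AWSStaticCredentialsProvider(cred))
            .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endPoint))
            .withClientConfiguration(clientConfiguration)
            .withCryptoConfiguration(cryptoConfiguration)
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(aes256Key)))
            .build();
}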


创建RSA加密客户端

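/**
 * Creates a client-side encryption client backed by a freshly generated RSA master key pair.
 *
 * The key pair generated here is the only thing that can unwrap the per-object content keys,
 * and this method neither returns nor persists it: once the JVM exits the data is
 * unrecoverable. Use the overload that accepts a {@link KeyPair} loaded from secure storage
 * for anything beyond a demo. The key size is 2048 bits; the earlier 1024-bit value is
 * below current minimum recommendations for RSA.
 *
 * @param accessKey access key ID used to sign requests
 * @param secretKey access key secret used to sign requests (this is NOT the data encryption key)
 * @param endPoint  service endpoint host, contacted over HTTPS
 * @return an S3 client that encrypts object content locally before upload
 * @throws NoSuchAlgorithmException if the JRE offers no RSA KeyPairGenerator
 */
public static AmazonS3Encryption getEncryptionAmazonS3ClientRSA(String accessKey, String secretKey, String endPoint) throws NoSuchAlgorithmException {
    // A new random key pair on every call: the caller must export and safeguard it (see the disclaimer).
    KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA");
    keyGenerator.initialize(2048, new SecureRandom());
    KeyPair myKeyPair = keyGenerator.generateKeyPair();
    return getEncryptionAmazonS3ClientRSA(accessKey, secretKey, endPoint, myKeyPair);
}

/**
 * Creates a client-side encryption client using a caller-supplied RSA master key pair.
 *
 * @param accessKey access key ID used to sign requests
 * @param secretKey access key secret used to sign requests
 * @param endPoint  service endpoint host, contacted over HTTPS
 * @param myKeyPair the RSA key pair (2048-bit or larger recommended) that wraps each object's content key
 * @return an S3 client that encrypts object content locally before upload
 * @throws IllegalArgumentException if {@code myKeyPair} is null or is not an RSA key pair
 */
public static AmazonS3Encryption getEncryptionAmazonS3ClientRSA(String accessKey, String secretKey, String endPoint, KeyPair myKeyPair) {
    if (myKeyPair == null || myKeyPair.getPublic() == null
            || !"RSA".equals(myKeyPair.getPublic().getAlgorithm())) {
        throw new IllegalArgumentException("master key must be a non-null RSA key pair");
    }

    // TLS certificate validation is deliberately left ON. The earlier version of this sample set
    // SDKGlobalConfiguration.DISABLE_CERT_CHECKING_SYSTEM_PROPERTY to "true", which lets any
    // on-path attacker impersonate the endpoint: object content stays encrypted, but object
    // names, listings and every other request/response could be read or tampered with.
    ClientConfiguration clientConfiguration = new ClientConfiguration();
    clientConfiguration.setProtocol(Protocol.HTTPS);
    BasicAWSCredentials cred = new BasicAWSCredentials(accessKey, secretKey);

    // AuthenticatedEncryption (AES-GCM) detects modification of stored ciphertext on read;
    // EncryptionOnly (AES-CBC) offers no integrity check. AuthenticatedEncryption can still read
    // objects that were written in EncryptionOnly mode. NOTE(review): depending on the SDK/JDK
    // version this mode may need the Bouncy Castle provider on the classpath — verify in your environment.
    CryptoConfiguration cryptoConfiguration = new CryptoConfiguration()
            .withCryptoMode(CryptoMode.AuthenticatedEncryption);

    return AmazonS3EncryptionClientBuilder.standard()
            .withCredentials(new AWSStaticCredentialsProvider(cred))
            .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endPoint))
            .withClientConfiguration(clientConfiguration)
            .withCryptoConfiguration(cryptoConfiguration)
            .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(myKeyPair)))
            .build();
}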

普通上传和下载文件示例

以下提供如何使用AES256进行普通上传、下载的示例。

import com.amazonaws.AmazonServiceException;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.SDKGlobalConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3Encryption;
import com.amazonaws.services.s3.AmazonS3EncryptionClientBuilder;
import com.amazonaws.services.s3.model.*;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

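/**
 * Sample: upload an object through a client-side encryption client and read it back.
 *
 * The original listing initialised {@code s3} via {@code getEncryptionAmazonS3ClientRSA}, which
 * this class does not define, although the surrounding text describes an AES-256 example;
 * the static initialiser now uses the AES-256 helper defined below.
 */
public class OssClientEncryptionSample {
    // Placeholders only. Do not hard-code real credentials in source; read them from the
    // environment, a credentials file or a credentials provider at runtime.
    private final static String ACCESS_KEY = "yourAccessKeyId";
    private final static String SECRET_KEY = "yourAccessKeySecret";
    // Endpoint for the North China 2 (Beijing) region, given as an example
    private final static String END_POINT = "oss-cn-north-2.unicloudsrv.com";
    static final AmazonS3 s3;

    static {
        try {
            s3 = getEncryptionS3ClientAES256(ACCESS_KEY, SECRET_KEY, END_POINT);
        } catch (NoSuchAlgorithmException e) {
            // Fail loudly at class load instead of leaving s3 null and crashing later with an NPE.
            throw new ExceptionInInitializerError(e);
        }
    }

    static String bucketName = "yourBucketName";

    /**
     * Creates an AES-256 client-side encryption client.
     *
     * The master key is generated fresh on every call and is neither returned nor persisted, so
     * objects written through this client cannot be decrypted by a later run; this is acceptable
     * for a demo only. Production code must load a securely stored key and keep TLS certificate
     * validation enabled (the earlier version of this sample disabled it via
     * SDKGlobalConfiguration.DISABLE_CERT_CHECKING_SYSTEM_PROPERTY, exposing every request to
     * on-path interception or tampering).
     *
     * @param accessKey access key ID used to sign requests
     * @param secretKey access key secret used to sign requests (this is NOT the data encryption key)
     * @param endPoint  service endpoint host, contacted over HTTPS
     * @return an S3 client that encrypts object content locally before upload
     * @throws NoSuchAlgorithmException if the JRE offers no AES KeyGenerator
     */
    public static AmazonS3Encryption getEncryptionS3ClientAES256(String accessKey, String secretKey, String endPoint) throws NoSuchAlgorithmException {
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
        keyGenerator.init(256);
        SecretKey aes256Key = keyGenerator.generateKey();

        ClientConfiguration clientConfiguration = new ClientConfiguration();
        clientConfiguration.setProtocol(Protocol.HTTPS);
        BasicAWSCredentials cred = new BasicAWSCredentials(accessKey, secretKey);

        // AuthenticatedEncryption (AES-GCM) detects modification of stored ciphertext on read;
        // EncryptionOnly (AES-CBC) offers no integrity check, and AuthenticatedEncryption can
        // still read EncryptionOnly objects. NOTE(review): depending on the SDK/JDK version this
        // mode may need the Bouncy Castle provider on the classpath — verify in your environment.
        CryptoConfiguration cryptoConfiguration = new CryptoConfiguration()
                .withCryptoMode(CryptoMode.AuthenticatedEncryption);

        return AmazonS3EncryptionClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(cred))
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(endPoint))
                .withClientConfiguration(clientConfiguration)
                .withCryptoConfiguration(cryptoConfiguration)
                .withEncryptionMaterials(new StaticEncryptionMaterialsProvider(new EncryptionMaterials(aes256Key)))
                .build();
    }

    /**
     * Uploads a small text object (encrypted client-side) and prints it back after download.
     * Service-side failures are reported on stderr and end the process with exit code 1.
     */
    public static void main(String[] args) throws Throwable {
        try {
            String s3ObjectKey = "EncryptedContent.txt";
            String s3ObjectContent = "This is the 1st content to encrypt";
            s3.putObject(bucketName, s3ObjectKey, s3ObjectContent);
            // Same in-process client, so the generated key is still available for decryption.
            System.out.println(s3.getObjectAsString(bucketName, s3ObjectKey));
        } catch (AmazonServiceException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}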