我一直在尝试使用KMS管理器来加密某些敏感信息并将其存储在S3存储桶中。我找到了许多有关如何执行此操作的示例,其中最重要的是AWS文档(https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/kms-keys-s3-encryption.html)中的一个
using System;
using System.Collections.Specialized;
using System.Collections.Generic;
using System.Configuration;
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using Amazon;
using Amazon.S3;
using Amazon.S3.Model;
using Amazon.S3.Encryption;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;
namespace S3Sample1
{
class S3Sample
{
public static void Main(string[] args)
{
string kmsKeyID = null;
using (var kmsClient = new AmazonKeyManagementServiceClient())
{
var response = kmsClient.CreateKey(new CreateKeyRequest());
kmsKeyID = response.KeyMetadata.KeyId;
var keyMetadata = response.KeyMetadata; // An object that contains information about the CMK created by this operation.
var bucketName = "<s3bucket>";
var objectKey = "key";
var kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyID);
// CryptoStorageMode.ObjectMetadata is required for KMS EncryptionMaterials
var config = new AmazonS3CryptoConfiguration()
{
StorageMode = CryptoStorageMode.ObjectMetadata
};
using (var s3Client = new AmazonS3EncryptionClient(config, kmsEncryptionMaterials))
{
// encrypt and put object
var putRequest = new PutObjectRequest
{
BucketName = bucketName,
Key = objectKey,
ContentBody = "object content"
};
s3Client.PutObject(putRequest);
// get object and decrypt
var getRequest = new GetObjectRequest
{
BucketName = bucketName,
Key = objectKey
};
using (var getResponse = s3Client.GetObject(getRequest))
using (var stream = getResponse.ResponseStream)
using (var reader = new StreamReader(stream))
{
Console.WriteLine(reader.ReadToEnd());
}
}
}
Console.WriteLine("Press any key to continue...");
Console.ReadKey();
}
}
}
即使我使用完整框架(要使用.NET Core中的上述示例,我也必须根据其文档使所有aws调用异步)版本,否则此代码将不起作用,因为
var kmsEncryptionMaterials = new EncryptionMaterials(kmsKeyID);
不接受字符串,而是AsymmetricKey或SymmetricKey对象。我绕过
var kmsEncryptionMaterials = new EncryptionMaterials(RSA.Create())
显然,这将是每个会话的密钥,因此我实际上找到了这篇文章https://aws.amazon.com/blogs/developer/client-side-data-encryption-with-aws-sdk-for-net-and-amazon-s3/,该文章基本上详细介绍了如何重用似乎确实过时的密钥(创建于2013年),并且我认为这是不合理的。最初是想将KMS用作aws生态系统中所有盒子的实际身份验证/授权提供者,然后访问包含密钥的S3存储桶。
我想念什么吗?为什么AWS示例中包含字符串?
我正在使用适用于AWS开发工具包.NET Core的最新软件包:
答案 0 :(得分:0)
在大约一天左右的时间后,我意识到这个问题与Amazon.S3.Encryption dll的多个目标有关。
我找到了一个github项目,该示例具有适用于.net核心(https://github.com/priyalwalpita/awssdk_dotnetcore)的示例,并且从中可以很明显地看出问题出在我的缓存dll中。
我还对csproj中的ItemGroups进行了三遍检查,并确保它们是正确的
<ItemGroup>
<PackageReference Include="AWSSDK.Core" Version="3.3.24.4" />
<PackageReference Include="AWSSDK.KeyManagementService" Version="3.3.6" />
<PackageReference Include="AWSSDK.S3" Version="3.3.20" />
<PackageReference Include="Microsoft.Extensions.Configuration" Version="2.1.1" />
<PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="2.1.1" />
<PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="2.1.1" />
</ItemGroup>
希望这将来可能对某人有所帮助