Missing the decode_encryption_key in the sample code (see below)

[imlocn]

REGION = 'us-west-2'
BUCKET = 'testing.stuff.bucket'
s3_key = 'testing.txt'

s3 = boto3.client('s3', region_name=REGION)
encoded_key = s3.get_object(Bucket=BUCKET, Key=s3_key + '.key')

plaintext_key = decode_encryption_key(encoded_key)

s3e = S3EncryptionClient(encryption_key=plaintext_key, region_name=REGION)
print s3e.get_object(Bucket=BUCKET, Key=s3_key)

'this is a test'

[boldfield]

There's several ways to approach getting the plaintext key. My assumption here was that it would be generated somewhere else making calls to the KMS service and exist in scope for this example. Upon reflection, that makes things very ambiguous. I'll update this to make things a little more clear, thanks for pointing this out.

[imlocn]

Can you provide an complete example of front-end encrypt/decrypt for upload/download files to S3?

[imlocn]

Do you have the code for the decode_encryption_key(encoded_key)?

[tolidano]

imlocn - just to add some clarity here - the point is that it is NOT the responsibility of boldfield (or this library) to encrypt or decrypt the content that goes into the s3_key + '.key' file.

If you want a fast and easy way of doing this with boto3 and KMS:

When you encrypt:

def get_info():
    kms = boto3.client('kms')
    data_key_req = kms.generate_data_key(KeyId=self.key_id, KeySpec='AES_128')
    # now, data_key_req has TWO keys:
    encrypt_your_data_with_this_key = data_key_req['Plaintext']
    upload_this_to_the_dot_key_file = data_key_req['CiphertextBlob']
    return {'p': encrypt_your_data_with_this_key, 'c': upload_this_to_the_dot_key_file}

Now when you decrypt, this is the bit you need:

def decode_encryption_key(encoded_key):
    kms = boto3.client('kms')
    decrypt_req = kms.decrypt(CiphertextBlob=encoded_key)
    return decrypt_req['Plaintext']