If client-side encryption is enabled, objects are locally encrypted before they are uploaded to Object Storage Service (OSS). Only the holder of the customer master key (CMK) can decrypt the objects. This way, data security is enhanced during transmission and storage.
Disclaimer
When you use client-side encryption, you must ensure the integrity and validity of the customer master key (CMK). If the CMK is incorrectly used or lost due to improper maintenance, you are responsible for all losses and consequences caused by decryption failures.
When you copy or migrate encrypted data, you must ensure the integrity and validity of the object metadata related to client-side encryption. If the encrypted metadata is incorrectly used or lost due to improper maintenance, you are responsible for all losses and consequences caused by decryption failures.
Scenarios
Highly sensitive data: You want to encrypt sensitive data, such as Personal Identifiable Information (PII), transaction records, and health data, before the data leaves your local environment. This ensures effective protection of your data even when the data is intercepted.
Regulatory compliance: Regulations, such as Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR), require encryption of data stored on third-party platforms. Client-side encryption meets these requirements because CMKs are managed by users and not passed over networks or to cloud service providers.
Strong permission control: Your enterprise or developer may want to have full control over the encryption process, including the selection of encryption algorithms and the management and rotation of keys. In this case, you can use client-side encryption to ensure that only authorized users can decrypt and access data.
Secure data migration across regions: Client-side encryption helps keep data encrypted throughout migration. This enhances data security during transmission over the Internet.
Usage notes
In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS from other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and endpoints.
In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient by using custom domain names or Security Token Service (STS), see Create an OSSClient instance.
Background information
In client-side encryption, a random data key is generated for each object to perform symmetric encryption on the object. The client uses a CMK to encrypt the random data key. The encrypted data key is uploaded as a part of the object metadata and stored in the OSS server. When an encrypted object is downloaded, the client uses the CMK to decrypt the random data key and then uses the data key to decrypt the object. To ensure data security, the CMK is used only on the client and is not transmitted over the network or stored in the server.
Client-side encryption supports multipart upload for objects larger than 5 GB in size. When you use multipart upload to upload an object, you must specify the total size of the object and the size of each part. The size of each part except for the last part must be the same and a multiple of 16 bytes.
After you upload objects encrypted on the client, object metadata related to client-side encryption is protected, and cannot be modified by calling the CopyObject operation.
Encryption methods
You can use two types of CMKs for client-side encryption:
KMS-managed CMKs
When you use a CMK managed by Key Management Service (KMS) for client-side encryption, you must send the CMK ID to OSS SDK for Python.
RSA-based CMKs managed by yourself
When you use a CMK managed by yourself for client-side encryption, you must send the public key and the private key of your CMK to OSS SDK for Python as parameters.
You can use the preceding encryption methods to prevent data leaks and protect your data on the client. Even if your data is leaked, the data cannot be decrypted by other users.
Object metadata related to client-side encryption
Parameter | Description | Required |
x-oss-meta-client-side-encryption-key | The encrypted data key. The encrypted data key is a string encrypted by using a CMK and encoded in Base64. | Yes |
x-oss-meta-client-side-encryption-start | The initial value generated randomly for data encryption. The initial value is a string encrypted by using a CMK and encoded in Base64. | Yes |
x-oss-meta-client-side-encryption-cek-alg | The algorithm that is used to encrypt data. | Yes |
x-oss-meta-client-side-encryption-wrap-alg | The algorithm that is used to encrypt the data key. | Yes |
x-oss-meta-client-side-encryption-matdesc | The description of the CMK in JSON format. Warning We recommend that you configure a description for each CMK and store the mapping relationship between the CMK and its description. A CMK without a matching description cannot be replaced. | No |
x-oss-meta-client-side-encryption-unencrypted-content-length | The length of data before encryption. If content-length is not specified, this parameter is not generated. | No |
x-oss-meta-client-side-encryption-unencrypted-content-md5 | The MD5 hash of the data before encryption. If Content-MD5 is not specified, this parameter is not generated. | No |
x-oss-meta-client-side-encryption-data-size | The total size of the object to encrypt for multipart upload when init_multipart is called. | Yes (for multipart upload) |
x-oss-meta-client-side-encryption-part-size | The size of each part to encrypt for multipart upload when init_multipart is called. Note The size of each part must be a multiple of 16. | Yes (for multipart upload) |
The following examples show how to use RSA-based CMKs to encrypt or decrypt objects in different scenarios.
Encrypt an object from memory
The following sample code provides an example on how to use an RSA-based CMK to encrypt an object stored in memory and upload the object to OSS:
#include <alibabacloud/oss/OssEncryptionClient.h>
using namespace AlibabaCloud::OSS;
int main(void)
{
/* Initialize information about the account that is used to access OSS. */
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "yourEndpoint";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Specify the full path of the object. Do not include the bucket name in the full path. Example: exampledir/exampleobject.txt. */
std::string ObjectName = "exampledir/exampleobject.txt";
/* Specify the CMK and the description. */
std::string RSAPublicKey = "your rsa public key";
std::string RSAPrivateKey = "your rsa private key";
std::map<std::string, std::string> desc;
desc["comment"] = "your comment";
/* Initialize resources, such as network resources. */
InitializeSdk();
ClientConfiguration conf;
/* Obtain access credential from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
CryptoConfiguration cryptoConf;
auto materials = std::make_shared<SimpleRSAEncryptionMaterials>(RSAPublicKey, RSAPrivateKey, desc);
OssEncryptionClient client(Endpoint, credentialsProvider, conf, materials, cryptoConf);
std::shared_ptr<std::iostream> content = std::make_shared<std::stringstream>();
*content << "Thank you for using Aliyun Object Storage Service!";
PutObjectRequest request(BucketName, ObjectName, content);
/* Upload the object. */
auto outcome = client.PutObject(request);
if (!outcome.isSuccess()) {
/* Handle exceptions. */
std::cout << "PutObject fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
return -1;
}
/* Release resources, such as network resources. */
ShutdownSdk();
return 0;
}Encrypt a local file to OSS
The following sample code provides an example on how to use an RSA-based CMK to encrypt a local file to OSS:
#include <alibabacloud/oss/OssEncryptionClient.h>
using namespace AlibabaCloud::OSS;
int main(void)
{
/* Initialize information about the account that is used to access OSS. */
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "yourEndpoint";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Specify the full path of the object. Do not include the bucket name in the full path. Example: exampledir/exampleobject.txt. */
std::string ObjectName = "exampledir/exampleobject.txt";
/* Specify the CMK and the description. */
std::string RSAPublicKey = "your rsa public key";
std::string RSAPrivateKey = "your rsa private key";
std::map<std::string, std::string> desc;
desc["comment"] = "your comment";
/* Initialize resources, such as network resources. */
InitializeSdk();
ClientConfiguration conf;
/* Obtain access credential from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
CryptoConfiguration cryptoConf;
auto materials = std::make_shared<SimpleRSAEncryptionMaterials>(RSAPublicKey, RSAPrivateKey, desc);
OssEncryptionClient client(Endpoint, credentialsProvider, conf, materials, cryptoConf);
/* Upload the object. */
auto outcome = client.PutObject(BucketName, ObjectName, "yourLocalFilename");
if (!outcome.isSuccess()) {
/* Handle exceptions. */
std::cout << "PutObject fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
return -1;
}
/* Release resources, such as network resources. */
ShutdownSdk();
return 0;
}Encrypt an object by using resumable upload
The following sample code provides an example on how to use an RSA-based CMK to encrypt an object when you upload the object by using resumable upload:
#include <alibabacloud/oss/OssEncryptionClient.h>
using namespace AlibabaCloud::OSS;
int main(void)
{
/* Initialize information about the account that is used to access OSS. */
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "yourEndpoint";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Specify the full path of the object. Do not include the bucket name in the full path. Example: exampledir/exampleobject.txt. */
std::string ObjectName = "exampledir/exampleobject.txt";
/* Specify the full path of the local file. Example: D:\\localpath\\examplefile.txt. By default, if you do not specify the full path of a local file, the local file is uploaded from the path of the project to which the sample program belongs. */
std::string UploadFilePath = "D:\\localpath\\examplefile.txt";
/* Specify the checkpoint file that records the results of the multipart upload task. This file stores information about the upload progress. If a part fails to be uploaded, the task can be resumed from the position recorded in the checkpoint file. After the local file is uploaded, the checkpoint file is deleted. */
/* By default, if you do not specify this parameter, the checkpoint file shares the same directory as the local file that you want to upload. */
std::string CheckpointFilePath = "yourCheckpointFilepath"
/* Specify the CMK and the description. */
std::string RSAPublicKey = "your rsa public key";
std::string RSAPrivateKey = "your rsa private key";
std::map<std::string, std::string> desc;
desc["comment"] = "your comment";
/* Initialize resources, such as network resources. */
InitializeSdk();
ClientConfiguration conf;
/* Obtain access credential from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
CryptoConfiguration cryptoConf;
auto materials = std::make_shared<SimpleRSAEncryptionMaterials>(RSAPublicKey, RSAPrivateKey, desc);
OssEncryptionClient client(Endpoint, credentialsProvider, conf, materials, cryptoConf);
/* Start the resumable upload. */
UploadObjectRequest request(BucketName, ObjectName, UploadFilePath, CheckpointFilePath);
auto outcome = client.ResumableUploadObject(request);
if (!outcome.isSuccess()) {
/* Handle exceptions. */
std::cout << "ResumableUploadObject fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
return -1;
}
/* Release resources, such as network resources. */
ShutdownSdk();
return 0;
}Encrypt an object by using multipart upload
The following sample code provides an example on how to use an RSA-based CMK to encrypt an object when you upload the object by using multipart upload:
#include <alibabacloud/oss/OssEncryptionClient.h>
#include <fstream>
using namespace AlibabaCloud::OSS;
static int64_t getFileSize(const std::string& file)
{
std::fstream f(file, std::ios::in | std::ios::binary);
f.seekg(0, f.end);
int64_t size = f.tellg();
f.close();
return size;
}
int main(void)
{
/* Initialize information about the account that is used to access OSS. */
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "yourEndpoint";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Specify the full path of the object. Do not include the bucket name in the full path. Example: exampledir/exampleobject.txt. */
std::string ObjectName = "exampledir/exampleobject.txt";
std::string fileToUpload = "yourLocalFilename";
/* Specify the CMK and the description. */
std::string RSAPublicKey = "your rsa public key";
std::string RSAPrivateKey = "your rsa private key";
std::map<std::string, std::string> desc;
desc["comment"] = "your comment";
/* Initialize resources, such as network resources. */
InitializeSdk();
ClientConfiguration conf;
/* Obtain access credential from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
CryptoConfiguration cryptoConf;
auto materials = std::make_shared<SimpleRSAEncryptionMaterials>(RSAPublicKey, RSAPrivateKey, desc);
OssEncryptionClient client(Endpoint, credentialsProvider, conf, materials, cryptoConf);
/* Initialize the context for encryption in multipart upload. */
/* The part size must be a multiple of 16. */
int64_t partSize = 100 * 1024;
auto fileSize = getFileSize(fileToUpload);
MultipartUploadCryptoContext cryptoCtx;
cryptoCtx.setPartSize(partSize);
cryptoCtx.setDataSize(fileSize);
/* Initiate a multipart upload task. */
InitiateMultipartUploadRequest initUploadRequest(BucketName, ObjectName);
auto uploadIdResult = client.InitiateMultipartUpload(initUploadRequest, cryptoCtx);
auto uploadId = uploadIdResult.result().UploadId();
PartList partETagList;
int partCount = static_cast<int> (fileSize / partSize);
/* Calculate the number of parts. */
if (fileSize % partSize != 0) {
partCount++;
}
/* Upload each part. */
for (int i = 1; i <= partCount; i++) {
auto skipBytes = partSize * (i - 1);
auto size = (partSize < fileSize - skipBytes) ? partSize : (fileSize - skipBytes);
std::shared_ptr<std::iostream> content = std::make_shared<std::fstream>(fileToUpload, std::ios::in|std::ios::binary);
content->seekg(skipBytes, std::ios::beg);
UploadPartRequest uploadPartRequest(BucketName, ObjectName, content);
uploadPartRequest.setContentLength(size);
uploadPartRequest.setUploadId(uploadId);
uploadPartRequest.setPartNumber(i);
auto uploadPartOutcome = client.UploadPart(uploadPartRequest, cryptoCtx);
if (uploadPartOutcome.isSuccess()) {
Part part(i, uploadPartOutcome.result().ETag());
partETagList.push_back(part);
}
else {
std::cout << "uploadPart fail" <<
",code:" << uploadPartOutcome.error().Code() <<
",message:" << uploadPartOutcome.error().Message() <<
",requestId:" << uploadPartOutcome.error().RequestId() << std::endl;
}
}
/* Complete the multipart upload task. */
CompleteMultipartUploadRequest request(BucketName, ObjectName);
request.setUploadId(uploadId);
request.setPartList(partETagList);
auto outcome = client.CompleteMultipartUpload(request, cryptoCtx);
if (!outcome.isSuccess()) {
/* Handle exceptions. */
std::cout << "CompleteMultipartUpload fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
return -1;
}
/* Release resources, such as network resources. */
ShutdownSdk();
return 0;
}Decrypt an object to a local path
The following sample code provides an example on how to use an RSA-based CMK to decrypt an object when you download the object to a local path:
#include <alibabacloud/oss/OssEncryptionClient.h>
#include <fstream>
using namespace AlibabaCloud::OSS;
int main(void)
{
/* Initialize information about the account that is used to access OSS. */
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Specify the full path of the object. Do not include the bucket name in the full path. Example: exampledir/exampleobject.txt. */
std::string ObjectName = "exampledir/exampleobject.txt";
/* Download the object to D:\\localpath as a local file named examplefile.txt. If a file that has the same name already exists in the specified path, the downloaded object overwrites the file. Otherwise, the downloaded object is saved in the path. */
/* If you do not specify the path of the local file, the downloaded object is saved to the path of the project to which the sample program belongs. */
std::string FileNametoSave = "D:\\localpath\\examplefile.txt";
/* Specify the CMK and the description. */
std::string RSAPublicKey = "your rsa public key";
std::string RSAPrivateKey = "your rsa private key";
std::map<std::string, std::string> desc;
desc["comment"] = "your comment";
/* Initialize resources, such as network resources. */
InitializeSdk();
ClientConfiguration conf;
/* Obtain access credential from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
CryptoConfiguration cryptoConf;
auto materials = std::make_shared<SimpleRSAEncryptionMaterials>(RSAPublicKey, RSAPrivateKey, desc);
/* To decrypt content that is encrypted by using other CMKs, you must provide the information about the CMKs. */
//std::string RSAPublicKey2 = "your rsa public key";
//std::string RSAPrivateKey2 = "your rsa private key";
//std::map<std::string, std::string> desc2;
//desc2["comment"] = "your comment";
//materials.addEncryptionMaterial(RSAPublicKey2, RSAPrivateKey2, desc2);
OssEncryptionClient client(Endpoint, credentialsProvider, conf, materials, cryptoConf);
/* Download the object and store the downloaded object as a local file. */
GetObjectRequest request(BucketName, ObjectName);
request.setResponseStreamFactory([=]() {return std::make_shared<std::fstream>(FileNametoSave, std::ios_base::out | std::ios_base::in | std::ios_base::trunc| std::ios_base::binary); });
auto outcome = client.GetObject(request);
if (outcome.isSuccess()) {
std::cout << "GetObjectToFile success" << outcome.result().Metadata().ContentLength() << std::endl;
}
else {
/* Handle exceptions. */
std::cout << "GetObjectToFile fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
return -1;
}
/* Release resources, such as network resources. */
ShutdownSdk();
return 0;
}Decrypt an object to local memory
The following sample code provides an example on how to use an RSA-based CMK to decrypt an object to local memory:
#include <alibabacloud/oss/OssEncryptionClient.h>
using namespace AlibabaCloud::OSS;
int main(void)
{
/* Initialize information about the account that is used to access OSS. */
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "yourEndpoint";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Specify the full path of the object. Do not include the bucket name in the full path. Example: desrfolder/exampleobject.txt. */
std::string ObjectName = "yourObjectName";
std::string RSAPublicKey = "your rsa public key";
std::string RSAPrivateKey = "your rsa private key";
/* Specify the CMK and the description. */
std::string RSAPublicKey = "your rsa public key";
std::string RSAPrivateKey = "your rsa private key";
std::map<std::string, std::string> desc;
desc["comment"] = "your comment";
/* Initialize resources, such as network resources. */
InitializeSdk();
ClientConfiguration conf;
/* Obtain access credential from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
CryptoConfiguration cryptoConf;
auto materials = std::make_shared<SimpleRSAEncryptionMaterials>(RSAPublicKey, RSAPrivateKey, desc);
/* To decrypt content that is encrypted by using other CMKs, you must provide the information about the CMKs. */
//std::string RSAPublicKey2 = "your rsa public key";
//std::string RSAPrivateKey2 = "your rsa private key";
//std::map<std::string, std::string> desc2;
//desc2["comment"] = "your comment";
//materials.addEncryptionMaterial(RSAPublicKey2, RSAPrivateKey2, desc2);
OssEncryptionClient client(Endpoint, credentialsProvider, conf, materials, cryptoConf);
/* Download the object to local memory. */
GetObjectRequest request(BucketName, ObjectName);
auto outcome = client.GetObject(request);
if (outcome.isSuccess()) {
std::cout << "getObjectToBuffer" << " success, Content-Length:" << outcome.result().Metadata().ContentLength() << std::endl;
/* Display the downloaded content. */
std::string content;
*(outcome.result().Content()) >> content;
std::cout << "getObjectToBuffer" << "content:" << content << std::endl;
}
else {
/* Handle exceptions. */
std::cout << "getObjectToBuffer fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
return -1;
}
/* Release resources, such as network resources. */
ShutdownSdk();
return 0;
}Decrypt an object by using range download
The following sample code provides an example on how to use an RSA-based CMK to decrypt an object by using range download:
#include <alibabacloud/oss/OssEncryptionClient.h>
using namespace AlibabaCloud::OSS;
int main(void)
{
/* Initialize information about the account that is used to access OSS. */
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "yourEndpoint";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Specify the full path of the object. Do not include the bucket name in the full path. Example: desrfolder/exampleobject.txt. */
std::string ObjectName = "yourObjectName";
/* Specify the CMK and the description. */
std::string RSAPublicKey = "your rsa public key";
std::string RSAPrivateKey = "your rsa private key";
std::map<std::string, std::string> desc;
desc["comment"] = "your comment";
/* Initialize resources, such as network resources. */
InitializeSdk();
ClientConfiguration conf;
/* Obtain access credential from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
CryptoConfiguration cryptoConf;
auto materials = std::make_shared<SimpleRSAEncryptionMaterials>(RSAPublicKey, RSAPrivateKey, desc);
/* To decrypt content that is encrypted by using other CMKs, you must provide the information about the CMKs. */
//std::string RSAPublicKey2 = "your rsa public key";
//std::string RSAPrivateKey2 = "your rsa private key";
//std::map<std::string, std::string> desc2;
//desc2["comment"] = "your comment";
//materials.addEncryptionMaterial(RSAPublicKey2, RSAPrivateKey2, desc2);
OssEncryptionClient client(Endpoint, credentialsProvider, conf, materials, cryptoConf);
/* Specify the download range. */
GetObjectRequest request(BucketName, ObjectName);
request.setRange(0, 1);
auto outcome = client.GetObject(request);
if (!outcome.isSuccess ()) {
/* Handle exceptions. */
std::cout << "getObject fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
return -1;
}
/* Release resources, such as network resources. */
ShutdownSdk();
return 0;
}Decrypt an object by using resumable download
The following sample code provides an example on how to use an RSA-based CMK to decrypt an object when you download the object by using resumable download:
#include <alibabacloud/oss/OssEncryptionClient.h>
using namespace AlibabaCloud::OSS;
int main(void)
{
/* Initialize the information about the account that is used to access OSS.
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Specify the full path of the object. Do not include the bucket name in the full path. Example: exampledir/exampleobject.txt. */
std::string ObjectName = "exampledir/exampleobject.txt";
/* Download the object to the local path D:\\localpath and save the downloaded object as a local file named examplefile.txt. If a file that has the same name already exists in the specified path, the downloaded object overwrites the file. Otherwise, the downloaded object is saved in the path. */
/* If you do not specify the path of the local file, the downloaded object is saved to the path of the project to which the sample program belongs. */
std::string DownloadFilePath = "D:\\localpath\\examplefile.txt";
/* Specify the full path of the checkpoint file. Example: D:\\localpath\\examplefile.txt.dcp. */
/* The checkpoint file is generated when the download is interrupted. If you want to resume the download task, you must specify the full path of the checkpoint file. After the object is downloaded, the checkpoint file is deleted. */
std::string CheckpointFilePath = "D:\\localpath\\examplefile.txt.dcp";
/* Specify the CMK and the description. */
std::string RSAPublicKey = "your rsa public key";
std::string RSAPrivateKey = "your rsa private key";
std::map<std::string, std::string> desc;
desc["comment"] = "your comment";
/* Initialize resources, such as network resources. */
InitializeSdk();
ClientConfiguration conf;
/* Obtain access credential from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
CryptoConfiguration cryptoConf;
auto materials = std::make_shared<SimpleRSAEncryptionMaterials>(RSAPublicKey, RSAPrivateKey, desc);
/* To decrypt content that is encrypted by using other CMKs, you must provide the information about the CMKs. */
//std::string RSAPublicKey2 = "your rsa public key";
//std::string RSAPrivateKey2 = "your rsa private key";
//std::map<std::string, std::string> desc2;
//desc2["comment"] = "your comment";
//materials.addEncryptionMaterial(RSAPublicKey2, RSAPrivateKey2, desc2);
OssEncryptionClient client(Endpoint, credentialsProvider, conf, materials, cryptoConf);
/* Start resumable download. */
DownloadObjectRequest request(BucketName, ObjectName, DownloadFilePath, CheckpointFilePath);
auto outcome = client.ResumableDownloadObject(request);
if (!outcome.isSuccess()) {
/* Handle exceptions. */
std::cout << "ResumableDownloadObject fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
return -1;
}
/* Release resources, such as network resources. */
ShutdownSdk();
return 0;
}