Client-side encryption using OSS SDK for Go 2.0
Client-side encryption encrypts objects locally before they are uploaded to Object Storage Service (OSS). Only the holder of the customer master key (CMK) can decrypt the objects, which enhances data security during transmission and storage.
Usage notes
-
The sample code in this topic uses the region ID
cn-hangzhouof the China (Hangzhou) region and the public endpoint by default. To access resources from other Alibaba Cloud services in the same region as the bucket, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and Endpoints. -
In this topic, access credentials are obtained from environment variables. For more information, see Configure access credentials (Go SDK V1).
-
When you use client-side encryption, you must ensure the integrity and validity of the CMK.
-
When you copy or migrate encrypted data, you are responsible for the integrity and validity of object metadata.
Syntax
OSS SDK for Go V2 supports two types of CMKs for client-side encryption.
-
RSA-based CMKs managed by yourself
The SDK provides the default Rivest-Shamir-Adleman (RSA) implementation. If you provide a CMK, you must pass the public key and private key to the SDK.
-
Custom CMKs
You can implement custom CMK-based encryption and decryption. This topic provides examples by using Key Management Service (KMS) V3.0.
These encryption methods protect your data on the client side. Even if your data is leaked, it cannot be decrypted by others.
For more information about client-side encryption, see Client-side encryption.
To use client-side encryption, create an EncryptionClient instance and call its API operations. Objects are automatically encrypted and decrypted as part of each request.
type EncryptionClient struct {
...
}
func NewEncryptionClient(c *Client, masterCipher crypto.MasterCipher, optFns ...func(*EncryptionClientOptions)) (eclient *EncryptionClient, err error)
Request parameters
|
Parameter |
Type |
Description |
|
c |
*Client |
An instance of a non-encryption client. |
|
masterCipher |
crypto.MasterCipher |
The CMK instance for encrypting and decrypting data keys. |
|
optFns |
...func(*EncryptionClientOptions) |
The configuration options of the client for client-side encryption. |
EncryptionClientOptions
|
Parameter |
Type |
Description |
|
MasterCiphers |
[]crypto.MasterCipher |
The CMK instances used to decrypt data keys. |
Response parameters
|
Parameter |
Type |
Description |
|
eclient |
*EncryptionClient |
The client instance for client-side encryption. Returned when err is nil. |
|
err |
error |
The error that occurred during client creation. A nil value indicates success. |
Operations supported by EncryptionClient
|
Basic operation |
Description |
|
GetObjectMeta |
Queries standard HTTP metadata headers of the object. |
|
HeadObject |
Queries all metadata information of the object. |
|
GetObject |
Downloads and decrypts the object. |
|
PutObject |
Uploads and decrypts the object. |
|
InitiateMultipartUpload |
Initiates a multipart upload and the multipart encryption context (EncryptionMultiPartContext). |
|
UploadPart |
Uploads a part with automatic encryption. You must set the multipart encryption context when calling this operation. |
|
CompleteMultipartUpload |
Combines all parts into a complete object after all parts are uploaded. |
|
AbortMultipartUpload |
Cancels a multipart upload task and deletes all parts uploaded by the multipart upload task. |
|
ListParts |
Lists all parts that were uploaded by the multipart upload task. |
|
Advanced operation |
Description |
|
NewDownloader |
Creates a downloader instance. |
|
NewUploader |
Creates an uploader instance. |
|
OpenFile |
Creates a ReadOnlyFile instance. |
|
Auxiliary operation |
Description |
|
Unwrap |
Returns the underlying non-encryption client instance for basic operations. |
Use RSA CMKs for client-side encryption
Use RSA-based CMKs to encrypt objects in simple uploads and decrypt objects in simple downloads
Use RSA-based CMKs to encrypt objects to be uploaded by using multipart upload
Use custom CMKs
Use custom CMKs to encrypt objects in simple uploads and decrypt objects in simple downloads
References
-
For more information about client-side encryption, see Client-side encryption.
-
For more information about how to implement client-side encryption by using OSS SDK for Go, see Developer Guide.
-
For the complete sample code for simple uploads and downloads based on RSA-based CMKs, visit GitHub.
-
For the complete sample code for simple uploads and downloads based on KMS CMKs, visit GitHub.