
Difference between KMS encryption and S3 SSE

Is there any difference between encrypting a file with KMS myself and then pushing that file to an S3 bucket, versus putting the file into the S3 bucket with SSE-KMS encryption?

First: the KMS Encrypt operation will only accept 4K of data, so it isn't a general solution.

With S3 server-side encryption, the S3 back-end will generate a key, use that key to encrypt the data, use KMS to encrypt the key, then store the encrypted data and the encrypted key. When you read the data it does the reverse: use KMS to decrypt the key, then use the decrypted key to decrypt the data.

You could implement the same thing yourself, storing the encrypted key in the S3 object's metadata. However, this means writing code to do the object encryption yourself, and unless you are familiar with encryption it's possible that you could make a mistake.

There are some limited use-cases for client-side encryption, but in those cases you'd be using an encryption key that's not provided by KMS.
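The envelope scheme the answer describes (generate a data key, encrypt the object with it, have KMS encrypt only the key, store both), written out as an added example that is not from the answer or from AWS. It assumes an in-process stand-in for the KMS key so it runs offline; against real AWS the `kms` calls would be KMS `GenerateDataKey`/`Decrypt`, and the 4 KiB check mirrors the `Encrypt` limit the answer mentions.

```go
package main

import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors"; "fmt")

// Constructed in-process stand-in for the KMS key (the real one never leaves KMS).
var kmsMasterKey = []byte("0123456789abcdef0123456789abcdef")

// aesGCM encrypts with a random nonce prepended or, with decrypt=true, reverses that;
// a wrong key or tampered bytes fail GCM authentication rather than yield garbage.
func aesGCM(key, data []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	a, _ := cipher.NewGCM(block) // cannot fail for an AES block
	n := a.NonceSize()
	if decrypt {
		if len(data) < n { return nil, errors.New("ciphertext shorter than nonce") }
		return a.Open(nil, data[:n], data[n:], nil)
	}
	nonce := make([]byte, n)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return a.Seal(nonce, nonce, data, nil), nil
}

// kms mimics KMS Encrypt/Decrypt: only the small data key ever goes to it, never the object.
func kms(data []byte, decrypt bool) ([]byte, error) {
	if !decrypt && len(data) > 4096 { return nil, errors.New("exceeds the 4 KiB KMS Encrypt limit") }
	return aesGCM(kmsMasterKey, data, decrypt)
}

// Encrypt: fresh data key -> encrypt object with it -> wrap key with KMS; the wrapped key is what goes in S3 object metadata.
func Encrypt(object []byte) (ciphertext, wrappedKey []byte, err error) {
	dataKey := make([]byte, 32)
	if _, err = rand.Read(dataKey); err != nil { return nil, nil, err }
	if ciphertext, err = aesGCM(dataKey, object, false); err != nil { return nil, nil, err }
	if wrappedKey, err = kms(dataKey, false); err != nil { return nil, nil, err }
	return ciphertext, wrappedKey, nil
}

// Decrypt reverses it: KMS-unwrap the data key, then decrypt the object with it.
func Decrypt(ciphertext, wrappedKey []byte) ([]byte, error) {
	dataKey, err := kms(wrappedKey, true)
	if err != nil { return nil, err }
	return aesGCM(dataKey, ciphertext, true)
}

func main() {
	ct, wk, _ := Encrypt([]byte("constructed sample object"))
	pt, err := Decrypt(ct, wk)
	fmt.Println(string(pt), err) // constructed sample object <nil>
}
```

Note that the object never goes to KMS at all, only the 32-byte data key does, which is why the 4 KiB limit does not matter for the object size.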
