adding s3 encryption examples

Author: soo-aws

doc_source/document-history.rst

@@ -16,6 +16,10 @@ This topic describes important changes to the |sdk-java-dg| over the course of i
 
 **This documentation was built on:** |today|
 
+Nov 2, 2017
+  Added cryptography examples for |S3| encryption client, including new topics:
+  :doc:`examples-crypto` and :doc:`examples-crypto-kms` and :doc:`examples-crypto-masterkey`.
+
 Apr 14, 2017
    Made a number of updates to the :doc:`examples-s3` section, including new topics:
    :doc:`examples-s3-access-permissions` and :doc:`examples-s3-website-configuration`.
@@ -139,4 +143,3 @@ May 9, 2014
 Sep 9, 2013
    This topic, *Document History*, tracks changes to the |sdk-java-dg|. It is intended as a
    companion to the release notes history.
-

doc_source/examples-crypto-kms.rst

@@ -0,0 +1,142 @@
+.. Copyright 2010-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+   This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
+   International License (the "License"). You may not use this file except in compliance with the
+   License. A copy of the License is located at http://creativecommons.org/licenses/by-nc-sa/4.0/.
+
+   This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+   either express or implied. See the License for the specific language governing permissions and
+   limitations under the License.
+
+###################################################
+|S3| Client-Side Encryption with |KMS| Managed Keys
+###################################################
+
+.. meta::
+   :description: How to use the cryptography configuration settings for the AWS SDK for Java
+   :keywords: cryptography, encryption, example code
+
+The following examples use the
+:aws-java-class:`AmazonS3EncryptionClientBuilder <services/s3/AmazonS3EncryptionClientBuilder>`
+to create an |S3| client with client-side encryption enabled. Once configured,
+any object you upload to |S3| using this client
+will be encrypted. Any objects you get from |S3| using this client will automatically
+be decrypted.
+
+.. note::
+   The examples here demonstrate using the |S3| client-side
+   encryption with |KMS| managed keys. To learn how to use encryption with your own keys,
+   see the :doc:`examples-crypto-masterkey` topic.
+
+You can choose from three encryption modes when enabling client-side |S3| encryption.
+The sections below show how to enable each type. To learn which algorithms each mode uses,
+see :aws-java-class:`CryptoMode <services/s3/model/CryptoMode>` definition.
+
+
+Required Imports
+================
+
+Import the following libraries for the examples on this page.
+
+**Imports**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+   :lines: 16-31
+   :language: java
+
+.. _encryption-only:
+
+Encryption only Mode
+====================
+
+This is the default mode, if no :classname:`CryptoMode` is not specified. To use |KMS|
+managed key for encryption, pass the |KMS| key ID or alias to the
+:aws-java-class:`KMSEncryptionMaterialsProvider` constructor.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+  :lines: 237-243
+  :dedent: 8
+  :language: java
+
+You can retrieve the object with the same client.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+  :lines: 249
+  :dedent: 8
+  :language: java
+
+See the :sdk-examples-java-s3:`complete example <S3Encrypt.java>`.
+
+.. _authenticated-encryption:
+
+Authenticated Encryption Mode
+=============================
+
+When :classname:`AuthenticatedEncryption` mode is used, an improved key wrapping algorithm is applied
+applied during encryption. When decrypting in this mode, the algorithm is able to verify the integrity
+of the decrypted object and throw an exception if the check fails.
+To get more details about how authenticated encryption works, see the
+:blog:`Amazon S3 Client-Side Authenticated Encryption <developer/amazon-s3-client-side-authenticated-encryption>`
+blog post.
+
+To use client-side authenticated encryption, two steps are required:
+
+    #. Include the latest `Bouncy Castle jar <https://www.bouncycastle.org/latest_releases.html>`_
+       in the classpath.
+    #. Explicitly specify the cryptographic mode of authenticated encryption when
+       instantiating an S3 encryption client.
+
+Use the :aws-java-class:`CryptoMode <service/s3/model/CryptoMode>` to specify
+:classname:`AuthenticatedEncryption`.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+   :lines: 257-263
+   :dedent: 8
+   :language: java
+
+The :classname:`AuthenticatedEncryption` mode can retrieve unencrypted objects as well as
+objects encrypted with :classname:`EncryptionOnly` mode. This example shows the
+|S3| encryption client retrieving an unencrypted object.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+   :lines: 257-270
+   :dedent: 8
+   :language: java
+
+See the :sdk-examples-java-s3:`complete example <S3Encrypt.java>`.
+
+.. _strict-authenticated-encryption:
+
+Strict Authenticated Encryption
+===============================
+
+Use the :aws-java-class:`CryptoMode <service/s3/model/CryptoMode>` to specify
+:classname:`StrictAuthenticatedEncryption`.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+   :lines: 278-284
+   :dedent: 8
+   :language: java
+
+In :classname:`StrictAuthenticatedEncryption` mode, the |S3| client will throw an
+exception when retrieving an object that was not encrypted using an
+authenticated mode.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+   :lines: 278-295
+   :dedent: 8
+   :language: java
+
+See the :sdk-examples-java-s3:`complete example <S3Encrypt.java>`.

doc_source/examples-crypto-masterkey.rst

@@ -0,0 +1,153 @@
+.. Copyright 2010-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+   This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
+   International License (the "License"). You may not use this file except in compliance with the
+   License. A copy of the License is located at http://creativecommons.org/licenses/by-nc-sa/4.0/.
+
+   This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+   either express or implied. See the License for the specific language governing permissions and
+   limitations under the License.
+
+##########################################################
+|S3| Client-Side Encryption with Client Master Keys
+##########################################################
+
+.. meta::
+   :description: How to use the cryptography configuration settings for the AWS SDK for Java
+   :keywords: cryptography, encryption, example code
+
+The following examples use the
+:aws-java-class:`AmazonS3EncryptionClientBuilder <services/s3/AmazonS3EncryptionClientBuilder>`
+to create an |S3| client with client-side encryption enabled. Once configured,
+any object you upload to |S3| using this client
+will be encrypted. Any objects you get from |S3| using this client will automatically
+be decrypted.
+
+.. note::
+   The examples here demonstrate using the |S3| client-side
+   encryption with customer managed client master keys. To learn how to use encryption
+   with |KMS| managed keys, see the :doc:`examples-crypto-kms` topic.
+
+You can choose from three encryption modes when enabling client-side |S3| encryption.
+The sections below show how to enable each type. To learn which algorithms each mode uses,
+see :aws-java-class:`CryptoMode <services/s3/model/CryptoMode>` definition.
+
+Required Imports
+================
+
+Import the following libraries for the examples on this page.
+
+**Imports**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+   :lines: 16-24,26-31
+   :language: java
+
+.. _encryption-only:
+
+Encryption only Mode
+====================
+
+This is the default mode, if no :classname:`CryptoMode` is not specified. To use a
+symmetric key for encryption, pass the symmetric key to the
+:aws-java-class:`EncryptionMaterials` constructor. The example below uses
+the Java class :class:`KeyGenerator` to generate a symmetric private key.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+  :lines: 198-204
+  :dedent: 8
+  :language: java
+
+To use an asymmetric key, simply pass the key pair to the same class
+:aws-java-class:`EncryptionMaterials`. The example below uses the
+:class:`KeyPairGenerator` class to generate a key pair.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+  :lines: 217-223
+  :dedent: 8
+  :language: java
+
+You can retrieve the object with the same client.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+  :lines: 229
+  :dedent: 8
+  :language: java
+
+See the :sdk-examples-java-s3:`complete example <S3Encrypt.java>`.
+
+.. _authenticated-encryption:
+
+Authenticated Encryption Mode
+=============================
+
+When :classname:`AuthenticatedEncryption` mode is used, an improved key wrapping algorithm is applied
+applied during encryption. When decrypting in this mode, the algorithm is able to verify the integrity
+of the decrypted object and throw an exception if the check fails.
+To get more details about how authenticated encryption works, see the
+:blog:`Amazon S3 Client-Side Authenticated Encryption <developer/amazon-s3-client-side-authenticated-encryption>`
+blog post.
+
+To use client-side authenticated encryption, two steps are required:
+
+    #. Include the latest `Bouncy Castle jar <https://www.bouncycastle.org/latest_releases.html>`_
+       in the classpath.
+    #. Explicitly specify the cryptographic mode of authenticated encryption when
+       instantiating an S3 encryption client.
+
+Use the :aws-java-class:`CryptoMode <service/s3/model/CryptoMode>` to specify
+:classname:`AuthenticatedEncryption`.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+   :lines: 67-72
+   :dedent: 8
+   :language: java
+
+The :classname:`AuthenticatedEncryption` mode can retrieve unencrypted objects as well as
+objects encrypted with :classname:`EncryptionOnly` mode. This example shows the
+|S3| encryption client retrieving an unencrypted object.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+   :lines: 66-79
+   :dedent: 8
+   :language: java
+
+See the :sdk-examples-java-s3:`complete example <S3Encrypt.java>`.
+
+.. _strict-authenticated-encryption:
+
+Strict Authenticated Encryption
+===============================
+
+Use the :aws-java-class:`CryptoMode <service/s3/model/CryptoMode>` to specify
+:classname:`StrictAuthenticatedEncryption`.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+   :lines: 132-137
+   :dedent: 8
+   :language: java
+
+In :classname:`StrictAuthenticatedEncryption`, the |S3| client will throw an
+exception when retrieving an object that was not encrypted using an
+authenticated mode.
+
+**Code**
+
+.. literalinclude:: example_code/s3/src/main/java/aws/example/s3/S3Encrypt.java
+   :lines: 131-149
+   :dedent: 8
+   :language: java
+
+See the :sdk-examples-java-s3:`complete example <S3Encrypt.java>`.

doc_source/examples-crypto.rst

@@ -0,0 +1,35 @@
+.. Copyright 2010-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+
+   This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
+   International License (the "License"). You may not use this file except in compliance with the
+   License. A copy of the License is located at http://creativecommons.org/licenses/by-nc-sa/4.0/.
+
+   This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+   either express or implied. See the License for the specific language governing permissions and
+   limitations under the License.
+
+#################################
+Using |S3| Client-Side Encryption
+#################################
+
+.. meta::
+   :description: How to use the cryptography configuration settings for the AWS SDK for Java
+   :keywords: cryptography, encryption, example code
+
+Encrypting data using the |S3| encryption client is one way you can provide an
+additional layer of protection for sensitive information you store in |S3|.
+If you are new to cryptography,
+see the :KMS-dg:`Cryptography Basics <crypto-intro>` in the |KMS-dg| for a basic overview of
+cryptography terms and algorithms.
+
+.. include:: includes/examples-note.txt
+
+.. toctree::
+    :titlesonly:
+    :maxdepth: 1
+
+    examples-crypto-masterkey
+    examples-crypto-kms
+
+For information about cryptography support across all AWS SDKs, see
+:AWS-gr:`AWS SDK Support for Amazon S3 Client-Side Encryption <aws_sdk_cryptography>` in the |AWS-gr|.

doc_source/examples-s3.rst

@@ -31,3 +31,4 @@ This section provides examples of programming |S3|_ using the |sdk-java|_.
     examples-s3-bucket-policies
     examples-s3-transfermanager
     examples-s3-website-configuration
+    examples-crypto