I have been using AWS SDK V3 for PHP to put object to S3 with Server side encryption using customer provided key. The documentation is quite sketchy (or at least I havent found it).
For uploading the object using the S3client, I use putobject with
$params['SSECustomerAlgorithm'] = 'AES256'; $params['SSECustomerKey'] = $this->encryptioncustkey; $params['SSECustomerKeyMD5'] = $this->encryptioncustkeymd5;
The $this->encryptioncustkey is a plain customer key (not base64_encoded because the SDK seems to be doing that) and this->encryptioncustkeymd5 = md5($this->encryptioncustkey,true);
The put object works fine. However, the problem is in generating a createSignedURL.
$cmd = $client->getCommand('GetObject', array( 'Bucket' => $bucket, 'Key' => $storedPath, 'ResponseContentDisposition' => 'attachment;charset=utf-8;filename="'.utf8_encode($fileName).'"', 'ResponseContentType' => $ctype, 'SSECustomerAlgorithm' => 'AES256', 'SSECustomerKey' => $this->encryptioncustkey, 'SSECustomerKeyMD5' => $this->encryptioncustkey64md5 ));
but I get a weird response indicating that it is missing "x-amz-server-side-encryption" (ServerSideEncryption) which according to documentation is not required for SSE-C. Even if I set it to ServerSideEncryption='AES256' it has no effect.
<Error> <Code>InvalidArgument</Code> <Message> Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key. </Message> <ArgumentName>x-amz-server-side-encryption</ArgumentName> <ArgumentValue>null</ArgumentValue> <RequestId>A3368F6CE5DD310D</RequestId> <HostId> nHavXXz/gFOoJT0tnh+wgFTbTgGdpggRkyb0sDh07H7SomcX7HrcKU1dDzgZimrQwyaVQEqAjdk= </HostId> </Error>
I was running into the same issue and tried every possible permutation to try to get it to work. I finally concluded that this use case is not supported. Reading through the scattered and arcane documentation on the subject, it seems the only way to access SSE-C content on S3 is by specifying the
x-amz-server-side-encryption-customer-key-MD5 fields in the HTTP request header, not in the URL.
What I ended up doing is to store the content in question in S3 unencrypted and with the ACL set to
private (you could upload it as such from the get go, or use
copyObject() to make a copy with those settings). Then, when I wanted to get the ["time-bombed"] pre-signed URL for the GET request, I just used the command similar to the one in your question, but omitting the SSE parameters. That worked for me.