Exemplo n.º 1
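        /// <summary>
        /// Downloads the I-KEK object from S3 through the client-side encryption client
        /// (KMS materials keyed by <c>KmsCmkId</c>) and returns its content as raw bytes.
        /// </summary>
        /// <param name="objectKeyName">S3 object key under which the I-KEK is stored.</param>
        /// <param name="versionId">
        /// Object version to fetch; when null or empty no version is set on the request.
        /// </param>
        /// <returns>The object body exactly as the encryption client returns it.</returns>
        /// <remarks>
        /// The returned array holds key material. NOTE(review): nothing here wipes the
        /// intermediate buffer or the result; callers should keep its lifetime short.
        /// </remarks>
        protected async Task <byte[]> DownloadIkek(string objectKeyName, string versionId)
        {
            // Only the object location is logged, never the key bytes.
            logger.Info($"download I-KEK from {objectKeyName} versionId={versionId}");
            var getObject = new GetObjectRequest {
                BucketName = BucketName, Key = objectKeyName
            };

            if (!string.IsNullOrEmpty(versionId))
            {
                getObject.VersionId = versionId;
            }

            using (var algorithm = new KMSAlgorithm(new AmazonKeyManagementServiceClient(AwsRegion), KmsCmkId))
            {
                var materials = new EncryptionMaterials(algorithm);
                using (var s3Client = GetS3EncryptionClient(materials, new AmazonS3CryptoConfiguration {
                    RegionEndpoint = AwsRegion
                }))
                // Dispose the response itself so the underlying stream and connection are
                // released on every path, including a failed read.
                using (var s3Object = await s3Client.GetObjectAsync(getObject))
                using (var buffer = new MemoryStream())
                {
                    // Copy the bytes verbatim. UploadIkek stores a raw byte[]; decoding the
                    // body as text and re-encoding it as UTF-8 would replace every byte
                    // sequence that is not valid UTF-8 and hand back a different key.
                    await s3Object.ResponseStream.CopyToAsync(buffer);

                    return buffer.ToArray();
                }
            }
        }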
Exemplo n.º 2
        /// <summary>
        /// Uploads the I-KEK bytes to S3 through the client-side encryption client
        /// (KMS materials keyed by <c>KmsCmkId</c>), additionally requesting SSE-KMS
        /// with the same key id on the stored object.
        /// </summary>
        /// <param name="objectKeyName">S3 object key to write the I-KEK under.</param>
        /// <param name="ikek">Raw I-KEK bytes; sent as <c>application/octet-stream</c>.</param>
        /// <returns>
        /// The <c>VersionId</c> reported by the put response.
        /// NOTE(review): presumably null when the bucket is not versioned — confirm.
        /// </returns>
        protected async Task <string> UploadIkek(string objectKeyName, byte[] ikek)
        {
            // Log messages name the CMK and the object key only; the key bytes are never logged.
            logger.Info($"encrypt I-KEK using {KmsCmkId}");
            logger.Info($"upload I-KEK to {objectKeyName}");

            using (var kmsAlgorithm = new KMSAlgorithm(new AmazonKeyManagementServiceClient(AwsRegion), KmsCmkId))
            {
                var encryptionMaterials = new EncryptionMaterials(kmsAlgorithm);
                var cryptoConfiguration = new AmazonS3CryptoConfiguration();
                cryptoConfiguration.RegionEndpoint = AwsRegion;

                using (var encryptionClient = GetS3EncryptionClient(encryptionMaterials, cryptoConfiguration))
                {
                    var request = new PutObjectRequest();
                    request.BucketName  = BucketName;
                    request.Key         = objectKeyName;
                    request.InputStream = new MemoryStream(ikek);
                    request.ContentType = "application/octet-stream";
                    // Server-side KMS encryption is requested on top of the client-side envelope.
                    request.ServerSideEncryptionKeyManagementServiceKeyId = KmsCmkId;
                    request.ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS;

                    var response = await encryptionClient.PutObjectAsync(request);

                    logger.Info($"uploaded I-KEK to {objectKeyName}");
                    return response.VersionId;
                }
            }
        }