This documentation describes the Amazon S3 Encryption Client version 3.x, which is an independent library. For information about previous versions of the Amazon S3 Encryption Client, see the AWS SDK Developer Guide for your programming language.

The Amazon S3 Encryption Client is a client-side encryption library that enables you to encrypt an object locally to ensure its security before passing it to Amazon Simple Storage Service (Amazon S3). Amazon S3 receives your object already encrypted; it does not play a role in encrypting or decrypting it. After you instantiate the Amazon S3 Encryption Client, your objects are automatically encrypted and decrypted as part of your Amazon S3 PutObject and GetObject requests. The Amazon S3 Encryption Client is provided free of charge under the Apache 2.0 license.

The Amazon S3 Encryption Client is supported in the following programming languages and platforms. This guide focuses on version 3.x of the Amazon S3 Encryption Client for Java, which is provided in the amazon-s3-encryption-client-java GitHub repository. For more information on the remaining language implementations, see their respective AWS SDK Developer Guides.

C++ (AWS SDK for C++)

Go (AWS SDK for Go)

Java (amazon-s3-encryption-client-java repository)

.NET (v2) (AWS SDK for .NET)

Ruby (v2) (AWS SDK for Ruby)

PHP (v3) (AWS SDK for PHP)

The Amazon S3 Encryption Client provides:

By default, the Amazon S3 Encryption Client generates a unique data key for each object that it encrypts. This follows the cryptography best practice of using unique data keys for each encryption operation.

The Amazon S3 Encryption Client encrypts your objects using a secure, authenticated, symmetric key algorithm.

The Amazon S3 Encryption Client protects the data keys that encrypt your objects by encrypting them under a wrapping key. With the Amazon S3 Encryption Client, you define a wrapping key by passing the key to the Amazon S3 Encryption Client, which it uses to optimize its settings.