Decrypting non-encrypted content with AmazonS3EncryptionClientV2

[simenstensas]

Hi! I've upgraded to the latest preview of AmazonS3EncryptionClientV2 and so far it works out of the box with encrypted content.

However it fails when getting non-encrypted content with message "Amazon.Runtime.AmazonServiceException: Unable to decrypt data for object [object] in bucket [bucket]". Since the metadata contains information about whether the content is encrypted or not, could one just not decrypt it if no headers are found?

If this is not possible, what could be a solution for me?

[simenstensas]

@bhoradc Is this something you know?

[bhoradc]

Hi @simenstensas,

Can you please confirm if you see the same issue with the previous versions of this library? We are assuming that you are using the version 3.0.0-preview.1.

Regards,
Chaitanya

[simenstensas]

Hi @bhoradc,

I have tested locally with a test project and it does not seem like it worked on version 2.1.2 either.
We recently started using this library as it is a 1-to-1 replacement for the AmazonS3Client (code-wise). If this library is not able to get unencrypted files I have a problem. Do you know if there is a configuration I need to set? Until then I will look further into your documentation.

[ashishdhingra]

@simenstensas We have created issue #71 from this discussion. The behavior needs to be investigated. Please follow the issue for any updates.

[ashishdhingra]

@simenstensas We had contacted Crypto Tools team (which owns Java S3 Encryption client) and got the below response:

---

The behavior to return plaintext violates the security guarantees of the library. A threat actor with write access to S3 can replace an encrypted object with a plaintext object, and the GetObject operation succeeds. This violates the integrity guarantee, i.e. that the original plaintext has not replaced with a different plaintext. Therefore, plaintext objects must be handled outside of the security boundary of the S3EC.

---

The current behavior makes sense. We would work on improving the error messaging to return exception with message like Please ensure the object you are attempting to decrypt has been encrypted using the S3 Encryption Client., rather than Amazon.Runtime.AmazonServiceException: Unable to decrypt data for object [object] in bucket [bucket] when instruction file is not found. It would be implemented as part of #71. Please track that issue for any progress.