9 kms "github.com/aliyun/alibaba-cloud-sdk-go/services/kms"
10 "github.com/aliyun/aliyun-oss-go-sdk/oss"
11 "github.com/aliyun/aliyun-oss-go-sdk/oss/crypto"
// SampleRsaNormalObject shows client-side encryption of a single object with an
// RSA master key: the object body is encrypted with AES in CTR mode on PutObject
// and decrypted transparently on GetObject. Lines of the original file that this
// listing does not reproduce (the `if err != nil` guards around each "Error:"
// print, closing braces, and whatever follows GetObject before ReadAll) are
// marked where they fall.
14 func SampleRsaNormalObject() {
// Endpoint and credentials are placeholders. Real code should take them from
// configuration or the environment rather than from literals committed with the source.
16 client, err := oss.New("<yourEndpoint>", "<yourAccessKeyId>", "<yourAccessKeySecret>")
// Error branch: the guard around this print and what follows it are not shown
// in this listing (the same applies to every "Error:" print below).
18 fmt.Println("Error:", err)
22 // Create a description of the master key. Once created it cannot be modified; the description and the master key correspond one-to-one.
23 // If all objects use the same master key the description may be left empty, but the master key can then never be replaced,
24 // because with an empty description it is impossible to tell which master key an object was encrypted under.
25 // Strongly recommended: give each master key its own description (a JSON string) and have the client persist the mapping between them.
26 // The server does not store that correspondence.
28 // The master key description as a map (the SDK represents it as a JSON string).
29 materialDesc := make(map[string]string)
30 materialDesc["desc"] = "<your master encrypt key material describe information>"
32 // Create the master key object from the description and the RSA key pair (public key first, then private key).
// NOTE(review): the private key is a string literal placeholder here; in real use load it
// from a protected key store and never commit it with the source.
33 masterRsaCipher, err := osscrypto.CreateMasterRsa(materialDesc, "<your rsa public key>", "<your rsa private key>")
35 fmt.Println("Error:", err)
39 // Wrap the master key in a content cipher: object bodies are encrypted with AES in CTR mode.
// AES-CTR provides confidentiality only; a CTR ciphertext can be altered without decryption
// failing. Nothing in this listing adds an integrity check, so confirm whether the SDK
// verifies integrity before relying on tamper detection.
40 contentProvider := osscrypto.CreateAesCtrCipher(masterRsaCipher)
42 // Get a client-side-encrypting handle on the bucket; the bucket itself must already exist.
43 // A crypto bucket is used like an ordinary bucket.
44 cryptoBucket, err := osscrypto.GetCryptoBucket(client, "<yourBucketName>", contentProvider)
46 fmt.Println("Error:", err)
50 // PutObject: the body is encrypted before upload.
51 err = cryptoBucket.PutObject("<yourObjectName>", bytes.NewReader([]byte("yourObjectValueByteArrary")))
53 fmt.Println("Error:", err)
57 // GetObject: the body is decrypted on download.
58 body, err := cryptoBucket.GetObject("<yourObjectName>")
60 fmt.Println("Error:", err)
// The original lines between this error print and ReadAll are not shown here;
// confirm the body returned by GetObject is closed once it has been read.
// ioutil.ReadAll loads the whole object into memory; io.ReadAll (Go 1.16+) is the
// non-deprecated equivalent.
65 data, err := ioutil.ReadAll(body)
67 fmt.Println("Error:", err)
70 fmt.Println("data:", string(data))
// SampleRsaMultiPartObject shows a client-side-encrypted multipart upload of a
// local file with an RSA master key. The file is split into parts of an
// AES-block-aligned size, each part is uploaded through the crypto bucket with a
// shared PartCryptoContext, and the upload is completed at the end. Lines the
// listing does not reproduce (`if err != nil` guards, closing braces) are marked
// where they fall.
73 func SampleRsaMultiPartObject() {
// Endpoint and credentials are placeholders; take them from configuration or the
// environment in real code.
75 client, err := oss.New("<yourEndpoint>", "<yourAccessKeyId>", "<yourAccessKeySecret>")
// Error branch: the guard around this print and what follows it are not shown
// in this listing (the same applies to every "Error:" print below).
77 fmt.Println("Error:", err)
81 // Create a description of the master key. Once created it cannot be modified; the description and the master key correspond one-to-one.
82 // If all objects use the same master key the description may be left empty, but the master key can then never be replaced,
83 // because with an empty description it is impossible to tell which master key an object was encrypted under.
84 // Strongly recommended: give each master key its own description (a JSON string) and have the client persist the mapping between them.
85 // The server does not store that correspondence.
87 // The master key description as a map (the SDK represents it as a JSON string).
88 materialDesc := make(map[string]string)
89 materialDesc["desc"] = "<your master encrypt key material describe information>"
91 // Create the master key object from the description and the RSA key pair (public key first, then private key).
// NOTE(review): the private key is a placeholder literal; load it from a protected key store in real use.
92 masterRsaCipher, err := osscrypto.CreateMasterRsa(materialDesc, "<your rsa public key>", "<your rsa private key>")
94 fmt.Println("Error:", err)
98 // Wrap the master key in a content cipher: part bodies are encrypted with AES in CTR mode.
// AES-CTR gives confidentiality only; nothing in this listing adds an integrity check.
99 contentProvider := osscrypto.CreateAesCtrCipher(masterRsaCipher)
101 // Get a client-side-encrypting handle on the bucket; the bucket itself must already exist.
102 // A crypto bucket is used like an ordinary bucket.
103 cryptoBucket, err := osscrypto.GetCryptoBucket(client, "<yourBucketName>", contentProvider)
105 fmt.Println("Error:", err)
109 fileName := "<yourLocalFilePath>"
110 fileInfo, err := os.Stat(fileName)
112 fmt.Println("Error:", err)
// fileInfo is only valid when os.Stat succeeded (guard not shown).
115 fileSize := fileInfo.Size()
117 // Encryption context shared by every part of this upload: total size and part size.
118 var cryptoContext osscrypto.PartCryptoContext
119 cryptoContext.DataSize = fileSize
121 // The desired number of parts; the actual count follows from the part size computed below.
122 expectPartCount := int64(10)
124 // The AES-CTR part size currently has to be a multiple of 16 bytes (the cipher block size),
// presumably so each part's counter position can be derived from its offset — confirm.
// NOTE(review): integer division — for a file smaller than 16*expectPartCount (160) bytes
// this yields PartSize == 0, and OSS also imposes a minimum size on non-final parts.
// Guard PartSize > 0 (or clamp it to a minimum) before use; how SplitFileByPartSize
// reacts to 0 is not visible here.
125 cryptoContext.PartSize = (fileSize / expectPartCount / 16) * 16
// The context is passed by pointer here, so the SDK may fill it in (not visible in this listing);
// UploadPartFromFile below takes it by value.
127 imur, err := cryptoBucket.InitiateMultipartUpload("<yourObjectName>", &cryptoContext)
129 fmt.Println("Error:", err)
// Split the local file into (offset, size, number) chunks of the computed part size.
133 chunks, err := oss.SplitFileByPartSize(fileName, cryptoContext.PartSize)
135 fmt.Println("Error:", err)
// Upload every chunk; each successful part is collected for CompleteMultipartUpload.
// `int(chunk.Number)` is the conventional Go spelling of the conversion below.
139 var partsUpload []oss.UploadPart
140 for _, chunk := range chunks {
141 part, err := cryptoBucket.UploadPartFromFile(imur, fileName, chunk.Offset, chunk.Size, (int)(chunk.Number), cryptoContext)
// Error branch inside the loop; the guard, what follows it, and the loop's closing
// brace are not shown in this listing.
143 fmt.Println("Error:", err)
146 partsUpload = append(partsUpload, part)
// NOTE(review): after InitiateMultipartUpload any failure leaves the upload pending on the
// server; no AbortMultipartUpload appears in this listing, so a real client should abort
// on error to avoid orphaned parts. The completion result is discarded here.
150 _, err = cryptoBucket.CompleteMultipartUpload(imur, partsUpload)
152 fmt.Println("Error:", err)
157 // Query the master key according to the master key description information.
158 // If you need to decrypt different master key encryption objects, you need to provide this interface.
157 // MockRsaManager looks up the master key by its material description.
158 // Supply an implementation like this when objects encrypted under different master keys must be decrypted.
159 type MockRsaManager struct {
// (struct body and closing brace not shown in this listing)
// GetMasterKey returns the RSA key pair for the given material description as a
// two-element list: public key first, then private key (the same order CreateMasterRsa
// takes them). This mock ignores matDesc and always builds the same pair; the return
// statement is not shown in this listing. A real manager must select the pair by
// matDesc — otherwise an object encrypted under another master key cannot be
// decrypted — and should fetch the private key from a protected store rather than
// embed it.
162 func (mg *MockRsaManager) GetMasterKey(matDesc map[string]string) ([]string, error) {
164 keyList := []string{"<yourRsaPublicKey>", "<yourRsaPrivatKey>"}
168 // Decrypt the object encrypted by different master keys
168 // SampleMultipleMasterRsa shows decrypting objects that were encrypted under
// different master keys: a master cipher manager is registered as a crypto
// bucket option so the SDK can look up the right key pair from an object's
// material description at download time. Lines the listing does not reproduce
// (`if err != nil` guards, closing braces) are marked where they fall.
169 func SampleMultipleMasterRsa() {
// Endpoint and credentials are placeholders; take them from configuration or the
// environment in real code.
171 client, err := oss.New("<yourEndpoint>", "<yourAccessKeyId>", "<yourAccessKeySecret>")
// Error branch: the guard around this print and what follows it are not shown
// in this listing (the same applies to every "Error:" print below).
173 fmt.Println("Error:", err)
177 // Create a description of the master key. Once created it cannot be modified; the description and the master key correspond one-to-one.
178 // If all objects use the same master key the description may be left empty, but the master key can then never be replaced,
179 // because with an empty description it is impossible to tell which master key an object was encrypted under.
180 // Strongly recommended: give each master key its own description (a JSON string) and have the client persist the mapping between them.
181 // The server does not store that correspondence.
183 // The master key description as a map (the SDK represents it as a JSON string).
184 materialDesc := make(map[string]string)
185 materialDesc["desc"] = "<your master encrypt key material describe information>"
187 // Create the master key object used for new uploads from the description and the RSA key pair.
// NOTE(review): the private key is a placeholder literal; load it from a protected key store in real use.
188 masterRsaCipher, err := osscrypto.CreateMasterRsa(materialDesc, "<your rsa public key>", "<your rsa private key>")
190 fmt.Println("Error:", err)
194 // Wrap the master key in a content cipher: object bodies are encrypted with AES in CTR mode.
// AES-CTR gives confidentiality only; nothing in this listing adds an integrity check.
195 contentProvider := osscrypto.CreateAesCtrCipher(masterRsaCipher)
197 // To decrypt objects encrypted under other master keys, register a master cipher manager.
// GetMasterKey is declared on *MockRsaManager, so the pointer is what is passed.
198 var mockRsaManager MockRsaManager
199 var options []osscrypto.CryptoBucketOption
200 options = append(options, osscrypto.SetMasterCipherManager(&mockRsaManager))
202 // Get a client-side-encrypting handle on the bucket (with the manager option); the bucket must already exist.
203 // A crypto bucket is used like an ordinary bucket.
204 cryptoBucket, err := osscrypto.GetCryptoBucket(client, "<yourBucketName>", contentProvider, options...)
206 fmt.Println("Error:", err)
210 // PutObject: the body is encrypted with masterRsaCipher before upload.
211 err = cryptoBucket.PutObject("<yourObjectName>", bytes.NewReader([]byte("yourObjectValueByteArrary")))
213 fmt.Println("Error:", err)
217 // GetObject on an object encrypted under another RSA key: presumably the SDK
// consults the registered manager with that object's material description — confirm.
218 body, err := cryptoBucket.GetObject("<otherObjectNameEncryptedWithOtherRsa>")
220 fmt.Println("Error:", err)
// The original lines between this error print and ReadAll are not shown here;
// confirm the body returned by GetObject is closed once it has been read.
// ioutil.ReadAll loads the whole object into memory; io.ReadAll (Go 1.16+) is the
// non-deprecated equivalent.
225 data, err := ioutil.ReadAll(body)
227 fmt.Println("Error:", err)
230 fmt.Println("data:", string(data))
// SampleKmsNormalObject shows client-side encryption of a single object where the
// master key is a KMS key identified by <YourKmsId> instead of a local RSA pair;
// the object body is still encrypted with AES in CTR mode. Lines the listing does
// not reproduce (`if err != nil` guards, closing braces, what follows GetObject
// before ReadAll) are marked where they fall.
233 func SampleKmsNormalObject() {
// Endpoint and credentials are placeholders; take them from configuration or the
// environment in real code.
235 client, err := oss.New("<yourEndpoint>", "<yourAccessKeyId>", "<yourAccessKeySecret>")
// Error branch: the guard around this print and what follows it are not shown
// in this listing (the same applies to every "Error:" print below).
237 fmt.Println("Error:", err)
// A separate credential is used for KMS. Keep it distinct from the OSS credential and
// scope it to the minimum KMS operations on this one key (presumably the wrap/unwrap of
// the per-object data key — which API calls the master cipher makes is not visible here).
242 kmsClient, err := kms.NewClientWithAccessKey("<yourKmsRegion>", "<yourKmsAccessKeyId>", "<yourKmsAccessKeySecret>")
244 fmt.Println("Error:", err)
248 // Create a description of the master key. Once created it cannot be modified; the description and the master key correspond one-to-one.
249 // If all objects use the same master key the description may be left empty, but the master key can then never be replaced,
250 // because with an empty description it is impossible to tell which master key an object was encrypted under.
251 // Strongly recommended: give each master key its own description (a JSON string) and have the client persist the mapping between them.
252 // The server does not store that correspondence.
254 // The master key description as a map (the SDK represents it as a JSON string).
255 materialDesc := make(map[string]string)
256 materialDesc["desc"] = "<your kms encrypt key material describe information>"
258 // Create the master key object from the description, the KMS key id and the KMS client.
259 masterkmsCipher, err := osscrypto.CreateMasterAliKms(materialDesc, "<YourKmsId>", kmsClient)
261 fmt.Println("Error:", err)
265 // Wrap the master key in a content cipher: object bodies are encrypted with AES in CTR mode.
// AES-CTR gives confidentiality only; nothing in this listing adds an integrity check.
266 contentProvider := osscrypto.CreateAesCtrCipher(masterkmsCipher)
268 // Get a client-side-encrypting handle on the bucket; the bucket itself must already exist.
269 // A crypto bucket is used like an ordinary bucket.
270 cryptoBucket, err := osscrypto.GetCryptoBucket(client, "<yourBucketName>", contentProvider)
272 fmt.Println("Error:", err)
276 // PutObject: the body is encrypted before upload.
277 err = cryptoBucket.PutObject("<yourObjectName>", bytes.NewReader([]byte("yourObjectValueByteArrary")))
279 fmt.Println("Error:", err)
283 // GetObject: the body is decrypted on download.
284 body, err := cryptoBucket.GetObject("<yourObjectName>")
286 fmt.Println("Error:", err)
// The original lines between this error print and ReadAll are not shown here;
// confirm the body returned by GetObject is closed once it has been read.
// ioutil.ReadAll loads the whole object into memory; io.ReadAll (Go 1.16+) is the
// non-deprecated equivalent.
291 data, err := ioutil.ReadAll(body)
293 fmt.Println("Error:", err)
296 fmt.Println("data:", string(data))
// Runs the four samples in sequence. The header of the enclosing function (the
// line before this run of calls) is not shown in this listing.
300 SampleRsaNormalObject()
301 SampleRsaMultiPartObject()
302 SampleMultipleMasterRsa()
303 SampleKmsNormalObject()