botocore.exceptions.ClientError : Client Side KMS Encryption

Question

I am trying to encrypt a pdf file in my application with a key I created in AWS IAM and upload the encrypted file to S3. I use boto3 to achieve this. I could upload the file to S3 without encryption though. Here is my function that does the encryption :

def write(self):
    print 'Write to S3'
    client = boto3.client('kms')

    s3 = boto3.client('s3')
    input_file = open('265987747.pdf', 'rb')
    data = input_file.read()
    input_file.close()
    print type(data)
    response = client.encrypt(
        KeyId='alias/efax',
        Plaintext=data,
        EncryptionContext={
            'string': 'string'
        }
    )
    #Upload file to S3
    #s3.upload_file("265987747.pdf", "bucket_efax", "265987747.pdf")

I get this following error :

botocore.exceptions.ClientError: An error occurred (ValidationException) when calling the Encrypt operation: 1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length less than or equal to 4096

I am not sure if I am using the correct method to encrypt a file in KMS.

Answer 1

Your probably trying to encrypt data which is more than 4 KB.

As the documentation states your data cannot be more than 4 KB (your error also points that out).

You can encrypt up to 4 KB of arbitrary data such as an RSA key, a database password, or other sensitive customer information.

If you are moving encrypted data from one region to another, you can use this API to encrypt in the new region the plaintext data key that was used to encrypt the data in the original region. This provides you with an encrypted copy of the data key that can be decrypted in the new region and used there to decrypt the encrypted data.

See the docs for more info

As far as I remember boto doesn't support client side encryption of files yet.

You will have to encrypt them yourself and send them to s3, I have implemented a small code for client side encryption here for django filefield. Hope it helps