How to use S3 SSE C (Server Side Encryption with Client Provided Keys) on NodeJS

Question

How do I use SSE C encryption on NodeJS? I tried the below but got an error

s3.putObject({
  Bucket: 'mybucket',
  Body: 'Hello S3',
  ACL: 'private',
  Key: 'test.txt',
  SSECustomerAlgorithm: 'AES256',
  SSECustomerKey: '0699Exxxxxx'
}, (err) => {
  if (err) return console.error(err.stack)
  s3.getSignedUrl('getObject', {
    Key: 'test.txt',
    Expires: 60,
    SSECustomerAlgorithm: 'AES256',
    SSECustomerKey: '0699Exxxxxx'
  }, (err, data) => {
    if (err) return console.error(err.stack)
    console.log(data)
  })
})

Problem is I get "The secret key was invalid for the specified algorithm"

sails> (node:4802) DeprecationWarning: Calling an asynchronous function without callback is deprecated.
InvalidArgument: The secret key was invalid for the specified algorithm.
    at Request.extractError (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/services/s3.js:538:35)
    at Request.callListeners (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/request.js:668:14)
    at Request.transition (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/request.js:670:12)
    at Request.callListeners (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
    at Request.emit (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/request.js:668:14)
    at Request.transition (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/request.js:670:12)
    at Request.callListeners (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
    at callNextListener (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/sequential_executor.js:95:12)
    at IncomingMessage.onEnd (/home/jiewmeng/Dropbox/goldbell-server/node_modules/aws-sdk/lib/event_listeners.js:211:11)
    at emitNone (events.js:91:20)
    at IncomingMessage.emit (events.js:185:7)

Whats wrong? They key I tried using was generated like:

➜  openssl enc -d -a -md sha1 -aes-256-cbc -nosalt -p
enter aes-256-cbc decryption password:
key=0699EC90A02...
iv =433BFB13C10...

I used the key for SSECustomerKey

Answer 1

Try generating your key this way:

const ssecKey = Buffer.alloc(32, 'your key')

Then you can use it like

s3.putObject({
  Bucket: 'mybucket',
  Body: 'Hello S3',
  ACL: 'private',
  Key: 'test.txt',
  SSECustomerAlgorithm: 'AES256',
  SSECustomerKey: ssecKey
}, (err) => {
  if (err) return console.error(err.stack)

  s3.getSignedUrl('getObject', {
    Key: 'test.txt',
    Expires: 60,
    SSECustomerAlgorithm: 'AES256',
    SSECustomerKey: ssecKey
  }, (err, data) => {
    if (err) return console.error(err.stack)

    console.log(data)
  })
})