问题
Regarding the AWS S3 tool "sync" and a "customer-provided encryption key", it says here,
--sse-c-key (string) The customer-provided encryption key to use to server-side encrypt the object in S3. If you provide this value, --sse-c be specfied as well. The key provided should not be base64 encoded.
How does one supply a key on the command line that is not base64 encoded?
If the key is not base64 encoded, then surely some of the key's bytes would not be expressible as characters?
回答1:
At first glance, this seems like a HUGE oversight in the aws cli. However, buried deep in the CLI documentation is a blurb on how to provide binary data on the command line.
http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-file
This did in fact work for me...
aws s3 cp --sse-c AES256 --sse-c-key fileb://key.bin large_file s3://mybucket/
The fileb:// part is the answer
回答2:
All it expects is exactly 32 char key. AES256 keys are 32 bytes and so --sse-c-key expects 32 chars. Obviously a base64 encoded key length will be different. I agree it is unreasonable to expect a AES key chars to be in printable range of chars. I had the same issue. So instead of using some arbitrary keys, I generated AES128 keys and hex coded them which gave me 32 chars. I am not recommending it as a solution, but if fixed mine.
aws s3 sync data-dir s3://mybucket --sse-c AES256 --sse-c-key B3DBCB8D7594F0A21D3D9E0EA3B75444
来源:https://stackoverflow.com/questions/35897753/how-to-supply-a-key-on-the-command-line-thats-not-base-64-encoded