# Get started with encryption for Amazon S3 objects using an AWS SDK
The following code example shows how to get started with encryption for Amazon S3 objects.
------
#### [ .NET ]
**SDK for .NET**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/S3/SSEClientEncryptionExample#code-examples).
```
using System;
using System.IO;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Amazon.S3;
using Amazon.S3.Model;
///
/// This example shows how to apply client encryption to an object in an
/// Amazon Simple Storage Service (Amazon S3) bucket.
///
public class SSEClientEncryption
{
public static async Task Main()
{
string bucketName = "amzn-s3-demo-bucket";
string keyName = "exampleobject.txt";
string copyTargetKeyName = "examplecopy.txt";
// If the AWS Region defined for your default user is different
// from the Region where your Amazon S3 bucket is located,
// pass the Region name to the Amazon S3 client object's constructor.
// For example: RegionEndpoint.USWest2.
IAmazonS3 client = new AmazonS3Client();
try
{
// Create an encryption key.
Aes aesEncryption = Aes.Create();
aesEncryption.KeySize = 256;
aesEncryption.GenerateKey();
string base64Key = Convert.ToBase64String(aesEncryption.Key);
// Upload the object.
PutObjectRequest putObjectRequest = await UploadObjectAsync(client, bucketName, keyName, base64Key);
// Download the object and verify that its contents match what you uploaded.
await DownloadObjectAsync(client, bucketName, keyName, base64Key, putObjectRequest);
// Get object metadata and verify that the object uses AES-256 encryption.
await GetObjectMetadataAsync(client, bucketName, keyName, base64Key);
// Copy both the source and target objects using server-side encryption with
// an encryption key.
await CopyObjectAsync(client, bucketName, keyName, copyTargetKeyName, aesEncryption, base64Key);
}
catch (AmazonS3Exception ex)
{
Console.WriteLine($"Error: {ex.Message}");
}
}
///
/// Uploads an object to an Amazon S3 bucket.
///
/// The initialized Amazon S3 client object used to call
/// PutObjectAsync.
/// The name of the Amazon S3 bucket to which the
/// object will be uploaded.
/// The name of the object to upload to the Amazon S3
/// bucket.
/// The encryption key.
/// The PutObjectRequest object for use by DownloadObjectAsync.
public static async Task UploadObjectAsync(
IAmazonS3 client,
string bucketName,
string keyName,
string base64Key)
{
PutObjectRequest putObjectRequest = new PutObjectRequest
{
BucketName = bucketName,
Key = keyName,
ContentBody = "sample text",
ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256,
ServerSideEncryptionCustomerProvidedKey = base64Key,
};
PutObjectResponse putObjectResponse = await client.PutObjectAsync(putObjectRequest);
return putObjectRequest;
}
///
/// Downloads an encrypted object from an Amazon S3 bucket.
///
/// The initialized Amazon S3 client object used to call
/// GetObjectAsync.
/// The name of the Amazon S3 bucket where the object
/// is located.
/// The name of the Amazon S3 object to download.
/// The encryption key used to encrypt the
/// object.
/// The PutObjectRequest used to upload
/// the object.
public static async Task DownloadObjectAsync(
IAmazonS3 client,
string bucketName,
string keyName,
string base64Key,
PutObjectRequest putObjectRequest)
{
GetObjectRequest getObjectRequest = new GetObjectRequest
{
BucketName = bucketName,
Key = keyName,
// Provide encryption information for the object stored in Amazon S3.
ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256,
ServerSideEncryptionCustomerProvidedKey = base64Key,
};
using (GetObjectResponse getResponse = await client.GetObjectAsync(getObjectRequest))
using (StreamReader reader = new StreamReader(getResponse.ResponseStream))
{
string content = reader.ReadToEnd();
if (string.Compare(putObjectRequest.ContentBody, content) == 0)
{
Console.WriteLine("Object content is same as we uploaded");
}
else
{
Console.WriteLine("Error...Object content is not same.");
}
if (getResponse.ServerSideEncryptionCustomerMethod == ServerSideEncryptionCustomerMethod.AES256)
{
Console.WriteLine("Object encryption method is AES256, same as we set");
}
else
{
Console.WriteLine("Error...Object encryption method is not the same as AES256 we set");
}
}
}
///
/// Retrieves the metadata associated with an Amazon S3 object.
///
/// The initialized Amazon S3 client object used
/// to call GetObjectMetadataAsync.
/// The name of the Amazon S3 bucket containing the
/// object for which we want to retrieve metadata.
/// The name of the object for which we wish to
/// retrieve the metadata.
/// The encryption key associated with the
/// object.
public static async Task GetObjectMetadataAsync(
IAmazonS3 client,
string bucketName,
string keyName,
string base64Key)
{
GetObjectMetadataRequest getObjectMetadataRequest = new GetObjectMetadataRequest
{
BucketName = bucketName,
Key = keyName,
// The object stored in Amazon S3 is encrypted, so provide the necessary encryption information.
ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256,
ServerSideEncryptionCustomerProvidedKey = base64Key,
};
GetObjectMetadataResponse getObjectMetadataResponse = await client.GetObjectMetadataAsync(getObjectMetadataRequest);
Console.WriteLine("The object metadata show encryption method used is: {0}", getObjectMetadataResponse.ServerSideEncryptionCustomerMethod);
}
///
/// Copies an encrypted object from one Amazon S3 bucket to another.
///
/// The initialized Amazon S3 client object used to call
/// CopyObjectAsync.
/// The Amazon S3 bucket containing the object
/// to copy.
/// The name of the object to copy.
/// The Amazon S3 bucket to which the object
/// will be copied.
/// The encryption type to use.
/// The encryption key to use.
public static async Task CopyObjectAsync(
IAmazonS3 client,
string bucketName,
string keyName,
string copyTargetKeyName,
Aes aesEncryption,
string base64Key)
{
aesEncryption.GenerateKey();
string copyBase64Key = Convert.ToBase64String(aesEncryption.Key);
CopyObjectRequest copyRequest = new CopyObjectRequest
{
SourceBucket = bucketName,
SourceKey = keyName,
DestinationBucket = bucketName,
DestinationKey = copyTargetKeyName,
// Information about the source object's encryption.
CopySourceServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256,
CopySourceServerSideEncryptionCustomerProvidedKey = base64Key,
// Information about the target object's encryption.
ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256,
ServerSideEncryptionCustomerProvidedKey = copyBase64Key,
};
await client.CopyObjectAsync(copyRequest);
}
}
```
+ For API details, see the following topics in *AWS SDK for .NET API Reference*.
+ [CopyObject](https://docs.aws.amazon.com/goto/DotNetSDKV3/s3-2006-03-01/CopyObject)
+ [GetObject](https://docs.aws.amazon.com/goto/DotNetSDKV3/s3-2006-03-01/GetObject)
+ [GetObjectMetadata](https://docs.aws.amazon.com/goto/DotNetSDKV3/s3-2006-03-01/GetObjectMetadata)
------
For a complete list of AWS SDK developer guides and code examples, see [Developing with Amazon S3 using the AWS SDKs](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.