4
votes

Regarding the AWS S3 tool "sync" and a "customer-provided encryption key", it says here,

--sse-c-key (string) The customer-provided encryption key to use to server-side encrypt the object in S3. If you provide this value, --sse-c must be specified as well. The key provided should not be base64 encoded.

How does one supply a key on the command line that is not base64 encoded?

If the key is not base64 encoded, then surely some of the key's bytes would not be expressible as characters?

1
$ echo -e "\x75\x73\x65\x20\x68\x65\x78\x20\x65\x73\x63\x61\x70\x65\x73\x3F" - Michael - sqlbot
Why didn't you put that as an answer? - Ian Warburton
Honestly? Because I was guessing. :) I've never tried SSE-C with aws-cli. Does it work for you? - Michael - sqlbot
Using your key, it says, "The secret key was invalid for the specified algorithm". - Ian Warburton
My "key" isn't a key. It decodes to "use hex escapes?" - Michael - sqlbot

1 Answer

6
votes

At first glance, this seems like a HUGE oversight in the aws cli. However, buried deep in the CLI documentation is a blurb on how to provide binary data on the command line.

https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters-file.html (updated link per @Chris's comment)

This did in fact work for me...

aws s3 cp --sse-c AES256 --sse-c-key fileb://key.bin large_file s3://mybucket/

The fileb:// part is the answer.
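An added example (not part of the original answer) showing the whole round trip around `fileb://`: generating a raw 256-bit key file, checking its length before use, and passing it to `cp` or `sync`. The function names are hypothetical; `key.bin`, `mybucket` and `large_file` follow the answer, and the 32-byte requirement is the AES-256 key size.

```shell
#!/usr/bin/env bash
# Added example: helper names are hypothetical, not part of aws-cli.

# Write 32 random raw bytes (a 256-bit key) to a file only the owner can read.
make_sse_c_key() {
    local keyfile="$1"
    ( umask 077 && head -c 32 /dev/urandom > "$keyfile" )
}

# Succeed only if the file holds exactly 32 raw bytes, the size AES256 needs.
# A base64 or hex rendering of the key is longer and fails this check.
check_sse_c_key() {
    local keyfile="$1" size
    [ -f "$keyfile" ] || { echo "missing key file: $keyfile" >&2; return 1; }
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq 32 ] || { echo "key is $size bytes, need 32" >&2; return 1; }
}

# Run "aws s3 cp" or "aws s3 sync" with the key read as binary via fileb://.
# The key never appears in argv, so it stays out of shell history and ps output.
sse_c_s3() {
    local op="$1" keyfile="$2"
    shift 2
    check_sse_c_key "$keyfile" || return 1
    aws s3 "$op" --sse-c AES256 --sse-c-key "fileb://$keyfile" "$@"
}

# Usage (needs AWS credentials and network access, so it is left commented out):
#   make_sse_c_key key.bin
#   sse_c_s3 cp   key.bin large_file s3://mybucket/
#   sse_c_s3 cp   key.bin s3://mybucket/large_file ./restored_file
#   sse_c_s3 sync key.bin ./local_dir s3://mybucket/backup/
```

S3 does not store the SSE-C key, so the same `key.bin` is needed for every later download of those objects; losing the file means losing access to the data.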