def decrypt(file_input, s3_metadata, kms_client):
    """
    Decrypt an S3 object that was written with KMS client-side encryption (CSE).

    The object's user metadata carries the encryption envelope: the base64
    encoded IV and wrapped data key, the JSON material description, and an
    optional content-encryption algorithm selector.

    :param file_input: file-like object; ``read()`` must return the whole ciphertext
    :param s3_metadata: dict of the object's metadata, keyed by the ``HEADER_*`` names
    :param kms_client: client handed to ``get_decryption_aes_key`` to unwrap the data key
    :return: ``BytesIO`` positioned at the start of the plaintext
    :raises KeyError: when ``HEADER_IV``, ``HEADER_MATDESC`` or ``HEADER_KEY`` is missing
    """
    logger.info("Decrypting Object with CSE-KMS")

    # Only the algorithm header is optional; the other envelope fields are required.
    algorithm = s3_metadata.get(HEADER_ALG)
    init_vector = base64.b64decode(s3_metadata[HEADER_IV])
    material_description = json.loads(s3_metadata[HEADER_MATDESC])
    wrapped_key = base64.b64decode(s3_metadata[HEADER_KEY])

    # NOTE(review): the algorithm selector above comes from the same object
    # metadata as the envelope; whether it is cryptographically bound to the
    # data key (e.g. through the material description inside
    # get_decryption_aes_key) is not visible here — confirm before relying on it.
    aes_key = get_decryption_aes_key(wrapped_key, material_description, kms_client)

    # The whole object is buffered in memory before decryption.
    ciphertext = file_input.read()
    if algorithm == ALG_GCM:
        plaintext = decrypt_gcm(ciphertext, aes_key, init_vector)
    else:
        # An absent or any non-GCM selector is handled as CBC.
        plaintext = decrypt_cbc(ciphertext, aes_key, init_vector)
    return BytesIO(plaintext)