aws-encryption-sdk
The AWS Encryption SDK for Python provides a fully compliant, native Python implementation of the AWS Encryption SDK.
The latest full documentation can be found at Read the Docs.
Find us on GitHub.
See Support Policy for details on the current support status of all major versions of this library.
Getting Started
Required Prerequisites
Python 3.8+
cryptography >= 3.4.6
boto3 >= 1.10.0
attrs
Installation
Note
If you have not already installed cryptography, you might need to install additional prerequisites as detailed in the cryptography installation guide for your operating system.
$ pip install aws-encryption-sdk
Concepts
There are four main concepts that you need to understand to use this library:
Cryptographic Materials Managers
Cryptographic materials managers (CMMs) are resources that collect cryptographic materials and prepare them for use by the Encryption SDK core logic.
An example of a CMM is the default CMM, which is automatically generated anywhere a caller provides a master key provider. The default CMM collects encrypted data keys from all master keys referenced by the master key provider.
An example of a more advanced CMM is the caching CMM, which caches cryptographic materials provided by another CMM.
Master Key Providers
Master key providers are resources that provide master keys. An example of a master key provider is AWS KMS.
To encrypt data in this client, a MasterKeyProvider object must contain at least one MasterKey object. MasterKeyProvider objects can also contain other MasterKeyProvider objects.
Master Keys
Master keys generate, encrypt, and decrypt data keys. An example of a master key is a KMS customer master key (CMK).
Data Keys
Data keys are the encryption keys that are used to encrypt your data. If your algorithm suite uses a key derivation function, the data key is used to generate the key that directly encrypts the data.
Usage
EncryptionSDKClient
To use this module, you (the caller) must first create an instance of the EncryptionSDKClient class.
The constructor to this class accepts an optional keyword argument, commitment_policy, that controls which algorithm suites can be used for encryption and decryption. If no value is provided for this argument, a default value of REQUIRE_ENCRYPT_REQUIRE_DECRYPT is used. Unless you have specialized performance requirements or are in the process of migrating from an older version of the AWS Encryption SDK, we recommend using the default value.
    import aws_encryption_sdk
    from aws_encryption_sdk.identifiers import CommitmentPolicy

    client = aws_encryption_sdk.EncryptionSDKClient(
        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
    )
You must then create an instance of either a master key provider or a CMM. The examples in this readme use the StrictAwsKmsMasterKeyProvider class.
StrictAwsKmsMasterKeyProvider
A StrictAwsKmsMasterKeyProvider is configured with an explicit list of AWS KMS CMKs with which to encrypt and decrypt data. On encryption, it encrypts the plaintext with all configured CMKs. On decryption, it only attempts to decrypt ciphertexts that have been wrapped with a CMK that matches one of the configured CMK ARNs.
To create a StrictAwsKmsMasterKeyProvider you must provide one or more CMKs. For providers that will only be used for encryption, you can use any valid KMS key identifier. For providers that will be used for decryption, you must use the key ARN; key ids, alias names, and alias ARNs are not supported.
Because the StrictAwsKmsMasterKeyProvider uses the boto3 SDK to interact with AWS KMS, it requires AWS Credentials.
To provide these credentials, use the standard means by which boto3 locates credentials or provide a pre-existing instance of a botocore session to the StrictAwsKmsMasterKeyProvider. This latter option can be useful if you have an alternate way to store your AWS credentials or you want to reuse an existing instance of a botocore session in order to decrease startup costs.
If you configure the StrictAwsKmsMasterKeyProvider with multiple CMKs, the final message will include a copy of the data key encrypted by each configured CMK.
    import aws_encryption_sdk

    kms_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[
        'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
        'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
    ])
You can add CMKs from multiple regions to the StrictAwsKmsMasterKeyProvider.
    import aws_encryption_sdk

    kms_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[
        'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
        'arn:aws:kms:us-west-2:3333333333333:key/33333333-3333-3333-3333-333333333333',
        'arn:aws:kms:ap-northeast-1:4444444444444:key/44444444-4444-4444-4444-444444444444'
    ])
DiscoveryAwsKmsMasterKeyProvider
We recommend using a StrictAwsKmsMasterKeyProvider in order to ensure that you can only encrypt and decrypt data using the AWS KMS CMKs you expect. However, if you are unable to explicitly identify the AWS KMS CMKs that should be used for decryption, you can instead use a DiscoveryAwsKmsMasterKeyProvider for decryption operations. This provider attempts decryption of any ciphertexts as long as they match a DiscoveryFilter that you configure. A DiscoveryFilter consists of a list of AWS account ids and an AWS partition.
    import aws_encryption_sdk
    from aws_encryption_sdk.key_providers.kms import DiscoveryFilter

    discovery_filter = DiscoveryFilter(
        account_ids=['222222222222', '333333333333'],
        partition='aws'
    )
    kms_key_provider = aws_encryption_sdk.DiscoveryAwsKmsMasterKeyProvider(
        discovery_filter=discovery_filter
    )
If you do not want to filter the set of allowed accounts, you can also omit the discovery_filter argument.
Note that a DiscoveryAwsKmsMasterKeyProvider cannot be used for encryption operations.
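As an added illustration (not code from the aws-encryption-sdk project) of the two rules stated above: which key identifiers a StrictAwsKmsMasterKeyProvider can decrypt with, and what a DiscoveryFilter matches on. The ARN parser and the function names are hypothetical helpers written for this example; the SDK's own validation may differ in detail.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Hypothetical stand-in for the rules the README states; not the SDK's own code.
# Real AWS account ids are 12 digits, so the pattern insists on that.
_KMS_ARN = re.compile(
    r"^arn:(?P<partition>[a-z][a-z0-9-]*):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<resource_type>key|alias)/(?P<resource_id>.+)$"
)


@dataclass(frozen=True)
class KmsArn:
    partition: str
    region: str
    account: str
    resource_type: str   # "key" or "alias"
    resource_id: str


def parse_kms_arn(identifier: str) -> Optional[KmsArn]:
    """Parse a KMS ARN; returns None for anything that is not one
    (bare key ids and alias names such as 'alias/my-key' land here)."""
    match = _KMS_ARN.match(identifier)
    if match is None:
        return None
    return KmsArn(**match.groupdict())


def usable_for_strict_decrypt(identifier: str) -> bool:
    """Decryption with a StrictAwsKmsMasterKeyProvider needs key ARNs:
    key ids, alias names and alias ARNs are rejected (README, above)."""
    arn = parse_kms_arn(identifier)
    return arn is not None and arn.resource_type == "key"


def rejected_for_decrypt(key_ids: List[str]) -> List[str]:
    """Vet a whole key_ids list before building a decrypt-side provider and
    return the identifiers that would not be accepted."""
    return [k for k in key_ids if not usable_for_strict_decrypt(k)]


@dataclass(frozen=True)
class DiscoveryFilterRule:
    """Same two inputs the README's DiscoveryFilter takes."""
    account_ids: FrozenSet[str]
    partition: str


def matches_discovery_filter(wrapping_key_arn: str, rule: DiscoveryFilterRule) -> bool:
    """Mirror of what the README says a DiscoveryFilter checks on each encrypted
    data key: the wrapping key's partition and account id. Non-key-ARN
    identifiers never match, since discovery works on ARNs found in the message."""
    arn = parse_kms_arn(wrapping_key_arn)
    if arn is None or arn.resource_type != "key":
        return False
    return arn.partition == rule.partition and arn.account in rule.account_ids


if __name__ == "__main__":
    # Constructed identifiers for the demo run.
    print(rejected_for_decrypt([
        "arn:aws:kms:us-east-1:222222222222:key/22222222-2222-2222-2222-222222222222",
        "arn:aws:kms:us-east-1:222222222222:alias/my-key",
        "alias/my-key",
    ]))
    rule = DiscoveryFilterRule(account_ids=frozenset({"222222222222"}), partition="aws")
    print(matches_discovery_filter(
        "arn:aws:kms:eu-west-1:222222222222:key/22222222-2222-2222-2222-222222222222", rule))
```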
Encryption and Decryption
After you create an instance of an EncryptionSDKClient and a MasterKeyProvider, you can use either of the client’s two encrypt/decrypt functions to encrypt and decrypt your data.
    import aws_encryption_sdk
    from aws_encryption_sdk.identifiers import CommitmentPolicy

    client = aws_encryption_sdk.EncryptionSDKClient(
        commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
    )

    kms_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[
        'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
        'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
    ])
    my_plaintext = b'This is some super secret data! Yup, sure is!'

    my_ciphertext, encryptor_header = client.encrypt(
        source=my_plaintext,
        key_provider=kms_key_provider
    )

    decrypted_plaintext, decryptor_header = client.decrypt(
        source=my_ciphertext,
        key_provider=kms_key_provider
    )

    assert my_plaintext == decrypted_plaintext
    assert encryptor_header.encryption_context == decryptor_header.encryption_context
You can provide an encryption context: a form of additional authenticating information.
    import aws_encryption_sdk
    from aws_encryption_sdk.identifiers import CommitmentPolicy

    client = aws_encryption_sdk.EncryptionSDKClient(
        commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
    )

    kms_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[
        'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
        'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
    ])
    my_plaintext = b'This is some super secret data! Yup, sure is!'

    my_ciphertext, encryptor_header = client.encrypt(
        source=my_plaintext,
        key_provider=kms_key_provider,
        encryption_context={
            'not really': 'a secret',
            'but adds': 'some authentication'
        }
    )

    decrypted_plaintext, decryptor_header = client.decrypt(
        source=my_ciphertext,
        key_provider=kms_key_provider
    )

    assert my_plaintext == decrypted_plaintext
    assert encryptor_header.encryption_context == decryptor_header.encryption_context
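The encryption context is authenticated, but it only protects you if the decrypting side actually compares it with what it expects before using the plaintext. The following is an added example, not code from the aws-encryption-sdk project: the helper names are hypothetical, and the stand-in client lets it run offline in place of a real EncryptionSDKClient.

```python
from typing import Any, Dict, Mapping

# Added example, not part of the aws-encryption-sdk project. Shows the check a
# decrypting application should run on header.encryption_context returned by
# client.decrypt(). All helper names below are hypothetical.


class EncryptionContextMismatch(Exception):
    """The message was not encrypted under the context this code expected."""


def context_mismatches(stored: Mapping[str, str], expected: Mapping[str, str]) -> Dict[str, Any]:
    """Compare the header's encryption context against the expected pairs.

    This is a subset check rather than equality: every expected pair must be
    present with the same value, but the stored context may carry extra entries
    (the SDK adds an entry of its own when a signing algorithm suite is used).
    """
    problems: Dict[str, Any] = {}
    for key, value in expected.items():
        if key not in stored:
            problems[key] = "missing"
        elif stored[key] != value:
            problems[key] = {"expected": value, "found": stored[key]}
    return problems


def decrypt_and_verify(client: Any, ciphertext: bytes, key_provider: Any,
                       expected_context: Mapping[str, str]) -> bytes:
    """Decrypt with an EncryptionSDKClient-like object and refuse to return the
    plaintext unless the authenticated context carries every expected pair."""
    plaintext, header = client.decrypt(source=ciphertext, key_provider=key_provider)
    problems = context_mismatches(header.encryption_context, expected_context)
    if problems:
        # Do not hand the plaintext back: it was encrypted for some other purpose.
        raise EncryptionContextMismatch(problems)
    return plaintext


class _FakeHeader:
    """Constructed stand-in for the header object client.decrypt() returns."""

    def __init__(self, encryption_context: Mapping[str, str]) -> None:
        self.encryption_context = dict(encryption_context)


class _FakeClient:
    """Constructed stand-in for EncryptionSDKClient so this runs offline. A real
    client reads the context from the message header it has just authenticated."""

    def __init__(self, stored_context: Mapping[str, str],
                 plaintext: bytes = b"constructed plaintext") -> None:
        self._header = _FakeHeader(stored_context)
        self._plaintext = plaintext

    def decrypt(self, source: bytes, key_provider: Any):
        return self._plaintext, self._header


if __name__ == "__main__":
    expected = {"purpose": "readme-demo", "tenant": "acme"}
    good = _FakeClient({**expected, "extra-entry": "added by someone else"})
    print(decrypt_and_verify(good, b"<ciphertext>", None, expected))
    bad = _FakeClient({"purpose": "readme-demo", "tenant": "other-tenant"})
    try:
        decrypt_and_verify(bad, b"<ciphertext>", None, expected)
    except EncryptionContextMismatch as exc:
        print("rejected:", exc)
```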
Streaming
If you are handling large files or simply do not want to put the entire plaintext or ciphertext in memory at once, you can use this library’s streaming clients directly. The streaming clients are file-like objects, and behave exactly as you would expect a Python file object to behave, offering context manager and iteration support.
    import aws_encryption_sdk
    from aws_encryption_sdk.identifiers import CommitmentPolicy
    import filecmp

    client = aws_encryption_sdk.EncryptionSDKClient(
        commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT
    )

    kms_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[
        'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
        'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
    ])
    plaintext_filename = 'my-secret-data.dat'
    ciphertext_filename = 'my-encrypted-data.ct'

    with open(plaintext_filename, 'rb') as pt_file, open(ciphertext_filename, 'wb') as ct_file:
        with client.stream(
            mode='e',
            source=pt_file,
            key_provider=kms_key_provider
        ) as encryptor:
            for chunk in encryptor:
                ct_file.write(chunk)

    new_plaintext_filename = 'my-decrypted-data.dat'

    with open(ciphertext_filename, 'rb') as ct_file, open(new_plaintext_filename, 'wb') as pt_file:
        with client.stream(
            mode='d',
            source=ct_file,
            key_provider=kms_key_provider
        ) as decryptor:
            for chunk in decryptor:
                pt_file.write(chunk)

    assert filecmp.cmp(plaintext_filename, new_plaintext_filename)
    assert encryptor.header.encryption_context == decryptor.header.encryption_context
Performance Considerations
Adjusting the frame size can significantly improve the performance of encrypt/decrypt operations with this library.
Processing each frame in a framed message involves a certain amount of overhead. If you are encrypting a large file, increasing the frame size can offer potentially significant performance gains. We recommend that you tune these values to your use-case in order to obtain peak performance.
Thread safety
The EncryptionSDKClient and all provided CryptoMaterialsManager are thread safe.
But instances of BaseKMSMasterKeyProvider MUST not be shared between threads, for the reasons outlined in the boto3 docs.
Because the BaseKMSMasterKeyProvider creates a new boto3 session per region, users do not need to create a client for every region in every thread; a new BaseKMSMasterKeyProvider per thread is sufficient.
(The BaseKMSMasterKeyProvider is the internal parent class of all the KMS Providers.)
Finally, while the CryptoMaterialsCache is thread safe, sharing entries in that cache across threads needs to be done carefully (see the Note about partition name in the API Docs).
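One way to apply the rule above in a multi-threaded service, as an added example (not code from the aws-encryption-sdk project): the EncryptionSDKClient is shared, while each worker thread lazily builds and keeps its own KMS master key provider. PerThreadProvider, kms_provider_factory, encrypt_in_worker and exercise are hypothetical helper names; the demo run uses a plain object as a stand-in provider so it runs without AWS access.

```python
import threading
from typing import Any, Callable, List, Tuple

# Added example, not part of the aws-encryption-sdk project. One provider per
# thread, reused within that thread; the client itself can be shared freely.


class PerThreadProvider:
    """Lazily builds one provider per thread with `factory` and hands each
    thread back its own instance on every call to get()."""

    def __init__(self, factory: Callable[[], Any]) -> None:
        self._factory = factory
        self._local = threading.local()   # one slot per thread
        self._lock = threading.Lock()
        self.created = 0                  # how many providers were built in total

    def get(self) -> Any:
        provider = getattr(self._local, "provider", None)
        if provider is None:
            provider = self._factory()    # e.g. a fresh StrictAwsKmsMasterKeyProvider
            self._local.provider = provider
            with self._lock:
                self.created += 1
        return provider


def kms_provider_factory(key_arns: List[str]) -> Callable[[], Any]:
    """Factory for real use: a fresh StrictAwsKmsMasterKeyProvider (and so its
    own boto3 sessions) per thread. The import is deferred so this file still
    runs where the SDK is not installed."""
    def build() -> Any:
        import aws_encryption_sdk
        return aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=list(key_arns))
    return build


def encrypt_in_worker(client: Any, providers: PerThreadProvider, plaintext: bytes) -> bytes:
    """What a worker thread runs: the shared client with this thread's provider."""
    ciphertext, _header = client.encrypt(source=plaintext, key_provider=providers.get())
    return ciphertext


def exercise(providers: PerThreadProvider, n_threads: int, calls_per_thread: int = 3) -> Tuple[int, int]:
    """Run worker threads that each ask for a provider several times. Returns
    (providers built, distinct providers seen); both equal n_threads when the
    per-thread rule holds: one instance per thread, reused within the thread."""
    seen: List[Any] = []
    errors: List[str] = []
    lock = threading.Lock()

    def worker() -> None:
        first = providers.get()
        for _ in range(calls_per_thread - 1):
            if providers.get() is not first:
                with lock:
                    errors.append("provider changed within a thread")
        with lock:
            seen.append(first)    # keep the objects alive so their ids stay distinct

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    if errors:
        raise RuntimeError(errors[0])
    return providers.created, len({id(p) for p in seen})


if __name__ == "__main__":
    # Constructed factory: a plain object stands in for a KMS provider offline.
    demo = PerThreadProvider(factory=object)
    print(exercise(demo, n_threads=4))   # (4, 4)
```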
Modules
High level AWS Encryption SDK client functions.
Contains exception classes for AWS Encryption SDK.
AWS Encryption SDK native data structures for defining implementation-specific characteristics.
Common functions and structures for use in cryptographic materials caches.
Base class interface for caches for use with caching crypto material managers.
Local, in-memory, LRU, cryptographic materials cache for use with caching cryptographic materials providers.
Null cache: a cache which does not cache.
Base class interface for Master Key Providers.
Master Key Providers for use with AWS KMS.
Resources required for Raw Master Keys.
Primitive structures for use when interacting with crypto material managers.
Base class interface for crypto material managers.
Caching crypto material manager.
Default crypto material manager class.
High level AWS Encryption SDK client for streaming objects.
Public data structures for aws_encryption_sdk.
Internal Implementation Details
Contains authentication primitives.
Contains data key helper functions.
Contains elliptic curve functionality.
Contains encryption primitives and helper functions.
Helper functions used for generating deterministic initialization vectors (IVs).
Contains wrapping key primitives.
Default values for AWS Encryption SDK.
Formatting functions for aws_encryption_sdk.
Components for handling AWS Encryption SDK message deserialization.
Components for handling serialization and deserialization of encryption context data in AWS Encryption SDK messages.
Components for handling AWS Encryption SDK message serialization.
Helper functions for consistently obtaining str and bytes objects in both Python2 and Python3.
Public data structures for aws_encryption_sdk.
Helper utility functions for AWS Encryption SDK.
Changelog
3.3.0 – 2024-05-20
Deprecation
The AWS Encryption SDK for Python no longer supports Python 3.7 as of version 3.3; only Python 3.8+ is supported.
Fixes
fix: Handle errors when decrypting multiple EDKs with raw RSA MKPs (#672 (https://github.com/aws/aws-encryption-sdk-python/pull/672))
chore: Updated description of decrypt() usage in src/aws_encryption_sdk/__init__.py (#660 (https://github.com/aws/aws-encryption-sdk-python/pull/660))
fix(CI): removed appveyor.yml (#668 (https://github.com/aws/aws-encryption-sdk-python/pull/668))
fix(CI): updated ci_test-vector-handler.yaml and ci_tests.yaml (#665 (https://github.com/aws/aws-encryption-sdk-python/pull/665))
Maintenance
feat: remove Python3.7 support (#648 (https://github.com/aws/aws-encryption-sdk-python/pull/648))
chore: Update copyright headers (#677 (https://github.com/aws/aws-encryption-sdk-python/pull/677))
chore(CFN): Changes for MPL TestVectors (#653 (https://github.com/aws/aws-encryption-sdk-python/pull/653))
3.2.0 – 2024-03-18
Features
test Python 3.12 in CI (#623 (https://github.com/josecorella/aws-encryption-sdk-python/issues/623)) (93a67d8 (https://github.com/josecorella/aws-encryption-sdk-python/commit/93a67d8a3806f560ead950e6d8898e53c4c4f9df))
update requirements and README (#638 (https://github.com/josecorella/aws-encryption-sdk-python/issues/638)) (bcead77 (https://github.com/josecorella/aws-encryption-sdk-python/commit/bcead776b022566ad8211a08e1a458375b23a356))
Fixes
CI for Decrypt Oracle (#558 (https://github.com/josecorella/aws-encryption-sdk-python/issues/558)) (6c6b732 (https://github.com/josecorella/aws-encryption-sdk-python/commit/6c6b732379197e91d2137af9f018f670a1ce500a))
deprecate python36 from chalice (#539 (https://github.com/josecorella/aws-encryption-sdk-python/issues/539)) (f8aa29f (https://github.com/josecorella/aws-encryption-sdk-python/commit/f8aa29fe98d419dac916846d7ff207685ea95307))
test: correctly invoke ec.generate_private_key (#585 (https://github.com/josecorella/aws-encryption-sdk-python/issues/585)) (560e714 (https://github.com/josecorella/aws-encryption-sdk-python/commit/560e7143ac7caf98e190b17ce2af97b7eea6be16))
update pyca range (#507 (https://github.com/josecorella/aws-encryption-sdk-python/issues/507)) (aced92c (https://github.com/josecorella/aws-encryption-sdk-python/commit/aced92c3d87dddf3e0920b9dfad4cedd2473604a))
Use FORBID_ENCRYPT_ALLOW_DECRYPT policy for decrypt oracle (#538 (https://github.com/josecorella/aws-encryption-sdk-python/issues/538)) (e91838f (https://github.com/josecorella/aws-encryption-sdk-python/commit/e91838f65705867fc95506a4323054bca24e9521))
wrong formatting python warning (#546 (https://github.com/josecorella/aws-encryption-sdk-python/issues/546)) (9b618d3 (https://github.com/josecorella/aws-encryption-sdk-python/commit/9b618d3a5e517435304a891393fefcbbd89faf65))
Maintenance
Add example for custom KMS client config (#440 (https://github.com/josecorella/aws-encryption-sdk-python/issues/440)) (08f305a (https://github.com/josecorella/aws-encryption-sdk-python/commit/08f305a9b7b5fc897d9cafac55fb98f3f2a6fe13))
Add Thread safety section to README (#562 (https://github.com/josecorella/aws-encryption-sdk-python/issues/562)) (7a07b16 (https://github.com/josecorella/aws-encryption-sdk-python/commit/7a07b161d51900066c131627f9f7330acb926d3b))
bump deps & document upstream test (#646 (https://github.com/josecorella/aws-encryption-sdk-python/issues/646)) (a93ffe7 (https://github.com/josecorella/aws-encryption-sdk-python/commit/a93ffe7a98f8913040f6a693701ba287dd1570fb))
CFN: Commit existing CFN (#636 (https://github.com/josecorella/aws-encryption-sdk-python/issues/636)) (c122076 (https://github.com/josecorella/aws-encryption-sdk-python/commit/c12207621d295b335fdfb500c2b02694cc6786d8))
ci: skip pyenv installation if already exists (#627 (https://github.com/josecorella/aws-encryption-sdk-python/issues/627)) (1006758 (https://github.com/josecorella/aws-encryption-sdk-python/commit/10067581cd3316fbb379929806db6867e4cb0feb))
deps: bump actions/checkout from 3 to 4 (#607 (https://github.com/josecorella/aws-encryption-sdk-python/issues/607)) (e5c331b (https://github.com/josecorella/aws-encryption-sdk-python/commit/e5c331b68590825b55b5300ffab6dc80fbd20818))
deps: bump actions/setup-python from 2 to 4.2.0 (#491 (https://github.com/josecorella/aws-encryption-sdk-python/issues/491)) (d064bf8 (https://github.com/josecorella/aws-encryption-sdk-python/commit/d064bf8813d25e1ba4a8cce7269b8ee48acfd79a))
deps: bump cryptography from 39.0.0 to 39.0.1 in /test (#559 (https://github.com/josecorella/aws-encryption-sdk-python/issues/559)) (6468137 (https://github.com/josecorella/aws-encryption-sdk-python/commit/646813786c6250a525afb67bebc486eda206edd8))
deps: bump cryptography from 39.0.1 to 41.0.2 in /test (#592 (https://github.com/josecorella/aws-encryption-sdk-python/issues/592)) (3ba8019 (https://github.com/josecorella/aws-encryption-sdk-python/commit/3ba8019681ed95c41bb9448f0c3897d1aecc7559))
deps: bump cryptography from 41.0.2 to 41.0.6 in /test (#626 (https://github.com/josecorella/aws-encryption-sdk-python/issues/626)) (c67e6bd (https://github.com/josecorella/aws-encryption-sdk-python/commit/c67e6bd471b30e13cc7f1b724ce7d19df2380c22))
deps: bump dependabot/fetch-metadata from 1.3.0 to 1.3.6 (#549 (https://github.com/josecorella/aws-encryption-sdk-python/issues/549)) (2a6bd9d (https://github.com/josecorella/aws-encryption-sdk-python/commit/2a6bd9d70c779655077985c544df3db6a3518443))
deps: bump flake8-bugbear in /dev_requirements (#512 (https://github.com/josecorella/aws-encryption-sdk-python/issues/512)) (93f01d6 (https://github.com/josecorella/aws-encryption-sdk-python/commit/93f01d655d6bce704bd8779cc9c4acb5f96b980c))
deps: bump flake8-docstrings in /dev_requirements (#555 (https://github.com/josecorella/aws-encryption-sdk-python/issues/555)) (bd8f270 (https://github.com/josecorella/aws-encryption-sdk-python/commit/bd8f270c8717e5d4a787d33bcfda8b53bbe7751e))
deps: bump flake8-print from 4.0.0 to 5.0.0 in /dev_requirements (#554 (https://github.com/josecorella/aws-encryption-sdk-python/issues/554)) (2326531 (https://github.com/josecorella/aws-encryption-sdk-python/commit/232653188558379bceeb884b3f74b56b07560f62))
deps: bump isort from 5.10.1 to 5.11.4 in /dev_requirements (#551 (https://github.com/josecorella/aws-encryption-sdk-python/issues/551)) (36a0ea2 (https://github.com/josecorella/aws-encryption-sdk-python/commit/36a0ea2199872d6590691b53fbea7aee2236a99e))
deps: bump pytest from 7.0.1 to 7.2.0 in /dev_requirements (#524 (https://github.com/josecorella/aws-encryption-sdk-python/issues/524)) (af98302 (https://github.com/josecorella/aws-encryption-sdk-python/commit/af983024fdd800e6b2c4ae41cdf1617c982e4916))
deps: bump pytest from 7.2.0 to 7.2.1 in /dev_requirements (#553 (https://github.com/josecorella/aws-encryption-sdk-python/issues/553)) (48f96d5 (https://github.com/josecorella/aws-encryption-sdk-python/commit/48f96d58eeb712a5faa631ce4f4930d5d23bb649))
deps: bump pytest-cov from 3.0.0 to 4.0.0 in /dev_requirements (#550 (https://github.com/josecorella/aws-encryption-sdk-python/issues/550)) (6e436e1 (https://github.com/josecorella/aws-encryption-sdk-python/commit/6e436e13ce250759a499c3d9c820384cfc26283c))
deps: bump readme-renderer from 34.0 to 37.3 in /dev_requirements (#526 (https://github.com/josecorella/aws-encryption-sdk-python/issues/526)) (38aa063 (https://github.com/josecorella/aws-encryption-sdk-python/commit/38aa06309ad8ad709044c86ac6b4951739fbf996))
deps: bump setuptools from 62.0.0 to 66.1.1 in /dev_requirements (#547 (https://github.com/josecorella/aws-encryption-sdk-python/issues/547)) (04e8c16 (https://github.com/josecorella/aws-encryption-sdk-python/commit/04e8c167273357a9548ff474c527805d8764a661))
deps: bump sphinx from 4.4.0 to 5.3.0 in /dev_requirements (#523 (https://github.com/josecorella/aws-encryption-sdk-python/issues/523)) (51cb2ce (https://github.com/josecorella/aws-encryption-sdk-python/commit/51cb2ce148bc7e048587b013337f2440b53c1387))
deps: bump tox from 3.24.5 to 3.27.1 in /dev_requirements (#528 (https://github.com/josecorella/aws-encryption-sdk-python/issues/528)) (e2c834a (https://github.com/josecorella/aws-encryption-sdk-python/commit/e2c834ac5c4a9ca65db2b225e794f7ddf4d89cc4))
deps: bump urllib3 from 1.26.14 to 1.26.18 in /test (#618 (https://github.com/josecorella/aws-encryption-sdk-python/issues/618)) (bbb2281 (https://github.com/josecorella/aws-encryption-sdk-python/commit/bbb2281ed61f8fc8700e31d9828753531c8e586f))
deps: bump vulture from 2.3 to 2.6 in /dev_requirements (#533 (https://github.com/josecorella/aws-encryption-sdk-python/issues/533)) (2822364 (https://github.com/josecorella/aws-encryption-sdk-python/commit/28223646b4c48b2508ca46e3084689988abd2d27))
deps: bump wheel from 0.37.1 to 0.38.4 in /dev_requirements (#536 (https://github.com/josecorella/aws-encryption-sdk-python/issues/536)) (1922650 (https://github.com/josecorella/aws-encryption-sdk-python/commit/19226506ad33f5b964fe6632604425923f6ba8c1))
drop py3.6 from Oracle & Test Vectors (#529 (https://github.com/josecorella/aws-encryption-sdk-python/issues/529)) (8b6a493 (https://github.com/josecorella/aws-encryption-sdk-python/commit/8b6a49388c85785a22d59430007b7873ac8acf96))
drop py36 support (#530 (https://github.com/josecorella/aws-encryption-sdk-python/issues/530)) (a753ff8 (https://github.com/josecorella/aws-encryption-sdk-python/commit/a753ff884fe3000881c7d3a2392a0b5d65cfa138))
release: add api token to prod release process (#503 (https://github.com/josecorella/aws-encryption-sdk-python/issues/503)) (333c85b (https://github.com/josecorella/aws-encryption-sdk-python/commit/333c85b40b8ee20ed6303b9775e7fb9a6c6d2c63))
release: add api token to staging release process (#502 (https://github.com/josecorella/aws-encryption-sdk-python/issues/502)) (78e43b3 (https://github.com/josecorella/aws-encryption-sdk-python/commit/78e43b38a5b9df9a925084242a230fccf91476f2))
rm upstream-py27 (#564 (https://github.com/josecorella/aws-encryption-sdk-python/issues/564)) (b378508 (https://github.com/josecorella/aws-encryption-sdk-python/commit/b3785085b7c00fef27a250abf78549d6e7928802))
SupportPolicy: Mark 1.x & 2.x End-of-Support (#501 (https://github.com/josecorella/aws-encryption-sdk-python/issues/501)) (ca58e5e (https://github.com/josecorella/aws-encryption-sdk-python/commit/ca58e5e0ce373e9ae5132bb5ce95b6886a0a37d3))
3.1.1 – 2022-06-20
Maintenance
Replace deprecated cryptography verify_interface with isinstance #467
3.1.0 – 2021-11-10
Deprecation
The AWS Encryption SDK for Python no longer supports Python 3.5 as of version 3.1; only Python 3.6+ is supported. Customers using Python 3.5 can still use the 2.x line of the AWS Encryption SDK for Python, which will continue to receive security updates, in accordance with our Support Policy.
Feature
Warn on Deprecated Python usage #368
Add Python 3.10 to CI
Remove Python 3.5 from testing
3.0.0 – 2021-07-01
Deprecation
The AWS Encryption SDK for Python no longer supports Python 2 or Python 3.4 as of major version 3.x; only Python 3.5+ is supported. Customers using Python 2 or Python 3.4 can still use the 2.x line of the AWS Encryption SDK for Python, which will continue to receive security updates for the next 12 months, in accordance with our Support Policy.
Maintenance
Move away from deprecated cryptography int_from_bytes #355
2.4.0 – 2021-07-01
Deprecation Announcement
The AWS Encryption SDK for Python is discontinuing support for Python 2. Future major versions of this library will drop support for Python 2 and begin to adopt changes that are known to break Python 2.
Support for Python 3.4 will be removed at the same time. Moving forward, we will support Python 3.5+.
Security updates will still be available for the Encryption SDK 2.x line for the next 12 months, in accordance with our Support Policy.
2.3.0 – 2021-06-16
Features
AWS KMS multi-Region Key support
Added new the master key MRKAwareKMSMasterKey and the new master key providers MRKAwareStrictAwsKmsMasterKeyProvider and MRKAwareDiscoveryAwsKmsMasterKeyProvider that support AWS KMS multi-Region Keys.
See https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html for more details about AWS KMS multi-Region Keys. See https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/configure.html#config-mrks for more details about how the AWS Encryption SDK interoperates with AWS KMS multi-Region keys.
2.2.0 – 2021-05-27
Features
Improvements to the message decryption process
See https://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-x5h4-9gqw-942j.
2.1.0 – 2020-04-20
Maintenance
New minimum cryptography dependency 2.5.0 since we’re using newer byte type checking #308
New minimum boto dependency 1.10.0 to ensure KMS Decrypt APIs know about the KeyId parameter #317
Add python 3.8 and 3.9 to CI and update setup.py to clarify we support them #329
Update decrypt oracle and test vector handlers with 2.0.0 changes #303
Added a number of CodeBuild specs to support integration tests and release processes
2.0.0 – 2020-09-24
Features
Updates to the AWS Encryption SDK. 73cce71
Breaking Changes
KMSMasterKeyProvider is removed. Customers must use StrictAwsKmsMasterKeyProvider with explicit key ids, or DiscoveryAwsKmsMasterKeyProvider to allow decryption of any ciphertext to which the application has access.
The encrypt, decrypt, and stream methods in the aws_encryption_sdk module are removed, replaced by identically named methods on the new EncryptionSDKClient class.
Key committing algorithm suites are now default.
See Migration guide for more details.
1.7.0 – 2020-09-24
Features
Updates to the AWS Encryption SDK. ef90351
Deprecations
KMSMasterKeyProvider is deprecated. Customers should move to StrictAwsKmsMasterKeyProvider with explicit key ids, or DiscoveryAwsKmsMasterKeyProvider to allow decryption of any ciphertext to which the application has access.
The encrypt, decrypt, and stream methods in the aws_encryption_sdk module are deprecated. Customers should move to the identically named methods on the new EncryptionSDKClient class.
See Migration guide for more details.
1.4.1 – 2019-09-20
Bugfixes
Minor
1.4.0 – 2019-05-23
Minor
Remove dependence on all source_stream APIs except for read(). #103
Potentially Backwards Incompatible
Encryption streams no longer close the source_stream when they themselves close. If you are using context managers for all of your stream handling, this change will not affect you. However, if you have been relying on the StreamDecryptor or StreamEncryptor to close your source_stream for you, you will now need to close those streams yourself.
StreamDecryptor.body_start and StreamDecryptor.body_end, deprecated in a prior release, have now been removed.
Maintenance
Move all remaining unittest tests to pytest. #99
Bugfixes
Fix MasterKeyProvider.decrypt_data_key_from_list error handling. #150
1.3.8 – 2018-11-15
Bugfixes
Remove debug logging that may contain input data when encrypting non-default unframed messages. #105
Minor
1.3.7 – 2018-09-20
Bugfixes
Fix KMSMasterKeyProvider to determine the default region before trying to create the requested master keys. #83
1.3.6 – 2018-09-04
Bugfixes
1.3.5 – 2018-08-01
Move the aws-encryption-sdk-python repository from awslabs to aws.
1.3.4 – 2018-04-12
Bugfixes
AWS KMS master key/provider user agent extension fixed. #47
Maintenance
1.3.3 – 2017-12-05
Bugfixes
Remove use of attrs functionality deprecated in 17.3.0 #29
Maintenance
Blacklisted pytest 3.3.0 #32 pytest-dev/pytest#2957
1.3.2 – 2017-09-28
Addressed issue #13 to properly handle non-seekable source streams.
1.3.1 – 2017-09-12
Reorganization
Moved source into src.
Moved examples into examples.
Broke out internal.crypto into smaller, feature-oriented, modules.
Tooling
Maintenance
Updated internal.crypto.authentication.Verifier to use Prehashed.
Addressed docstring issue #7.
Addressed docstring issue #8.
Addressed logging issue #10.
Addressed assorted linting issues to bring source, tests, examples, and docs up to configured linting standards.
1.3.0 – 2017-08-04
Major
Added cryptographic materials managers as a concept
Added data key caching
Moved to deterministic IV generation
Minor
Added changelog
Fixed attrs usage to provide consistent behavior with 16.3.0 and 17.x
Fixed performance bug which caused KDF calculations to be performed too frequently
Removed line_length as a configurable parameter of EncryptingStream and DecryptingStream objects to simplify class APIs after it was found in further testing to have no measurable impact on performance
Added deterministic length elliptic curve signature generation
Added support for calculating ciphertext message length from header
Migrated README from md to rst
1.2.2 – 2017-05-23
Fixed attrs version to 16.3.0 to avoid breaking changes in attrs 17.1.0
1.2.0 – 2017-03-21
Initial public release