public class EncryptedFileTransferManager extends AbstractFileTransferManager
It provides APIs to upload and download single or multiple files in a simple but efficient manner with high throughput.
The utility uses multiple threads to upload simultaneously multiple segments for a large file upload. It manages the required resources such as connections to the cloud service and threads.
Client-side Encryption
The FTM API uses a technique called "envelope encryption" for client-side transparent data encryption.
For every object upload operation, a unique symmetric key is generated by the API for every stored Object. This symmetric key is used to encrypt object content. This object encryption key is then encrypted with the user provided master key (RSA key pair of 2048 bit size). This encrypted key is stored alongside the object data (in the form of object custom meta-data). This encrypted key is known as the envelope key.
When retrieving the object data using this API, the envelope key is retrieved first and decrypted using the private key part of the master key (specified during upload operation) to obtain the original object encryption key. This object encryption key is then used to decrypt and retrieve the original object content.
The user provided master key pair is generated and managed by the user. (Note: For uploading an object, only public key part is required. While for downloading, only private key part of the key-pair is required.) The object encryption key is managed by the API transparently.
The API supports rotating the master key. When key rotation is requested for an object, the API will retrieve the object's current envelop key, decrypt it using provided old private key of the original master key, then re-encrypt it using the new master key.
Exceptions
The methods in this interface may throw following exceptions:
ClientException
- if the client API failed to process the request or the response from the server.ServiceException
- if the storage cloud service returned an error or unexpected response.InvalidContainerName
if the container name is invalidInvalidObjectName
if the object name is invalidDecryptionFailed
if the object content could not be decrypted. Verify the encryption key and retry the operation.Modifier and Type | Method and Description |
---|---|
static EncryptedFileTransferManager |
getDefaultFileTransferManager(FileTransferAuth fileTransferAuth, FileTransferManagerConfig managerConfig)
Factory method to create
EncryptedFileTransferManager object. |
void |
rotateKey(String containerName, String objectName, PrivateKey oldPrivKey)
Rotates the RSA (master) key used for encryption of envelop key of the object.
|
containerExists, copyObject, copyObject, createContainer, createContainer, createSSEEnabledContainer, deleteContainer, deleteObject, deleteObjects, download, downloadAsync, downloadDirectory, downloadDirectoryAsync, downloadMultipleFiles, downloadMultipleFilesAsync, downloadStream, forceDeleteContainer, getAccount, getApiVersion, getContainer, getContainerReplicationPolicy, getFileTransferManagerConfig, getManagementThreadPool, getObject, getObjectRestoreJob, getReplicationPolicies, getRequestCount, getSession, getThreadPool, listContainers, listContainers, listObjects, listObjects, objectExists, restoreObject, setContainerReplicationPolicy, setFileTransferAuth, setFileTransferManagerConfig, setObjectMetadata, shutdown, shutdownNow, updateAccountMetadata, updateContainerMetadata, updateObjectMetadata, upload, uploadAsync, uploadDirectory, uploadDirectoryAsync, uploadMultipleFiles, uploadMultipleFilesAsync, uploadSegmentedStream, uploadStream
public static EncryptedFileTransferManager getDefaultFileTransferManager(FileTransferAuth fileTransferAuth, FileTransferManagerConfig managerConfig) throws ClientException, ServiceException
EncryptedFileTransferManager
object.
This returns a singleton instance of this class.
fileTransferAuth
- Authentication credentials for transfer.managerConfig
- Configuration information for the transfer manager. It must contain a valid RSA key pair. The key pair must contain at least either private or public key.InvalidEncryptionKeyException
- If the managerConfig param is missing, or it does not contain a valid key pair.ClientException
ServiceException
public void rotateKey(String containerName, String objectName, PrivateKey oldPrivKey)
The specified old private key is used to decrypt the current envelope key and then a new envelope key is generated by re-encrypting the object encryption key using the master key specified by the KeyPair property of the EncryptedFileTransferManager
's configuration.
The dynamic large objects (DLO) are not supported by this API.
Note: For key rotation, the new key pair specified by the FileTransferManagerConfig
object (while creating the EncryptedFileTransferManager
object) must contain both public and private key part of the key pair.
containerName
- container nameobjectName
- object nameoldPrivKey
- Private key of old RSA key pair that was used to encrypt the encryption key of the object.DecryptionFailed
- if the old private key fails to decrypt the current envelop key. Verify the encryption key and retry the operation.InvalidEncryptionKeyException
- if the KeyPair specified by the FileTransferManagerConfig
object does not contain both public and private keyIllegalArgumentException
- if the specified old private key is null.ObjectNotEncrypted
- if the specified object is not encrypted.UnsupportedObjectType
- if the specified object type is not supported.