Encrypting data with S3cmd

DreamObjects cluster migration

DreamHost is currently in the process of migrating all DreamObjects accounts to a new hardware platform.

Please review this article to identify the cluster your DreamObjects account currently resides on and the features it supports.

How to encrypt your data

S3cmd can encrypt your data while uploading to DreamObjects. To use this functionality, you must first configure your .s3cfg file as shown in this article:

Configuring your .s3cfg file

Open the .s3cfg file in your user's home directory.

[server]$ nano ~/.s3cfg

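Add the following lines so you can use encryption. Replace yourpassword with your own passphrase for gpg_passphrase. The passphrase is stored in this file in plain text, so keep ~/.s3cfg readable only by your user: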

check_ssl_certificate = True
check_ssl_hostname = True
gpg_command = /usr/bin/gpg
gpg_decrypt = %(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_encrypt = %(gpg_command)s -c --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_passphrase = yourpassword

Your configuration is now set up to encrypt data.

Encrypting data while uploading

To encrypt your data while uploading, use the -e flag. In the following example, bucket-name is the name of the bucket you're uploading content into, and testfile.txt is the name of the single file you're uploading:

[server]$ s3cmd -e put testfile.txt s3://bucket-name

upload: '/tmp/tmpfile-zFGwbLHMVEINdHh3615n' -> 's3://bucket-name/testfile.txt'  [1 of 1]
 63 of 63   100% in    0s   129.96 B/s  done

To confirm it is encrypted, navigate to the DreamObjects page. Click the View Objects button under your username. A prompt opens for you to view objects in your bucket.

Click the object, copy the URL, and then paste it into a browser. You'll see the data in the file is encrypted.

Decrypting a file

When you use s3cmd to download an encrypted file, it's automatically decrypted for you:

[server]$ s3cmd get s3://bucket-name/encrypted-file.txt
download: 's3://bucket-name/encrypted-file.txt' -> './encrypted-file.txt'  [1 of 1]
 70 of 70   100% in    0s   323.19 B/s  done

If you read the contents of the file, you'll see it's no longer encrypted:

[server]$ cat encrypted-file.txt
Testing a file

Signing an S3 URL to provide limited public access

You can manually set an expiration date for a file to be accessed. To do this, you must first convert the date into a Unix Epoch timestamp.

  1. Decide on the date you wish to allow the URL to be signed/accessed until.
  2. Visit Epoch Converter to convert your date to an Epoch Timestamp. It will look like a string of numbers. For example: 1540232086
  3. Run the following command to sign the URL until this timestamp. (Make sure to change the bucket name and file name to your actual information.)
    [server]$ s3cmd signurl s3://my_bucket/my_file.png 1540232086
    http://my-bucket.objects-us-east-1.dream.io/my_file.png?AWSAccessKeyId=DHDPTCQ3WFGHPSS5FAXG&Expires=1540232086&Signature=9nf8f9kG%2FqDa76rmET4R%2FpbtaGM%3D
    This outputs the signed URL.

    Alternatively, you can sign it for 1 week using this format:

    [server]$ s3cmd signurl s3://my_bucket/my_file.png  $(echo "`date +%s` + 3600 * 24 * 7" | bc)
  4. Share this URL so anyone can access that file until the date you have specified.
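
The timestamp conversion in step 2 and a check of the resulting link before sharing it in step 4 can both be done locally. The following is an added example, not part of the original article or of s3cmd: the function names, the 7-day cap and the sample URL (placeholder key ID and signature) are assumptions, and to_epoch relies on GNU date.

```shell
# Added example. MAX_TTL is a local policy choice, not an s3cmd setting.
MAX_TTL=$((3600 * 24 * 7))   # longest link lifetime allowed here: 1 week

# Constructed sample URL; key ID and signature are placeholders.
SAMPLE_URL='http://my-bucket.objects-us-east-1.dream.io/my_file.png?AWSAccessKeyId=EXAMPLEKEYID&Expires=1540232086&Signature=EXAMPLESIG'

# Convert a UTC date such as "2018-10-22 18:14:46" to a Unix epoch timestamp.
to_epoch() {
    date -u -d "$1" +%s
}

# Print the Expires value carried in a signed URL.
# Returns 1 if the parameter is missing or not numeric.
url_expires() {
    local exp
    exp=$(printf '%s\n' "$1" | sed -n 's/.*[?&]Expires=\([0-9][0-9]*\).*/\1/p')
    [ -n "$exp" ] || return 1
    printf '%s\n' "$exp"
}

# check_signed_url URL [NOW]: print how many seconds the link stays valid.
# Returns 1 if Expires cannot be read, 2 if the link has already expired,
# 3 if it would stay valid for longer than MAX_TTL.
check_signed_url() {
    local url="$1" now="${2:-}" exp ttl
    [ -n "$now" ] || now=$(date +%s)
    exp=$(url_expires "$url") || { echo "no Expires parameter" >&2; return 1; }
    ttl=$((exp - now))
    if [ "$ttl" -le 0 ]; then
        echo "link already expired" >&2
        return 2
    fi
    if [ "$ttl" -gt "$MAX_TTL" ]; then
        echo "link valid for more than $MAX_TTL seconds" >&2
        return 3
    fi
    printf '%s\n' "$ttl"
}

# Demo with a fixed "now" so the result does not depend on the clock.
check_signed_url "$SAMPLE_URL" 1540000000
```

Pass the output of s3cmd signurl to check_signed_url without a second argument to check it against the current time.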
