### Manual .NET SDK Installation on M1 Macs

Source: https://github.com/aws/aws-encryption-sdk/wiki/Using-the-AWS-Encryption-SDK-for-.NET-on-macOS

Manually install the x86_64 .NET SDK on M1 Macs by downloading the .pkg file from Microsoft if Homebrew installation is not feasible.

```bash
# Make sure to download the OSX x64 distribution
arch -x86_64 /usr/sbin/installer -pkg ~/Downloads/dotnet-runtime-VERSION-osx-x64.pkg -target /
```

--------------------------------

### Install and Run Benchmark

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/javascript/browser/README.md

Install dependencies and run the benchmark. Use the --quick flag for faster testing with reduced iterations.

```bash
npm install
node src/launcher.js
node src/launcher.js --quick
```

--------------------------------

### Install Dependencies and Run Benchmark

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/python/README.md

Installs necessary dependencies and runs the benchmark. Use the --quick flag for reduced iterations.

```bash
pip install -r requirements.txt
```

```bash
python esdk_benchmark.py
```

```bash
python esdk_benchmark.py --quick
```

--------------------------------

### Install and Run Node.js Benchmark

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/javascript/node/README.md

Install dependencies and run the benchmark suite. Use the --quick flag for faster testing with reduced iterations.

```bash
# Install dependencies
npm install

# Run benchmark
node src/main.js

# Quick test (reduced iterations)
node src/main.js --quick
```

--------------------------------

### Install Dependencies on Linux

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/c/README.md

Installs necessary dependencies for the benchmark suite on Linux using apt.

```bash
sudo apt-get install libyaml-dev libjson-c-dev
```

--------------------------------

### Install OpenSSL and .NET SDK for x86-64 on M1 Macs

Source: https://github.com/aws/aws-encryption-sdk/wiki/Using-the-AWS-Encryption-SDK-for-.NET-on-macOS

Install OpenSSL 1.1 and the x86_64 .NET SDK using the x86_64 Homebrew installation on M1 Macs.

```bash
$ arch -x86_64 /usr/local/homebrew/bin/brew install openssl@1.1
# This .NET SDK installation will coexist with the native installation, but in a separate directory
$ arch -x86_64 /usr/local/homebrew/bin/brew install dotnet-sdk
```

--------------------------------

### Run Rust Example Tests

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/src/README.md

Verify that the examples provided with the AWS Encryption SDK for Rust are up to date. This command requires internet access and valid AWS credentials.

```bash
cd AwsEncryptionSDK/runtimes/rust/
cargo test --examples
```

--------------------------------

### Install OpenSSL 1.1 on Intel Macs

Source: https://github.com/aws/aws-encryption-sdk/wiki/Using-the-AWS-Encryption-SDK-for-.NET-on-macOS

Install OpenSSL 1.1 on Intel-based Macs using Homebrew.

```bash
$ brew install openssl@1.1
```

--------------------------------

### Install Dependencies on macOS

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/c/README.md

Installs necessary dependencies for the benchmark suite on macOS using Homebrew.

```bash
brew install libyaml json-c
```

--------------------------------

### Run Example Tests for AWS Encryption SDK

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/net/README.md

Execute tests on the examples to ensure they are up-to-date. This requires internet access and valid AWS credentials for KMS calls.

```shell
cd AwsEncryptionSDK/runtimes/net
dotnet test Examples
```

--------------------------------

### Alternative x86-64 Homebrew Installation using Bash

Source: https://github.com/aws/aws-encryption-sdk/wiki/Using-the-AWS-Encryption-SDK-for-.NET-on-macOS

An alternative method to create an x86_64 Homebrew installation using bash if zsh is not preferred or available.

```bash
$ arch -x86_64 bash
$ cd /usr/local
$ mkdir homebrew
# -L follows GitHub's redirect to the actual tarball
$ curl -LO https://github.com/Homebrew/brew/tarball/master
$ cat master | tar xz --strip 1 -C homebrew
$ cd homebrew
```

--------------------------------

### Install Rosetta on M1 Macs

Source: https://github.com/aws/aws-encryption-sdk/wiki/Using-the-AWS-Encryption-SDK-for-.NET-on-macOS

Install Rosetta (x86-64 emulation) if it's not already installed on Apple M1-based Macs.

```bash
$ /usr/sbin/softwareupdate --install-rosetta
```

--------------------------------

### Example Testing Function in Rust

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/releases/rust/esdk/examples/README.md

Each example file must contain a testing function with the `#[tokio::test(flavor = "multi_thread")]` attribute. This ensures the example is properly tested in the CI environment.

```rust
#[tokio::test(flavor = "multi_thread")]
async fn my_example_test() {
    // Example test logic here
}
```

--------------------------------

### Install Duvet

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/README.md

Installs the Duvet tool using cargo, the Rust package manager. Requires a stable Rust toolchain.

```bash
cargo +stable install duvet
```

--------------------------------

### Create x86-64 Homebrew Installation on M1 Macs

Source: https://github.com/aws/aws-encryption-sdk/wiki/Using-the-AWS-Encryption-SDK-for-.NET-on-macOS

Create a separate Homebrew installation for x86_64 architecture on M1 Macs. This is necessary for running x86-64 native applications.

```bash
$ arch -x86_64 zsh
$ cd /usr/local
$ mkdir homebrew
$ curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew
```

--------------------------------

### Rust Example: Set Encryption Algorithm Suite

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Shows how to specify a particular algorithm suite for encryption operations using the AWS Encryption SDK for Rust. This allows control over the cryptographic algorithms used.

```rust
use aws_encryption_sdk::kms_keyring::KmsKeyring;
use aws_encryption_sdk::CommitmentPolicy;
use aws_encryption_sdk::{Client, EncryptionSdk};
use aws_encryption_sdk::algos::AlgorithmSuite;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();
    let keyring = KmsKeyring::new(None, None).await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data using a specific algorithm suite.
    let ciphertext = encryption_sdk
        .encrypt_with_suite(keyring.clone(), plaintext, AlgorithmSuite::Aes256GcmRawRsaKeyWrap)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Rust Example: Reproduce AWS KMS Master Key Provider Behavior

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Shows how to configure a multi-keyring in the AWS Encryption SDK for Rust to mimic the behavior of an AWS KMS master key provider. This is useful for migrating existing applications or ensuring compatibility.

```rust
use aws_encryption_sdk::kms_keyring::KmsMultiKeyring;
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();

    // Use a multi-keyring to reproduce master key provider behavior.
    let keyring = KmsMultiKeyring::builder()
        .add_kms_key("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
        .build()
        .await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data.
    let ciphertext = encryption_sdk
        .encrypt(keyring.clone(), plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Rust Example: Combine AWS KMS with Offline Escrow Key

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Demonstrates combining AWS KMS with an offline escrow key using a multi-keyring in the AWS Encryption SDK for Rust. This provides both cloud-based key management and an offline backup.

```rust
use aws_encryption_sdk::kms_keyring::KmsKeyring;
use aws_encryption_sdk::raw_keyring::RawAesKeyring;
use aws_encryption_sdk::multi_keyring::MultiKeyring;
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();

    // Combine AWS KMS with an offline escrow key.
    let kms_keyring = KmsKeyring::new(None, None).await?;
    // Demo key only; in practice load the escrow key from secure storage.
    let escrow_keyring = RawAesKeyring::new(b"this is a 32 byte key for aes256", None)?;

    let keyring = MultiKeyring::builder()
        .add_encrypted_data_key_keyring(kms_keyring)
        .add_encrypted_data_key_keyring(escrow_keyring)
        .build()?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data.
    let ciphertext = encryption_sdk
        .encrypt(keyring.clone(), plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Rust Example: Use Raw RSA Wrapping Key

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Shows how to use a raw RSA key for wrapping data keys with the AWS Encryption SDK for Rust. This provides an option for asymmetric key management.

```rust
use aws_encryption_sdk::raw_keyring::RawRsaKeyring;
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();

    // Use a raw RSA key for wrapping.
    let keyring = RawRsaKeyring::new(
        include_bytes!("../testdata/rsa.public.pem"),
        include_bytes!("../testdata/rsa.private.pkcs8"),
    )?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data.
    let ciphertext = encryption_sdk
        .encrypt(keyring.clone(), plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Rust Example: Use Raw AES Wrapping Key

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Demonstrates using a raw AES key for wrapping data keys with the AWS Encryption SDK for Rust. This is an alternative to using AWS KMS for key management.

```rust
use aws_encryption_sdk::raw_keyring::RawAesKeyring;
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();

    // Use a raw AES key for wrapping.
    // Demo key only; in practice load the wrapping key from secure storage.
    let keyring = RawAesKeyring::new(b"this is a 32 byte key for aes256", None)?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data.
    let ciphertext = encryption_sdk
        .encrypt(keyring.clone(), plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Module Declaration in Rust

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/releases/rust/esdk/examples/README.md

Example modules must be declared in the appropriate `mod.rs` files according to the directory structure. For examples in the root `examples/` directory, also add the module to `main.rs`.

```rust
pub mod set_commitment_policy_example;
```

--------------------------------

### Rust Example: Encrypt and Decrypt Data

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Demonstrates the basic encryption and decryption APIs of the AWS Encryption SDK for Rust. This is useful for in-memory data protection.

```rust
use aws_encryption_sdk::kms_keyring::KmsKeyring;
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();
    let keyring = KmsKeyring::new(None, None).await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data.
    let ciphertext = encryption_sdk
        .encrypt(keyring.clone(), plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Rust Example: Decrypt with Preferred Region and Failover

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Demonstrates configuring a keyring in the AWS Encryption SDK for Rust to prefer a specific AWS region for decryption but allow failover to other regions if the preferred one is unavailable. This improves availability.

```rust
use aws_encryption_sdk::kms_keyring::KmsMrkDiscoveryMultiKeyring;
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();

    // Use a multi-region discovery keyring with a preferred region.
    let keyring = KmsMrkDiscoveryMultiKeyring::builder()
        .add_kms_key("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
        .add_kms_key("arn:aws:kms:us-west-2:111122223333:key/abcdefgh-12ab-34cd-56ef-1234567890ab")
        .preferred_region("us-east-1")
        .build()
        .await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data.
    let ciphertext = encryption_sdk
        .encrypt(keyring.clone(), plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Rust Example: Set Commitment Policy

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Demonstrates how to configure the commitment policy for encryption operations in the AWS Encryption SDK for Rust. This affects how integrity is ensured during decryption.

```rust
use aws_encryption_sdk::kms_keyring::KmsKeyring;
use aws_encryption_sdk::CommitmentPolicy;
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();
    let keyring = KmsKeyring::new(None, None).await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data using a specific commitment policy.
    let ciphertext = encryption_sdk
        .encrypt_with_commitment_policy(keyring.clone(), plaintext, CommitmentPolicy::ForbidEncryptNew)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Rust Example: Custom Client Supplier for Regional Roles

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Demonstrates creating a custom Client Supplier in the AWS Encryption SDK for Rust to assume different IAM roles for different AWS regions. This allows fine-grained control over AWS KMS client credentials.

```rust
use aws_encryption_sdk::client_supplier::ClientSupplier;
use aws_encryption_sdk::kms_client::KmsClient;
use aws_encryption_sdk::{Client, EncryptionSdk};
use std::sync::Arc;

struct RegionalRoleClientSupplier {
    // ... configuration for roles and regions ...
}

impl ClientSupplier for RegionalRoleClientSupplier {
    fn get_kms_client(&self, region: &str) -> Arc<KmsClient> {
        // Logic to create and return a KmsClient for the specified region,
        // potentially assuming a role.
        unimplemented!();
    }
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();

    // Use a custom client supplier for regional roles.
    let client_supplier = RegionalRoleClientSupplier { /* ... */ };
    let keyring = aws_encryption_sdk::kms_keyring::KmsKeyring::builder()
        .client_supplier(client_supplier)
        .build()
        .await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data.
    let ciphertext = encryption_sdk
        .encrypt(keyring.clone(), plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Rust Example: Use One AWS KMS Key

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Demonstrates using a single AWS KMS key for encryption and decryption with the AWS Encryption SDK for Rust. This is a common scenario for protecting data within a specific AWS account and region.

```rust
use aws_encryption_sdk::kms_keyring::KmsKeyring;
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();

    // Use a specific AWS KMS Key ARN.
    let keyring = KmsKeyring::builder()
        .add_kms_key("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
        .build()
        .await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data.
    let ciphertext = encryption_sdk
        .encrypt(keyring.clone(), plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Rust Example: Use Multiple AWS KMS Keys in Different Regions

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Shows how to configure the AWS Encryption SDK for Rust to use multiple AWS KMS keys located in different AWS regions. This is useful for multi-region resilience and access control.

```rust
use aws_encryption_sdk::kms_keyring::KmsMrkDiscoveryMultiKeyring;
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();

    // Use multiple AWS KMS keys in different regions.
    let keyring = KmsMrkDiscoveryMultiKeyring::builder()
        .add_kms_key("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
        .add_kms_key("arn:aws:kms:us-west-2:111122223333:key/abcdefgh-12ab-34cd-56ef-1234567890ab")
        .build()
        .await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data.
    let ciphertext = encryption_sdk
        .encrypt(keyring.clone(), plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Build and Run .NET Benchmark

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/net/README.md

Commands to build the .NET project in Release configuration and run the benchmark. Use the --quick flag for reduced iterations.

```bash
dotnet build --configuration Release
```

```bash
dotnet run --configuration Release
```

```bash
dotnet run --configuration Release -- --quick
```

--------------------------------

### Run Built Binary (Go)

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/go/README.md

Execute the previously built ESDK benchmark binary. Use the --quick flag to run a subset of tests.

```bash
./esdk-benchmark --quick
```

--------------------------------

### Build and Run AWS Encryption SDK Java Benchmark

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/java/README.md

Use these Maven commands to build the project and execute the performance benchmarks. The `--quick` argument reduces iterations for faster testing.

```bash
mvn clean compile
```

```bash
mvn exec:java -Dexec.mainClass="com.amazon.esdk.benchmark.Program"
```

```bash
mvn exec:java -Dexec.mainClass="com.amazon.esdk.benchmark.Program" -Dexec.args="--quick"
```

--------------------------------

### Build and Run Benchmark

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/rust/README.md

Build and execute the Rust benchmark suite. Ensure the ESDK is built and the configuration file is correctly specified.

```bash
cd ../../../AwsEncryptionSDK/
make polymorph_rust transpile_rust
cd ../esdk-performance-testing/benchmarks/rust/
cargo run --release -- --config ../../config/test-scenarios.yaml
```

--------------------------------

### Run Quick Benchmark (Go)

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/go/README.md

Execute a quick benchmark run using the Go SDK. This mode runs a subset of tests with reduced iterations and data sizes.

```bash
go run . --config ../../config/test-scenarios.yaml --quick
```

--------------------------------

### Run Full Benchmark (Go)

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/go/README.md

Execute a full benchmark run using the Go SDK. This mode runs all configured tests without the quick mode optimizations.

```bash
go run . --config ../../config/test-scenarios.yaml
```

--------------------------------

### Build Release Binary (Go)

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/go/README.md

Compile the ESDK benchmark suite into a release binary. This is useful for running benchmarks after building.

```bash
go build -o esdk-benchmark .
```

--------------------------------

### Quick Test Benchmark

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/rust/README.md

Run a quick test of the benchmark suite, which requires a 'quick_config' section in the YAML configuration file.

```bash
cargo run --release -- --quick
```

--------------------------------

### Run Full Benchmark Suite

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/c/README.md

Executes the complete set of performance benchmarks for the AWS Encryption SDK for C.

```bash
./esdk_benchmark
```

--------------------------------

### Build Benchmark Suite

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/c/README.md

Builds the AWS Encryption SDK for C benchmark suite, including dependencies.

```bash
./build.sh
```

--------------------------------

### Rust Example: Limit Encrypted Data Keys (EDKs)

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Illustrates how to limit the number of encrypted data keys (EDKs) generated during encryption with the AWS Encryption SDK for Rust. This can be useful for controlling the size of the ciphertext.

```rust
use aws_encryption_sdk::kms_keyring::KmsKeyring;
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();
    let keyring = KmsKeyring::new(None, None).await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data, limiting the number of EDKs.
    let ciphertext = encryption_sdk
        .encrypt_with_max_edks(keyring.clone(), plaintext, 1)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Run Benchmark with Custom Paths

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/c/README.md

Executes the benchmark suite using custom configuration and output file paths.

```bash
./esdk_benchmark --config /path/to/config.yaml --output /path/to/results.json
```

--------------------------------

### Build AWS Encryption SDK for .NET

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/net/README.md

These commands outline the steps to transpile Dafny to .NET, set up dependencies, and build the SDK.

```shell
# Transpile Dafny to .NET
cd AwsEncryptionSDK
make transpile_implementation_net

# Run dotnet restore
make setup_net

# Run dotnet build
dotnet build runtimes/net
```

--------------------------------

### Running .NET Applications on Intel Macs

Source: https://github.com/aws/aws-encryption-sdk/wiki/Using-the-AWS-Encryption-SDK-for-.NET-on-macOS

Configure the dynamic linker path when running .NET applications on Intel-based Macs.

```bash
$ export DYLD_LIBRARY_PATH="/usr/local/opt/openssl@1.1/lib"
$ dotnet run [ARGS...]
```

--------------------------------

### Rust Example: Limit Decryption to a Single Region

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Shows how to restrict decryption operations to a specific AWS region when using discovery keyrings with the AWS Encryption SDK for Rust. This enhances security by limiting the scope of KMS key usage.

```rust
use aws_encryption_sdk::kms_keyring::{KmsKeyring, KmsMrkDiscoveryKeyring};
use aws_encryption_sdk::{Client, EncryptionSdk};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();

    // Discovery keyrings are decrypt-only, so encrypt with a keyring that names the KMS key.
    let encrypt_keyring = KmsKeyring::builder()
        .add_kms_key("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
        .build()
        .await?;

    // Use a discovery keyring for decryption, but limit it to a specific region.
    let keyring = KmsMrkDiscoveryKeyring::builder()
        .region("us-east-1")
        .build()
        .await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data.
    let ciphertext = encryption_sdk
        .encrypt(encrypt_keyring, plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Running .NET Applications on M1 Macs

Source: https://github.com/aws/aws-encryption-sdk/wiki/Using-the-AWS-Encryption-SDK-for-.NET-on-macOS

Configure the dynamic linker path and specify the x64 architecture when running .NET applications on M1 Macs.

```bash
$ export DYLD_LIBRARY_PATH="/usr/local/homebrew/opt/openssl@1.1/lib"
$ dotnet run -a x64 [ARGS...]
```

--------------------------------

### Rust Example: Restrict Algorithm Suite with Custom CMM

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md

Shows how to restrict encryption operations to a specific algorithm suite using a custom Cryptographic Materials Manager (CMM) in the AWS Encryption SDK for Rust. This enforces specific cryptographic standards.

```rust
use aws_encryption_sdk::kms_keyring::KmsKeyring;
use aws_encryption_sdk::algos::AlgorithmSuite;
use aws_encryption_sdk::custom_kms_client::CustomKmsClient;
use aws_encryption_sdk::cryptographic_materials_manager::CryptographicMaterialsManager;
use aws_encryption_sdk::{Client, EncryptionSdk};

struct SigningSuiteOnlyCmm {
    suite: AlgorithmSuite,
}

impl CryptographicMaterialsManager for SigningSuiteOnlyCmm {
    // ... implementation details ...
    fn get_materials(&self, _ctx: &aws_encryption_sdk::EncryptionContext) -> Result {
        unimplemented!();
    }

    fn get_wrapping_key(
        &self,
        _ctx: &aws_encryption_sdk::EncryptionContext,
        _wrapped_key_material: &aws_encryption_sdk::WrappedKeyMaterial,
    ) -> Result {
        unimplemented!();
    }

    fn on_encrypt(&self, _ctx: &aws_encryption_sdk::EncryptionContext, _plaintext_len: u64) -> Result {
        unimplemented!();
    }

    fn on_decrypt(
        &self,
        _ctx: &aws_encryption_sdk::EncryptionContext,
        _ciphertext_data_keys: &aws_encryption_sdk::EncryptedDataKeys,
    ) -> Result {
        unimplemented!();
    }
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let encryption_sdk = Client::new();
    let keyring = KmsKeyring::new(None, None).await?;

    let plaintext = b"This is my secret data.";

    // Encrypt the data using a custom CMM that restricts the algorithm suite.
    let ciphertext = encryption_sdk
        .encrypt_with_custom_cmm(
            keyring.clone(),
            plaintext,
            SigningSuiteOnlyCmm { suite: AlgorithmSuite::Aes256GcmRawRsaKeyWrap },
        )
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());
    Ok(())
}
```

--------------------------------

### Use Raw AES Wrapping Key

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/go/examples/README.md

Demonstrates how to use a raw AES key for wrapping data keys. This is an alternative to using AWS KMS and requires managing the AES key securely.

```go
package main

import (
	"context"
	"crypto/rand"
	"fmt"
	"log"

	"github.com/aws/aws-encryption-sdk-go/pkg/awsenc"
	"github.com/aws/aws-encryption-sdk-go/pkg/model"
	"github.com/aws/aws-encryption-sdk-go/pkg/rawaeskeyring"
)

func main() {
	// Generate a random 256-bit AES key for wrapping
	wrappingKey := make([]byte, 32)
	if _, err := rand.Read(wrappingKey); err != nil {
		log.Fatalf("Failed to generate wrapping key: %v", err)
	}

	// Create a Raw AES Keyring
	keyring, err := rawaeskeyring.New(wrappingKey)
	if err != nil {
		log.Fatalf("Failed to create Raw AES keyring: %v", err)
	}

	// Data to encrypt
	plaintext := []byte("This message is encrypted with a raw AES key.")

	// Encrypt the data
	encryptedData, err := awsenc.Encrypt(context.TODO(), plaintext, model.WithKeyring(keyring))
	if err != nil {
		log.Fatalf("Encryption failed: %v", err)
	}

	fmt.Printf("Encrypted data: %x\n", encryptedData.Plaintext())

	// Decrypt the data
	decryptedData, err := awsenc.Decrypt(context.TODO(), encryptedData, model.WithKeyring(keyring))
	if err != nil {
		log.Fatalf("Decryption failed: %v", err)
	}

	fmt.Printf("Decrypted data: %s\n", decryptedData.Plaintext())
}
```

--------------------------------

### Use Raw RSA Wrapping Key

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/go/examples/README.md

Demonstrates how to use a raw RSA key for wrapping data keys. This is an alternative to using AWS KMS and requires managing the RSA key securely. Ensure you use appropriate key sizes.

```go package main import ( "context" "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" "log" "github.com/aws/aws-encryption-sdk-go/pkg/awsenc" "github.com/aws/aws-encryption-sdk-go/pkg/model" "github.com/aws/aws-encryption-sdk-go/pkg/rawrsakeyring" ) func main() { // Generate a new RSA private key (e.g., 2048 bits) privateKey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { log.Fatalf("Failed to generate RSA private key: %v", err) } // Create a Raw RSA Keyring using the private key keyring, err := rawrsakeyring.New(privateKey) if err != nil { log.Fatalf("Failed to create Raw RSA keyring: %v", err) } // Data to encrypt plaintext := []byte("This message is encrypted with a raw RSA key.") // Encrypt the data encryptedData, err := awsenc.Encrypt(context.TODO(), plaintext, model.WithKeyring(keyring)) if err != nil { log.Fatalf("Encryption failed: %v", err) } fmt.Printf("Encrypted data: %x\n", encryptedData.Plaintext()) // Decrypt the data decryptedData, err := awsenc.Decrypt(context.TODO(), encryptedData, model.WithKeyring(keyring)) if err != nil { log.Fatalf("Decryption failed: %v", err) } fmt.Printf("Decrypted data: %s\n", decryptedData.Plaintext()) } ``` -------------------------------- ### Rust Example: Decrypt Without Knowing AWS KMS Key Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/examples/README.md Demonstrates how to decrypt data when the specific AWS KMS key used for encryption is unknown, leveraging discovery features of the AWS Encryption SDK for Rust. This is useful when the key identifier is not readily available. ```rust use aws_encryption_sdk::kms_keyring::KmsMrkDiscoveryKeyring; use aws_encryption_sdk::{Client, EncryptionSdk}; #[tokio::main] async fn main() -> Result<(), Box> { let encryption_sdk = Client::new(); // Use a discovery keyring to find the KMS key. let keyring = KmsMrkDiscoveryKeyring::builder() .build() .await?; let plaintext = b"This is my secret data."; // Encrypt the data. 
    let ciphertext = encryption_sdk
        .encrypt(keyring.clone(), plaintext)
        .await?;

    // Decrypt the data.
    let decrypted_plaintext = encryption_sdk
        .decrypt(keyring, &ciphertext)
        .await?;

    assert_eq!(plaintext, decrypted_plaintext.as_ref());

    Ok(())
}
```

--------------------------------

### Run Tests

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/rust/README.md

Execute the unit and integration tests for the Rust benchmark suite.

```bash
cargo test
```

--------------------------------

### Build AWS Encryption SDK for Rust

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/rust/src/README.md

Run these commands to set up your project for use with the AWS Encryption SDK in Rust. Ensure you have the latest Dafny on your PATH and have fetched all submodules.

```bash
cd AwsEncryptionSDK
# Polymorph smithy to Rust
make polymorph_rust
# Transpile Dafny to Rust
make transpile_rust
```

--------------------------------

### Reproduce AWS KMS Master Key Provider Behavior

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/go/examples/README.md

Demonstrates how to configure the AWS Encryption SDK to mimic the behavior of an AWS KMS master key provider. This is useful for compatibility and migration scenarios.

```go
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-encryption-sdk-go/pkg/awsenc"
	"github.com/aws/aws-encryption-sdk-go/pkg/kmskeyring"
	"github.com/aws/aws-encryption-sdk-go/pkg/model"
)

func main() {
	// Replace with your AWS KMS Key ARN
	keyARN := "arn:aws:kms:us-east-1:111122223333:key/12345678-1234-1234-1234-123456789012"

	// Create a KMS Keyring that reproduces the behavior of a master key provider
	keyring, err := kmskeyring.New(keyARN)
	if err != nil {
		log.Fatalf("Failed to create KMS keyring: %v", err)
	}

	// Data to encrypt
	plaintext := []byte("This message is encrypted to reproduce KMS master key provider behavior.")

	// Encrypt the data
	encryptedData, err := awsenc.Encrypt(context.TODO(), plaintext, model.WithKeyring(keyring))
	if err != nil {
		log.Fatalf("Encryption failed: %v", err)
	}

	fmt.Printf("Encrypted data: %x\n", encryptedData.Plaintext())

	// Decrypt the data
	decryptedData, err := awsenc.Decrypt(context.TODO(), encryptedData, model.WithKeyring(keyring))
	if err != nil {
		log.Fatalf("Decryption failed: %v", err)
	}

	fmt.Printf("Decrypted data: %s\n", decryptedData.Plaintext())
}
```

--------------------------------

### Run .NET Tests from Directory

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/net/TestVectorsNative/TestVectors/README.md

Execute the .NET test suite from the current directory. This command runs all tests defined within the project.

```bash
dotnet test
```

--------------------------------

### Debug Build with Logging

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/rust/README.md

Run a debug build of the benchmark executable with detailed logging enabled. This is helpful for diagnosing issues during development.

```bash
RUST_LOG=debug ./target/debug/esdk_benchmark --config config.yaml
```

--------------------------------

### Run Quick Benchmark Test

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/c/README.md

Executes a reduced set of benchmark iterations and data sizes for a faster test run.

```bash
./esdk_benchmark --quick
```

--------------------------------

### Generate Solution File for AWS Encryption SDK Projects

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/net/README.md

Generate a solution file for all projects within the AWS Encryption SDK .NET runtime. This helps IDEs recognize the project structure.

```shell
cd AwsEncryptionSDK/runtimes/net
dotnet new sln --name ESDK
dotnet sln add $(find . -name '*.csproj')
```

--------------------------------

### Custom Client Supplier for AWS KMS Clients

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/go/examples/README.md

Demonstrates how to create a custom Client Supplier to configure AWS KMS clients, allowing for tuning of retry and timeout settings, or using different credentials per region.

```go
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"

	"github.com/aws/aws-encryption-sdk-go/pkg/awsenc"
	"github.com/aws/aws-encryption-sdk-go/pkg/clientsupplier"
	"github.com/aws/aws-encryption-sdk-go/pkg/kmskeyring"
	"github.com/aws/aws-encryption-sdk-go/pkg/model"
)

// CustomClientSupplier demonstrates creating a custom client supplier.
// This example assumes you have AWS credentials configured.
func main() {
	// Replace with your AWS KMS Key ARN
	keyARN := "arn:aws:kms:us-east-1:111122223333:key/12345678-1234-1234-1234-123456789012"

	// Create a KMS Keyring
	keyring, err := kmskeyring.New(keyARN)
	if err != nil {
		log.Fatalf("Failed to create KMS keyring: %v", err)
	}

	// Define a custom client supplier
	customSupplier := clientsupplier.NewDefaultSupplier(clientsupplier.WithClientConfigFunc(func(region string, cfg aws.Config) (aws.Config, error) {
		// Example: Modify endpoint or add custom options
		// cfg.Endpoint = aws.EndpointResolverFunc(func(service, region string) (aws.Endpoint, error) {
		// 	return aws.Endpoint{URL: "http://localhost:8080"}, nil
		// })
		fmt.Printf("Creating KMS client for region: %s\n", region)
		return cfg, nil
	}))

	// Create a KMS Client Supplier with the custom supplier
	kmsClientSupplier := clientsupplier.NewKMSClientSupplier(customSupplier)

	// Data to encrypt
	plaintext := []byte("This message is encrypted using a custom KMS client supplier.")

	// Encrypt the data using the custom KMS client supplier
	encryptedData, err := awsenc.Encrypt(context.TODO(), plaintext, model.WithKeyring(keyring), model.WithKMSClientSupplier(kmsClientSupplier))
	if err != nil {
		log.Fatalf("Encryption failed: %v", err)
	}

	fmt.Printf("Encrypted data: %x\n", encryptedData.Plaintext())

	// Decrypt the data using the custom KMS client supplier
	decryptedData, err := awsenc.Decrypt(context.TODO(), encryptedData, model.WithKeyring(keyring), model.WithKMSClientSupplier(kmsClientSupplier))
	if err != nil {
		log.Fatalf("Decryption failed: %v", err)
	}

	fmt.Printf("Decrypted data: %s\n", decryptedData.Plaintext())
}
```

--------------------------------

### Restrict Algorithm Suites with Custom CMM

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/go/examples/README.md

Demonstrates how to create a custom Cryptographic Materials Manager (CMM) to enforce specific algorithm suites, such as signing-only suites, during encryption.

```go
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-encryption-sdk-go/pkg/awsenc"
	"github.com/aws/aws-encryption-sdk-go/pkg/kmskeyring"
	"github.com/aws/aws-encryption-sdk-go/pkg/model"
	"github.com/aws/aws-encryption-sdk-go/pkg/model/cmm"
	"github.com/aws/aws-encryption-sdk-go/pkg/suite"
)

// SigningSuiteOnlyCMM is a custom CMM that only allows signing algorithm suites.
type SigningSuiteOnlyCMM struct {
	*cmm.SimpleMaterialsManager
}

// NewSigningSuiteOnlyCMM creates a new SigningSuiteOnlyCMM.
func NewSigningSuiteOnlyCMM(keyring model.Keyring) *SigningSuiteOnlyCMM {
	return &SigningSuiteOnlyCMM{SimpleMaterialsManager: cmm.NewSimpleMaterialsManager(keyring)}
}

// NewEncryptionMaterials implements the CMM interface.
func (c *SigningSuiteOnlyCMM) NewEncryptionMaterials(ctx context.Context, materialReqs model.EncryptionMaterialsRequest) (model.EncryptionMaterials, error) {
	// Enforce that only signing algorithm suites are allowed for encryption.
	materialReqs.AllowedAlgorithmSuites = suite.GetSigningSuiteIDs()
	return c.SimpleMaterialsManager.NewEncryptionMaterials(ctx, materialReqs)
}

func main() {
	// Replace with your AWS KMS Key ARN
	keyARN := "arn:aws:kms:us-east-1:111122223333:key/12345678-1234-1234-1234-123456789012"

	// Create a KMS Keyring
	keyring, err := kmskeyring.New(keyARN)
	if err != nil {
		log.Fatalf("Failed to create KMS keyring: %v", err)
	}

	// Create a custom CMM that restricts to signing algorithm suites
	cryptographicMaterialsManager := NewSigningSuiteOnlyCMM(keyring)

	// Data to encrypt
	plaintext := []byte("This message will be signed using a signing-only suite.")

	// Encrypt the data
	// This will fail if the selected algorithm suite is not a signing suite.
	encryptedData, err := awsenc.Encrypt(context.TODO(), plaintext, model.WithMaterialsManager(cryptographicMaterialsManager))
	if err != nil {
		log.Fatalf("Encryption failed: %v", err)
	}

	fmt.Printf("Encrypted data: %x\n", encryptedData.Plaintext())

	// Decrypt the data
	// Decryption will work with the same CMM, as it allows decryption for signing suites.
	decryptedData, err := awsenc.Decrypt(context.TODO(), encryptedData, model.WithMaterialsManager(cryptographicMaterialsManager))
	if err != nil {
		log.Fatalf("Decryption failed: %v", err)
	}

	fmt.Printf("Decrypted data: %s\n", decryptedData.Plaintext())
}
```

--------------------------------

### Change Algorithm Suite with AWS Encryption SDK for Go

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/go/examples/README.md

Demonstrates how to specify a particular algorithm suite for encryption and decryption operations. This is useful for enforcing specific cryptographic standards.

```go
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-encryption-sdk-go/pkg/awsenc"
	"github.com/aws/aws-encryption-sdk-go/pkg/kmskeyring"
	"github.com/aws/aws-encryption-sdk-go/pkg/model"
	"github.com/aws/aws-encryption-sdk-go/pkg/suite"
)

func main() {
	// Replace with your AWS KMS Key ARN
	keyARN := "arn:aws:kms:us-east-1:111122223333:key/12345678-1234-1234-1234-123456789012"

	// Create a KMS Keyring
	keyring, err := kmskeyring.New(keyARN)
	if err != nil {
		log.Fatalf("Failed to create KMS keyring: %v", err)
	}

	// Define the desired algorithm suite
	algorithmSuite := suite.SYMMETRIC_DEFAULT

	// Data to encrypt
	plaintext := []byte("This message uses a specific algorithm suite.")

	// Encrypt the data with the specified algorithm suite
	encryptedData, err := awsenc.Encrypt(context.TODO(), plaintext, model.WithKeyring(keyring), model.WithAlgorithmSuite(algorithmSuite))
	if err != nil {
		log.Fatalf("Encryption failed: %v", err)
	}

	fmt.Printf("Encrypted data: %x\n", encryptedData.Plaintext())

	// Decrypt the data, the SDK will automatically detect the algorithm suite
	decryptedData, err := awsenc.Decrypt(context.TODO(), encryptedData, model.WithKeyring(keyring))
	if err != nil {
		log.Fatalf("Decryption failed: %v", err)
	}

	fmt.Printf("Decrypted data: %s\n", decryptedData.Plaintext())
}
```

--------------------------------

### Run AWS Encryption SDK Test Suite

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/net/README.md

Commands to transpile tests and run the test suite for the AWS Encryption SDK. Use the appropriate command for your operating system.

```shell
cd AwsEncryptionSDK
make transpile_test_net
# Windows/Linux
make test_net
# On Mac
make test_net_mac_brew
```

--------------------------------

### Build Debug Version

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/esdk-performance-testing/benchmarks/rust/README.md

Compile a debug version of the benchmark executable. This is useful for development and debugging purposes.

```bash
cargo build
```

--------------------------------

### Encrypt and Decrypt Data with AWS Encryption SDK for Go

Source: https://github.com/aws/aws-encryption-sdk/blob/mainline/AwsEncryptionSDK/runtimes/go/examples/README.md

Demonstrates the core encryption and decryption APIs of the AWS Encryption SDK for Go. Ensure you have the necessary AWS credentials and KMS key configured.

```go
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-encryption-sdk-go/pkg/awsenc"
	"github.com/aws/aws-encryption-sdk-go/pkg/kmskeyring"
	"github.com/aws/aws-encryption-sdk-go/pkg/model"
)

func main() {
	// Replace with your AWS KMS Key ARN
	keyARN := "arn:aws:kms:us-east-1:111122223333:key/12345678-1234-1234-1234-123456789012"

	// Create a KMS Keyring
	keyring, err := kmskeyring.New(keyARN)
	if err != nil {
		log.Fatalf("Failed to create KMS keyring: %v", err)
	}

	// Data to encrypt
	plaintext := []byte("This is a secret message.")

	// Encrypt the data
	encryptedData, err := awsenc.Encrypt(context.TODO(), plaintext, model.WithKeyring(keyring))
	if err != nil {
		log.Fatalf("Encryption failed: %v", err)
	}

	fmt.Printf("Encrypted data: %x\n", encryptedData.Plaintext())

	// Decrypt the data
	decryptedData, err := awsenc.Decrypt(context.TODO(), encryptedData, model.WithKeyring(keyring))
	if err != nil {
		log.Fatalf("Decryption failed: %v", err)
	}

	fmt.Printf("Decrypted data: %s\n", decryptedData.Plaintext())
}
```
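
The "Use Raw AES Wrapping Key" entry above relies on a keyring to wrap data keys. This added example (not code from the AWS Encryption SDK or its READMEs) shows that wrap/unwrap step using only the Go standard library. It assumes AES-256-GCM as the wrapping algorithm and an opaque encryption-context byte string bound as AAD; `NewWrapper`, `Wrap` and `Unwrap` are hypothetical names, and the SDK's message format is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewWrapper (hypothetical helper, not an SDK API) builds AES-GCM over the
// wrapping key; a 32-byte key selects AES-256.
func NewWrapper(wrappingKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(wrappingKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap generates a fresh 256-bit data key and returns it with nonce||ciphertext
// of that key. encCtx is bound as AAD: authenticated, not encrypted.
func Wrap(w cipher.AEAD, encCtx []byte) (dataKey, wrapped []byte, err error) {
	buf := make([]byte, 32+w.NonceSize())
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	dataKey, nonce := buf[:32:32], buf[32:]
	return dataKey, w.Seal(nonce, nonce, dataKey, encCtx), nil
}

// Unwrap fails on a wrong wrapping key, a tampered blob or a changed context.
func Unwrap(w cipher.AEAD, wrapped, encCtx []byte) ([]byte, error) {
	n := w.NonceSize()
	if len(wrapped) < n {
		return nil, fmt.Errorf("wrapped key too short: %d bytes", len(wrapped))
	}
	return w.Open(nil, wrapped[:n], wrapped[n:], encCtx)
}

func main() {
	w, err := NewWrapper(make([]byte, 32)) // constructed all-zero key, demo only
	if err != nil {
		panic(err)
	}
	dataKey, wrapped, err := Wrap(w, []byte("tenant=a"))
	fmt.Println(len(dataKey), len(wrapped), err) // sizes only, never log key bytes
}
```

Because the context is authenticated with the wrapped key, a wrapped data key copied into a message with a different context does not unwrap.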