S3Drive
Community / support / Decrypting AWS AES-GCM encrypted objects
gregintheweb 4/11/2024 2:20 PM
Howdy 🙂 Love S3, you do awesome work! One weird issue, on Windows, with S3 E2EE: when I upgraded from 1.7.17 to 1.8.3 all the files no longer decrypt. I checked the key is still present and correct, and it shows in the app. The files and key are still working on multiple Android devices. On Windows, the files all download with the correct size, just... encrypted (or that's what it looks like if I open them in a text editor). There are no errors in the log. I tried downgrading to 1.8.2 and 1.8.0+3 without any change in behavior. I tried to downgrade to 1.7 but the app won't let me past the upgrade notice. I tried removing the app, installing, and re-adding the S3 & E2EE details, with the same result. The log still shows no issues (there are some notices, like e2ee enabled, for example, but no errors). Perhaps it is just me? Happy to try anything if the issue is elsewhere 🙂 Thanks!
Avatar
Hi there, thank you for your feedback. Just a question: do you use filename encryption on top of E2E encryption? What's the behavior on 1.8.2 or 1.8.0+3, does it decrypt fine? Does this issue apply only to "Download" or to all other functions? Is this file previewable? If so, can you please try "Preview" within the app, or perhaps try to use the "Open" function to open the file externally? What happens if you upload a new file using 1.8.3, can you download it back properly? Using "Show info", can you please display the file details (especially Headers)? Thanks
2:46 PM
gregintheweb 4/11/2024 2:47 PM
Hi Tom!
2:49 PM
No, I don't use filename encryption (it's just number-based file names from photos mainly, no overly long names or anything). The behavior in 1.8.2 or 1.8.0+3 was the same, no luck decrypting, no errors. The issue applies to preview and download. I haven't thought to upload a file, I'll try and grab a screenshot of the file info.
Avatar
I suspect that this may be related to AES-256 GCM encryption, which was deprecated in August 2023 and subsequently removed in the March 2024 1.8.0 release.
2:56 PM
It depends on how long you've had E2E enabled. Did you set it up a long time ago or just recently?
2:56 PM
"Show info" would certainly help to show us the headers used (as they show encryption type)
gregintheweb 4/11/2024 2:56 PM
I think you're right 🙂 The old file has AWS encryption info, the new file does not. I've had E2E set up since early 2023.
2:57 PM
The new upload works just fine. In Android as well.
2:58 PM
Ah, the file names don't populate, sorry! The 002.jpg is the old file that doesn't work, the trained.jpeg is the new file that works.
Avatar
Right, sorry, we've had to make this breaking change as that's something which was holding us back for quite a while. The challenge is that if you disable the AES-GCM E2E in 1.7.17 you won't be able to enable the AES-GCM encryption again, at least from the app UI (by default the Rclone one will be enabled). I would recommend downloading all of the files and then reuploading them. If you need to enable the AES-GCM encryption on your desktop, it should likely be possible using import JSON (and crafting some fields). If you need that, I can help out here.
3:01 PM
... perhaps you could export JSON on Android (where encryption still works) and then import it on desktop - this should preserve the AES-GCM setting.
gregintheweb 4/11/2024 3:03 PM
Ah, that's why it works in Android, makes sense. Sorry, I was typing a story to try and figure out how to make it work on desktop and axed it as it'll be waay easier to just download the files in Android and reup them it seems 🙂
3:04 PM
Thanks! Any plans on breaking changes in Android in the next couple weeks? No worries, just wondering the timeline to grab my files 🙂
Avatar
Just to follow up, if you export JSON from Android, it will look like:
{
  "bucketName": "bucket",
  "keyId": "somekey",
  "applicationKey": "key",
  "endpoint": "https://something.r2.cloudflarestorage.com/tomek",
  "region": "us-east-1",
  "host": "something.r2.cloudflarestorage.com",
  "port": 443,
  "useSSL": true,
  "encryptionKey": "cG90YXRv",
  "rclonePlaintextKey": false,
  "filepathEncryptionEnabled": true,
  "supportVersioning": false
}
The most important ones for you are:
  "encryptionKey": "cG90YXRv",
  "rclonePlaintextKey": false,
where it tells the app to NOT USE Rclone and then encryptionKey will be your base64 decoded AWS. If you reimport this to desktop (Function available in the Profiles - it's actually a paid one, but I would be more than happy to give you a free month, so you can handle that).
Avatar
If you haven't updated your Android, then stay with 1.7.17, as 1.8.2 is already released, with 1.8.3 awaiting final Google approval. 1.7.17 will expire at the end of April.
gregintheweb 4/11/2024 3:11 PM
Awesome! Thanks so much for your help!!! 🙂
Tom changed the channel name: Decrypting objects encrypted using deprecated AES-GCM 4/11/2024 6:18 PM
Tom changed the channel name: Decrypting AWS AES-GCM encrypted objects 4/11/2024 6:19 PM
Avatar
One more alternative is to use something that we implemented in 2022, related to the now legacy PhotoSync S3 / Sync for Backblaze B2 projects. This web back-end allows you to access your bucket and decrypt AES-GCM encrypted objects, given you provide the encryption key: https://web.syncaware.com/
The only challenge might be that it will require CORS settings to be set up. Those from S3Drive would be fine, except the domain would mismatch. You can either set them "open" in the S3 admin panel or use this template, but the domain would have to be replaced: https://discord.com/channels/1069654792902815845/1217522466981675119/1217537730313977856
from: <AllowedOrigin>https://web.s3drive.app</AllowedOrigin>
to: <AllowedOrigin>https://web.syncaware.com</AllowedOrigin>
gregintheweb 4/11/2024 7:45 PM
Even more helpful! Thanks so much for everything 🙂
Exported 22 message(s)
Timezone: UTC+0