Amazon S3 Encryption Client 4.0.0 Release -- 2025-12-17

Changelog

4.0.0 (2025-12-17)

⚠ BREAKING CHANGES

• The S3 Encryption Client now requires key committing algorithm suites by default.
  See migration guide from 3.x to 4.x: link

• builder() method has been removed; use builderV4() instead

• builderV4() now defaults to commitmentPolicy (REQUIRE_ENCRYPT_REQUIRE_DECRYPT) and encryptionAlgorithm (ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY)

• Updated expectations for custom implementations of the CryptographicMaterialsManager interface.

  • Custom implementations of the interface's getEncryptionMaterials method MUST set the AlgorithmSuite field on the returned EncryptionMaterials.
    • The provided DefaultCryptoMaterialsManager's getEncryptionMaterials method sets this field from the AlgorithmSuite provided in the EncryptionMaterialsRequest.
    • If the custom implementation wraps the provided DefaultCryptoMaterialsManager.getEncryptionMaterials method, it's likely that no code updates are required. The provided logic has been updated with this change.
  • Custom implementations of the interface's decryptMaterials method MUST set the KeyCommitment field on the returned DecryptionMaterials.
    • The provided DefaultCryptoMaterialsManager's decryptMaterials method sets this field from the KeyCommitment provided in the DecryptMaterialsRequest.
    • If the custom implementation wraps the provided DefaultCryptoMaterialsManager.decryptMaterials method, it's likely that no code updates are required. The provided logic has been updated with this change.

• Updated expectations for custom implementations of the Keyring interface.

  • Custom implementations of the interface's onDecrypt method MUST preserve the KeyCommitment field on the returned DecryptionMaterials.
    • The provided S3Keyring's onDecrypt method (base class for all keyrings including KmsKeyring) preserves this field through the builder pattern when returning updated materials.
    • If the custom implementation wraps the provided S3Keyring.onDecrypt method or uses the builder pattern to return materials, it's likely that no code updates are required. The provided logic has been updated with this change.

Features

• Updates to the S3 Encryption Client (#491) (9d4523e)

Maintenance

• update releaserc (#492) (d423d8d)

Amazon S3 Encryption Client 3.6.0 Release -- 2025-12-16

Changelog

3.6.0 (2025-12-16)

Features

• Updates to the S3 Encryption Client (#489) (2b13cf2)

Maintenance

• Add 's3:HeadObject' action to S3 bucket policies (#488) (c24b358)
• update releaserc (#490) (51d4635)

Amazon S3 Encryption Client 3.5.0 Release -- 2025-10-27

Changelog

3.5.0 (2025-10-27)

Features

• allow raw keyrings to decrypt with multiple wrapping keys (#485) (a78cb52)

Maintenance

• add client specification and Duvet annotations (#481) (1bd8b7a)
• move spec submodule to master, update annotations (#482) (cc9eafc)
• release: skip openjdk11 during release validation (#487) (a210653)
• spec: add spec and Duvet annotations for KmsKeyring (#483) (ab41a57)

Amazon S3 Encryption Client 3.4.0 Release -- 2025-07-30

Changelog

3.4.0 (2025-07-30)

Features

• put object with instruction file configured (#466) (99077dc)
• reEncryptInstructionFile Implementation (#475) (ff66e72)
• reEncryptInstructionFile Implementation (#478) (f7e6fa5)

Fixes

• Revert "feat: reEncryptInstructionFile Implementation (#475)" (#477) (6d45ec5)

Maintenance

• guard against properties conflicts (#479) (793c73b)
• pom: fix scm url (#469) (1bc2ca3)
• release: Migrate release to Central Portal (#468) (da71231)
• validate against legacy wrapping on client but customer passes keyring with no legacy wrapping (#473) (bb898d1)

Amazon S3 Encryption Client 3.3.5 Release -- 2025-05-21

Changelog

3.3.5 (2025-05-21)

Fixes

• determine effective contentLength, account for tagLength on decrypt (#463) (969d721)
• disable low-level Multipart Upload in Async client (#461) (599f941)
• support PutObjectResponse fields (#462) (dec503b)

Maintenance

• Revert "Amazon S3 Encryption Client 3.3.5 Release -- 2025-05-20" (#465) (3f9ac8e)
• update dependency needed for semantic-release (#464) (0fd3b58)

Amazon S3 Encryption Client 3.3.4 Release -- 2025-05-12

Changelog

3.3.4 (2025-05-12)

Fixes

• Add details to error message (#459) (0d32b4a), closes #458
• Support all PutObjectRequest fields (#458) (99cce95)

Amazon S3 Encryption Client 3.3.3 Release -- 2025-05-05

3.3.3 (2025-05-05)

Fixes

• fix CipherSubscriber to only call onNext once per request (#456) (646b735)

Amazon S3 Encryption Client 3.3.2 Release -- 2025-04-16

Changelog

3.3.2 (2025-04-16)

Fixes

• add builders to S3EncryptionClientException class (#450) (647c809)
• allow CipherSubscriber to determine if the part is last part (#453) (12355a1)

Amazon S3 Encryption Client 3.3.1 Release -- 2025-01-24

Changelog

3.3.1 (2025-01-24)

Fixes

• KMS Dependency is required (44e9886)
• treat null matdesc as empty (#448) (bcd711e)
• unbounded streams are not supported (#422) (034bb89)

Amazon S3 Encryption Client 3.3.0 Release -- 2024-10-30

Changelog

3.3.0 (2024-10-30)

Features

• allow configuration of instruction file client, add new top-level client options, disable wrapped multipart upload (#387) (37e772f)

Maintenance

• add ListBucket permission to release role (#391) (fa1e6cc)
• deps-dev: bump commons-io:commons-io from 2.11.0 to 2.14.0 (#381) (5e03842)