Amazon S3 Encryption Client 4.0.0 Release -- 2025-12-17

@aws-crypto-tools-ci-bot released this 17 Dec 03:13

Changelog

4.0.0 (2025-12-17)

⚠ BREAKING CHANGES

  • The S3 Encryption Client now requires key committing algorithm suites by default.
    See migration guide from 3.x to 4.x: link

  • The builder() method has been removed; use builderV4() instead.

  • builderV4() now defaults commitmentPolicy to REQUIRE_ENCRYPT_REQUIRE_DECRYPT and encryptionAlgorithm to ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY.

  • Updated expectations for custom implementations of the CryptographicMaterialsManager interface.

    • Custom implementations of the interface's getEncryptionMaterials method MUST set the AlgorithmSuite field on the returned EncryptionMaterials.
      • The provided DefaultCryptoMaterialsManager's getEncryptionMaterials method sets this field from the AlgorithmSuite provided in the EncryptionMaterialsRequest.
      • If the custom implementation wraps the provided DefaultCryptoMaterialsManager.getEncryptionMaterials method, it's likely that no code updates are required. The provided logic has been updated with this change.
    • Custom implementations of the interface's decryptMaterials method MUST set the KeyCommitment field on the returned DecryptionMaterials.
      • The provided DefaultCryptoMaterialsManager's decryptMaterials method sets this field from the KeyCommitment provided in the DecryptMaterialsRequest.
      • If the custom implementation wraps the provided DefaultCryptoMaterialsManager.decryptMaterials method, it's likely that no code updates are required. The provided logic has been updated with this change.
  • Updated expectations for custom implementations of the Keyring interface.

    • Custom implementations of the interface's onDecrypt method MUST preserve the KeyCommitment field on the returned DecryptionMaterials.
      • The provided S3Keyring's onDecrypt method (base class for all keyrings including KmsKeyring) preserves this field through the builder pattern when returning updated materials.
      • If the custom implementation wraps the provided S3Keyring.onDecrypt method or uses the builder pattern to return materials, it's likely that no code updates are required. The provided logic has been updated with this change.

Features

Maintenance