Encrypt files in AWS S3 with a PGP key using a Dotnet Lambda function

Harish Sankaranarayanan
Published in BI3 Technologies
5 min read · May 13, 2022

This blog demonstrates how to encrypt a file in AWS S3 from a C# AWS Lambda function. To do this we need a PGP key pair: the public key encrypts the file and the private key decrypts it.

Here are the five simple steps that will get us there.

1. Create an AWS Lambda function in Visual Studio

The AWS Toolkit is not available in Visual Studio by default. We must install it by navigating to EXTENSIONS -> MANAGE EXTENSIONS.

Download Toolkit in Visual Studio

If you have any problem downloading the AWS Toolkit, try installing the latest version of Visual Studio.

After installation, restart Visual Studio and reopen it, then:

  • Select AWS Lambda function (.NET Core).
  • Enter a Project Name and Location to save your project before clicking ‘Next’.
Creating new AWS Project
  • Choose the Simple S3 function from the Blueprints and finally click ‘Finish’ to create a new project.
Simple S3 Function

2. Configure Visual Studio with your AWS account

  • In the View menu, select AWS Explorer.
Choose AWS Explorer
  • Create an AWS Credentials Profile so that the toolkit can use the AWS services in your account.
Create a User Profile
Create New Profile Account

The file is encrypted using the public key and decrypted with the private key.
The following links provide a sample key pair which I have generated; you can also generate a demo key pair with any PGP tool. These are demo keys only: because the private key is published, anything encrypted to this pair can be read by anyone, so generate your own pair for real data.

Public key : https://textdoc.co/ksVyajNlzWQOGi5S

Private key : https://textdoc.co/BLJovT06ZlFmcdxG

3. Code for Encrypting the file

The NuGet packages referenced in the code must be installed before the code will build.
To install them, go to PROJECT -> MANAGE NUGET PACKAGES.

NuGet Package Manager

After installing the necessary packages, create a file named Function.cs and paste the following code. This code takes a file from S3, stores it in a temp location, and encrypts it using the public key.

Code for Encrypt the file

Create a file named AmazonUploader.cs. This code loads the encrypted file from the temp location back into the S3 bucket.

Load File to AWS S3
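The encrypt-side code on the page is only an image, so here is an added example of the same flow: download the object that triggered the event to /tmp, encrypt it with the public key, and upload it as filename.pgp. This is my code, not the author's. It assumes the PgpCore NuGet package for the OpenPGP calls (its EncryptStream/DecryptStream API matches the method name the post mentions, but the post does not name the package), the AWSSDK.S3, Amazon.Lambda.S3Events and Amazon.Lambda.Serialization.SystemTextJson packages, and that the armored public key is supplied through a PGP_PUBLIC_KEY environment variable of the Lambda function; the namespace and class names are my own. It also skips objects whose key already ends in .pgp, because writing filename.pgp back into the same bucket that triggers the function would otherwise raise another ObjectCreated event and re-encrypt the output indefinitely.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Amazon.Lambda.Core;
using Amazon.Lambda.S3Events;
using Amazon.S3;
using Amazon.S3.Model;
using PgpCore;

// Serializer for the S3 event payload (same one the Simple S3 Function blueprint uses).
[assembly: LambdaSerializer(typeof(Amazon.Lambda.Serialization.SystemTextJson.DefaultLambdaJsonSerializer))]

namespace PgpEncryptLambda // assumed namespace
{
    public class Function
    {
        private readonly IAmazonS3 _s3 = new AmazonS3Client();

        // Assumption: the armored public key is provided through an environment
        // variable of the function rather than bundled into the deployment package.
        private static readonly string PublicKey =
            Environment.GetEnvironmentVariable("PGP_PUBLIC_KEY");

        public async Task<string> FunctionHandler(S3Event evnt, ILambdaContext context)
        {
            var record = evnt.Records?[0].S3;
            if (record == null)
            {
                return null;
            }

            string bucket = record.Bucket.Name;
            // S3 URL-encodes the key in the event; restore spaces and other characters.
            string key = Uri.UnescapeDataString(record.Object.Key.Replace("+", " "));

            // Guard against the trigger loop: the .pgp output we write below raises
            // its own ObjectCreated event in the same bucket.
            if (key.EndsWith(".pgp", StringComparison.OrdinalIgnoreCase))
            {
                context.Logger.LogLine($"Skipping already-encrypted object {key}");
                return null;
            }

            // Lambda only allows writes under /tmp.
            string plainPath = Path.Combine("/tmp", Path.GetFileName(key));
            string encryptedPath = plainPath + ".pgp";

            // 1. Download the object into the temp location.
            using (GetObjectResponse response = await _s3.GetObjectAsync(bucket, key))
            using (FileStream plain = File.Create(plainPath))
            {
                await response.ResponseStream.CopyToAsync(plain);
            }

            // 2. Encrypt with the public key (ASCII-armored, with integrity check).
            var pgp = new PGP(new EncryptionKeys(PublicKey));
            using (FileStream input = File.OpenRead(plainPath))
            using (FileStream output = File.Create(encryptedPath))
            {
                pgp.EncryptStream(input, output, armor: true, withIntegrityCheck: true);
            }

            // 3. Upload the encrypted file as <key>.pgp.
            string encryptedKey = await AmazonUploader.UploadAsync(_s3, bucket, key + ".pgp", encryptedPath);
            context.Logger.LogLine($"Encrypted s3://{bucket}/{key} to s3://{bucket}/{encryptedKey}");

            // 4. /tmp survives between warm invocations, so remove the plaintext copy.
            File.Delete(plainPath);
            File.Delete(encryptedPath);
            return encryptedKey;
        }
    }

    // Counterpart of the post's AmazonUploader.cs: puts a local file into S3.
    public static class AmazonUploader
    {
        public static async Task<string> UploadAsync(IAmazonS3 s3, string bucket, string key, string filePath)
        {
            var request = new PutObjectRequest
            {
                BucketName = bucket,
                Key = key,
                FilePath = filePath,
                // Server-side encryption at rest on top of the PGP layer.
                ServerSideEncryptionMethod = ServerSideEncryptionMethod.AES256
            };
            await s3.PutObjectAsync(request);
            return key;
        }
    }
}
```

The function's execution role needs s3:GetObject and s3:PutObject on the bucket; writing the output to a different bucket (or a different prefix, combined with the prefix/suffix filter from step 5) is a cleaner way to avoid the re-trigger than the suffix check alone.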

4. Upload the code to the Lambda Function

  • Right-click the project in Solution Explorer; there is an option to publish to AWS Lambda.
Publish to AWS Lambda
  • To deploy your code to an AWS Lambda function, fill in the required details.
  • Function Name: the name of the Lambda function the code will be deployed to.
Upload details of the Lambda function
  • The handler name is available in “aws-lambda-tools-defaults.json”. This file is generated when you choose the ‘Simple-S3-Function’ blueprint.
Function-Handler
  • After the deployment is done, we can either test in Visual Studio itself or go to the Lambda function in the AWS console to trigger it.
S3-put Event
  • Before we run the Lambda function, we need to create a test event from the s3-put template. The template is provided by default; we modify it with our own details. Below is the sample S3-Put event in JSON format.

```json
{
  "Records": [
    {
      "eventVersion": "2.0",
      "eventSource": "aws:s3",
      "awsRegion": "us-east-1",
      "eventTime": "1970-01-01T00:00:00.000Z",
      "eventName": "ObjectCreated:Put",
      "userIdentity": {
        "principalId": "EXAMPLE"
      },
      "requestParameters": {
        "sourceIPAddress": "127.0.0.1"
      },
      "responseElements": {
        "x-amz-request-id": "EXAMPLE123456789",
        "x-amz-id-2": "EXAMPLE123/5678abcdefghijklambdaisawesome/mnopqrstuvwxyzABCDEFGH"
      },
      "s3": {
        "s3SchemaVersion": "1.0",
        "configurationId": "testConfigRule",
        "bucket": {
          "name": "PGP_Encrypt_Bucket",
          "ownerIdentity": {
            "principalId": "EXAMPLE"
          },
          "arn": "arn:aws:s3:::PGP_Encrypt_Bucket"
        },
        "object": {
          "key": "test_file.txt",
          "size": 1024,
          "eTag": "0123456789abcdef0123456789abcdef",
          "sequencer": "0A1B2C3D4E5F678901"
        }
      }
    }
  ]
}
```

Since AWS Lambda does not provide an inline code editor for C#, any change must be made in Visual Studio and re-deployed before testing. Finally, click Test to run the code.

5. Add Trigger to the Lambda Function

  • Click +Add trigger to add a trigger to the Lambda function.
Adding event trigger to Lambda
  • Once it is clicked, configure the trigger with the event type.
  • Optional: Prefix and Suffix restrict the trigger to selected files. If the suffix is ‘.csv’, the function only triggers when a CSV file lands in the bucket.
Trigger configuration

Finally, this creates an AWS event trigger. When a file lands in the configured bucket, the function takes the filename, encrypts the file with our public key, and saves the encrypted file as filename.pgp.

Similarly, to decrypt the file, use “DecryptStream” with the private key.

Decrypt the file
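The decryption code is also an image on the page, so the following added example (mine, not the post's) shows the DecryptStream call with PgpCore, plus a round-trip check that a public/private key pair and passphrase actually belong together before they are wired into the Lambda. It assumes the PgpCore package and reads the keys from PGP_PUBLIC_KEY, PGP_PRIVATE_KEY and PGP_PASSPHRASE environment variables; the class and variable names are assumptions, and the sample payload is constructed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using PgpCore;

public static class PgpRoundTrip // assumed name
{
    // Decrypt encryptedPath into decryptedPath with the private key and passphrase.
    // PgpCore verifies the integrity check added at encryption time and throws if
    // the ciphertext was altered, so a corrupted .pgp never yields silently wrong output.
    public static void DecryptFile(string encryptedPath, string decryptedPath,
                                   string privateKey, string passPhrase)
    {
        var pgp = new PGP(new EncryptionKeys(privateKey, passPhrase));
        using FileStream input = File.OpenRead(encryptedPath);
        using FileStream output = File.Create(decryptedPath);
        pgp.DecryptStream(input, output);
    }

    // Encrypt a scratch file with the public key, decrypt it with the private key,
    // and compare hashes. A wrong key or passphrase shows up here, not in production.
    public static bool VerifyKeyPair(string publicKey, string privateKey, string passPhrase)
    {
        string dir = Path.Combine(Path.GetTempPath(), "pgp-check-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);
        string plain = Path.Combine(dir, "sample.txt");
        string encrypted = plain + ".pgp";
        string roundTrip = Path.Combine(dir, "sample.decrypted.txt");
        try
        {
            // Constructed sample payload.
            File.WriteAllText(plain, "constructed sample payload " + DateTime.UtcNow.ToString("o"));

            var pgp = new PGP(new EncryptionKeys(publicKey));
            using (FileStream input = File.OpenRead(plain))
            using (FileStream output = File.Create(encrypted))
            {
                pgp.EncryptStream(input, output);
            }

            DecryptFile(encrypted, roundTrip, privateKey, passPhrase);
            return Sha256(plain) == Sha256(roundTrip);
        }
        finally
        {
            // Never leave plaintext or key material lying around in the temp folder.
            Directory.Delete(dir, recursive: true);
        }
    }

    private static string Sha256(string path)
    {
        using FileStream stream = File.OpenRead(path);
        using var sha = SHA256.Create();
        return Convert.ToHexString(sha.ComputeHash(stream));
    }

    public static void Main()
    {
        string publicKey = Environment.GetEnvironmentVariable("PGP_PUBLIC_KEY");
        string privateKey = Environment.GetEnvironmentVariable("PGP_PRIVATE_KEY");
        string passPhrase = Environment.GetEnvironmentVariable("PGP_PASSPHRASE");
        Console.WriteLine(VerifyKeyPair(publicKey, privateKey, passPhrase)
            ? "key pair OK"
            : "round trip FAILED");
    }
}
```

If the decrypt side also runs as a Lambda, keep the private key and passphrase out of the bucket that holds the ciphertext and out of the deployment package; an environment variable populated from a secrets store, as assumed here, keeps the key readable only by the function's execution role.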

I hope this article helps you encrypt and decrypt files using PGP keys.

About Us

Bi3 has been recognized for being one of the fastest-growing companies in Australia. Our team has delivered substantial and complex projects for some of the largest organizations around the globe and we’re quickly building a brand that is well known for superior delivery.

Website : https://bi3technologies.com/

Follow us on:
LinkedIn : https://www.linkedin.com/company/bi3technologies
Instagram : https://www.instagram.com/bi3technologies/
Twitter : https://twitter.com/Bi3Technologies
