The S3EC attempts to be as "transparent" as possible when applying client-side encryption. For example, PutObject/GetObject "just works". A deeper example is ranged gets - in Java, a ranged get request will apply to the plaintext range, the customer does not need to manually adjust the range to account for encrypted blocks.
However, there is one aspect that is seemingly not possible, which is contentLength of the GetObject stream. It includes the auth tag. Customers need to read the entire thing, which is their original message length + auth tag (or padding in the case of CBC).
This needs to be well-documented.
The S3EC attempts to be as "transparent" as possible when applying client-side encryption. For example, PutObject/GetObject "just works". A deeper example is ranged gets - in Java, a ranged get request will apply to the plaintext range, the customer does not need to manually adjust the range to account for encrypted blocks.
However, there is one aspect that is seemingly not possible, which is contentLength of the GetObject stream. It includes the auth tag. Customers need to read the entire thing, which is their original message length + auth tag (or padding in the case of CBC).
This needs to be well-documented.