@@ -29,6 +29,7 @@ class Config(object):

     access_token = ""

     host_base = "s3.amazonaws.com"

     host_bucket = "%(bucket)s.s3.amazonaws.com"

+    kms_key = ""    #can't set this and Server Side Encryption at the same time

     simpledb_host = "sdb.amazonaws.com"

     cloudfront_host = "cloudfront.amazonaws.com"

     verbosity = logging.WARNING

@@ -155,6 +156,12 @@ class Config(object):

                     self.secret_key = env_secret_key

                 else:

                     self.role_config()

+                    

+            #TODO check KMS key is valid

+            if self.kms_key and self.server_side_encryption == True:

+                warning('Cannot have server_side_encryption (S3 SSE) and KMS_key set (S3 KMS). KMS encryption will be used. Please set server_side_encryption to False')

+            if self.kms_key and self.signature_v2 == True:

+                raise Exception('KMS encryption requires signature v4. Please set signature_v2 to False')

     def role_config(self):

         if sys.version_info[0] * 10 + sys.version_info[1] < 26:

@@ -573,6 +573,11 @@ class S3(object):

         if self.config.server_side_encryption:

             headers["x-amz-server-side-encryption"] = "AES256"

+        ####inject in kms headers

+        if self.config.kms_key:

+            headers['x-amz-server-side-encryption'] = 'aws:kms'

+            headers['x-amz-server-side-encryption-aws-kms-key-id'] = self.config.kms_key

+            

         ## MIME-type handling

         headers["content-type"] = self.content_type(filename=filename)

@@ -725,6 +730,11 @@ class S3(object):

         if self.config.server_side_encryption:

             headers["x-amz-server-side-encryption"] = "AES256"

+        ####inject in kms headers

+        if self.config.kms_key:

+            headers['x-amz-server-side-encryption'] = 'aws:kms'

+            headers['x-amz-server-side-encryption-aws-kms-key-id'] = self.config.kms_key

+            

         if extra_headers:

             headers.update(extra_headers)

@@ -759,7 +769,12 @@ class S3(object):

         ## Set server side encryption

         if self.config.server_side_encryption:

             headers["x-amz-server-side-encryption"] = "AES256"

-

+        

+        ####inject in kms headers

+        if self.config.kms_key:

+            headers['x-amz-server-side-encryption'] = 'aws:kms'

+            headers['x-amz-server-side-encryption-aws-kms-key-id'] = self.config.kms_key

+            

         if extra_headers:

             headers.update(extra_headers)

@@ -1265,7 +1280,8 @@ class S3(object):

             raise S3Error(response)

         debug("MD5 sums: computed=%s, received=%s" % (md5_computed, response["headers"]["etag"]))

-        if response["headers"]["etag"].strip('"\'') != md5_hash.hexdigest():

+        ## when using KMS encryption, MD5 etag value will not match

+        if (response["headers"]["etag"].strip('"\'') != md5_hash.hexdigest()) and response["headers"]["x-amz-server-side-encryption"] != 'aws:kms':

             warning("MD5 Sums don't match!")

             if retries:

                 warning("Retrying upload of %s" % (filename))

@@ -1464,8 +1480,9 @@ class S3(object):

             warning("Reported size (%s) does not match received size (%s)" % (

                 start_position + long(response["headers"]["content-length"]), response["size"]))

         debug("ReceiveFile: Computed MD5 = %s" % response.get("md5"))

+        debug("sse headers : %s" % response["headers"]["x-amz-server-side-encryption"])

         # avoid ETags from multipart uploads that aren't the real md5

-        if '-' not in md5_from_s3 and not response["md5match"]:

+        if ('-' not in md5_from_s3 and not response["md5match"]) and (response["headers"]["x-amz-server-side-encryption"] != 'aws:kms'):

             warning("MD5 signatures do not match: computed=%s, received=%s" % (

                 response.get("md5"), md5_from_s3))

         return response