KMS API
CLI
Encryption
aws kms encrypt --key-id [alias|arn] --plaintext [text-uri] --output [output-type] --query [queryOption] --region <aws-region>
It returns the encrypted content base64-encoded.
Decryption
aws kms decrypt --ciphertext-blob [text-uri] --output [output-type] --query [queryOption] --region <aws-region>
No key has to be specified: the encrypted blob already records which key was used to encrypt it.
It returns the decrypted content base64-encoded.
Working

Envelope Encryption Technique
This technique uses KMS to generate keys, while encryption and decryption are performed on the client side.
It is typically used to encrypt and decrypt data larger than 4 KB, since the KMS API has a limit of 4 KB.
This is supported out of the box in the SDK and CLI, with support for languages such as Java, Python, C, JavaScript, etc.
The SDK also has Data Key Caching, which allows data keys to be reused instead of creating a new one for each encryption. This reduces calls to KMS, with a security trade-off.
It uses a LocalCryptoMaterialsCache, for which you can specify max-age, max-bytes, and the max number of messages.
Encryption
This technique is used when you want to encrypt data larger than 4 KB.
For this, use the GenerateDataKey API: it returns a Data Encryption Key (DEK) in both plaintext and encrypted form. There is also another API called GenerateDataKeyWithoutPlaintext, which returns only the encrypted DEK.
On a side note, the GenerateRandom API returns a random byte string.
The plaintext DEK is used at the client side to encrypt the file/data.
An envelope is created at the client side containing both the encrypted file and the encrypted key; both are present in the final file.
Decryption
This technique is used when you want to decrypt data larger than 4 KB.
Use the Decrypt API on the encrypted DEK to recover the plaintext DEK. Once the plaintext DEK is obtained, it can be used at the client side to decrypt the encrypted big file.
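As an added example (not from the original page or from AWS), the envelope built in the Encryption and Decryption steps above, in Python. `FakeKms` is a constructed offline stand-in that exposes the same `generate_data_key`/`decrypt` call shapes as a boto3 KMS client, so a real client could be passed in its place; the SHA-256 counter-mode keystream plus HMAC tag is a standard-library stand-in for AES-GCM, used only so the example runs offline.

```python
import hashlib, hmac, os, struct

MAGIC = b"ENV1"  # constructed envelope format: MAGIC | u16 len | wrapped DEK | nonce | body | tag

def _keystream_xor(key, nonce, data):
    # Stand-in for AES-GCM so this runs on the standard library: SHA-256 in counter mode as a keystream.
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + struct.pack(">Q", block)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def _subkeys(dek):
    # Separate encryption and MAC keys derived from the one DEK that KMS handed out.
    return hashlib.sha256(b"enc" + dek).digest(), hashlib.sha256(b"mac" + dek).digest()

def envelope_encrypt(kms, key_id, plaintext):
    # One GenerateDataKey call per object: KMS returns the DEK both in plaintext and wrapped under key_id.
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    enc_key, mac_key = _subkeys(resp["Plaintext"])
    wrapped, nonce = resp["CiphertextBlob"], os.urandom(16)
    header = MAGIC + struct.pack(">H", len(wrapped)) + wrapped + nonce
    body = _keystream_xor(enc_key, nonce, plaintext)
    # Encrypt-then-MAC over header and body, so a swapped or altered wrapped DEK is rejected too.
    return header + body + hmac.new(mac_key, header + body, hashlib.sha256).digest()

def envelope_decrypt(kms, blob):
    if blob[:4] != MAGIC or len(blob) < 6 + 16 + 32:
        raise ValueError("not an envelope")
    n = struct.unpack(">H", blob[4:6])[0]
    wrapped, nonce = blob[6:6 + n], blob[6 + n:22 + n]
    body, tag = blob[22 + n:-32], blob[-32:]
    # Decrypt takes no KeyId: the wrapped DEK blob records which KMS key produced it.
    enc_key, mac_key = _subkeys(kms.decrypt(CiphertextBlob=wrapped)["Plaintext"])
    if not hmac.compare_digest(tag, hmac.new(mac_key, blob[:-32], hashlib.sha256).digest()):
        raise ValueError("envelope authentication failed")
    return _keystream_xor(enc_key, nonce, body)

class FakeKms:
    """Constructed offline stand-in for a boto3 KMS client; the key material never leaves this object."""
    def __init__(self):
        self._cmk = os.urandom(32)
    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        dek, nonce = os.urandom(32), os.urandom(16)
        wrapped = KeyId.encode() + b"\x00" + nonce + _keystream_xor(self._cmk, nonce, dek)
        return {"KeyId": KeyId, "Plaintext": dek, "CiphertextBlob": wrapped}
    def decrypt(self, CiphertextBlob):
        key_id, rest = CiphertextBlob.split(b"\x00", 1)  # the blob carries its own key id
        return {"KeyId": key_id.decode(), "Plaintext": _keystream_xor(self._cmk, rest[:16], rest[16:])}
```

With a real client, `envelope_encrypt(boto3.client("kms"), "alias/my-key", data)` produces the same envelope layout, and only the small wrapped DEK ever crosses the 4 KB KMS API limit.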
