search

KMS API

hashtag
CLI

hashtag
Encryption

    aws kms encrypt --key-id [alias|arn] --plaintext [text-uri] --output [output-type] --query [queryOption] --region <aws-region>

    ## Example

    aws kms encrypt --key-id sample/key-id --plaintext fileb://samplefile.txt --output text --query CiphertextBlob --region ap-south-1

  • It provides base-64 encoded output of the encrypted content.

hashtag
Decryption

    aws kms decrypt --ciphtertext-blob [text-uri] --output [output-type] --query [queryOption] --region <aws-region>

    ## Example
    aws kms decrypt --ciphtertext-blob fileb://sampe-file.txt --output text --query Plaintext --region ap-south-1

  • It knows which key to use to decrypt the value as encrypted blob already has that information.

  • It provides base-64 encoded output of the decrypted content.

  • For this to work appropriate IAM permission is required.

hashtag
Working

KMS Working

hashtag
Envelope Encryption Technique

  • This technique uses KMS to generate Keys and perform encryption and decryption at client side.

  • Typically used to encrypt and decrypt data more than 4 KB as KMS API has limit of 4 KB.

  • This is supported out of box in SDK and CLI and supports languages like Java, python, C, Javascript etc.

  • The SDK also have Data Key Caching,

    • This allows to reuse the data keys instead of creating new ones for each encryption.

    • Reduces calls to KMS with a security trade-off.

    • This uses LocalCryptoMaterialsCache, for this we can specify max-age, max-bytes, max number of messages.

hashtag
Encryption

  • This technique is used when you want to encrypt the data above 4 KB.

  • For this use GenerateDataKey API : This API give a plain and encrypted Data Encryption Key (DEK). There is also another API called GenerateDataKeyWithoutPlaintext which will only return encrypted DEK.

  • On a side note, GenerateRandom API returns a random byte string.

  • This key can be used at client side to encrypt the file/data.

  • An envelope is created at client side which has both encrypted file and encrypted key, both of them will be present in the final file. Envelope Encryption

hashtag
Decryption

  • This technique is used when you want to decrypt the data above 4KB.

  • Use the Decrypt API along with encrypted DEK to decrypt it.

  • Once plain DEK is obtained, this can be used to decrypt the encrypted big file.

Envelope Decryption
PreviousEncryptionNextFeatures

Last updated