Encrypting and Decrypting a file through CLI using AWS KMS


Key Management Service

AWS Key Management Service is an easy way of creating  and managing Keys for encryption and decryption. AWS KMS can be seamlessly  integrated  with Amazon EBS, Amazon S3, Redshift, RDS, SSM and many other services. KMS provides two types of Customer Master Keys - Symmetric and Asymmetric. KMS can be integrated  with CloudTrail for auditing Key usage. With KMS you can encrypt up to 4KB of data per call.  For data more than 4KB, use envelope encryption.


Symmetric  Keys are AES-256 bit type of encryption keys, where a single encryption key is used for Encryption  and Decryption. Most of the AWS Services that are integrated  with KMS use Symmetric Keys. Symmetric  Keys are used for envelope encryption.


Asymmetric  Keys are of type RSA and ECC Key pairs, where two keys are used for encryption and decryption. Public key is used for Encryption  and Private key is used for Decryption. The public  key is downloadable, but Private key cannot  be accessed  unencrypted.

Creating Symmetric Key


  • For creating KMS keys, open the AWS Key Management Service console and click on 'create key'.  Select the key type as 'Symmetric' and choose KMS as the key origin. Using KMS as origin will generate a symmetric key for encryption and decryption. You could also provide  your own key if necessary using 'External ' as the origin. Click next to proceed  further.



  • Enter an alias for the key and click next. You can also enter description  and add tags if needed.



  • If you want the key to be administered by certain users, then choose that particular IAM users or roles as key administrators. Not choosing any of the users or roles, will grant key access to all the users. After choosing the key administrator, click next.


  • Select the IAM users and roles that can use the Customer Master Key. Use default key usage permissions for allowing all users and roles to use the key.


  • Review the key configuration, key policy and click finish to create a symmetric key. The below image shows the created key details like alias name, ID, key type and key usage.



 Encrypting and Decrypting a file through CLI using the KMS symmetric key.

Create a text file containing data to be encrypted. This file will be encrypted  and decrypted using the symmetric key through CLI.


'aws kms encrypt' command is used for encrypting the data in the file. Specify the Key ARN or Key ID or Key Alias, input file path and region in the CLI command. Executing this command gives the encrypted file in base64 format.  The base64 file is then decoded to get a binary encrypted file.


#Encrypting a file
aws kms encrypt --key-id alias/EncryptionKeyForFile --plaintext fileb://datafile.txt --output text --query CiphertextBlob --region us-east-1 > Encrypteddatafile.base64

# Decoding base64 file to binary file
cat Encrypteddatafile.base64 | base64 --decode > Encrypteddatafile


The below image shows the encrypted data.



The Encrypted binary file is decrypted using ' aws kms decrypt' command to a base64 format and then base64 file is decoded to get a text file.  For decrypting, specify the Encrypted file path  and region in the command.


#Decrypting a file
aws kms decrypt --ciphertext-blob fileb://Encrypteddatafile   --output text --query Plaintext  > Decrypteddatafile.base64

#Decoding base64 file to text file
cat Decrypteddatafile.base64 | base64 --decode  > Decrypteddatafile.txt


The below image shows the command execution and the decrypted file.


Encrypting and Decrypting a file through SDK CLI


Install the Encryption SDK using pip3/pip command in CLI.

pip3 install aws-encryption-sdk-cli



For Encryption, specify the Key ARN and the input file path in the command.

aws-encryption-cli      --encrypt \ 
                        --input datafile.txt \ 
                        --wrapping-keys key=arn:aws:kms:us-east-1:xxxxxxxx:key/xxxx-xxx-xxx-xxx-xxxx \ 
                        --metadata-output ~/metadata \ 
                        --output .


The below image shows the encrypted data of the file.



Specify the Encrypted file path as input and the Key ARN in the decryption command. The decrypted file will be created in the same folder.

aws-encryption-cli   --decrypt \      
                     --input datafile.txt.encrypted \
                     --wrapping-keys key=arn:aws:kms:us-east-1:xxxxxxxx:key/xxxx-xxx-xxx-xxx-xxx \
                     --metadata-output ~/metadata \
                     --output .


The below image shows the decrypted data of the file.



We have successfully Encrypted and Decrypted  a file through CLI and SDK CLI using the KMS Symmetric key. AWS KMS is a fully managed, Centralised  and secure service. KMS is a cost effective service, where you pay $1/month for storing a key.  With KMS, you can easily create, delete, rotate and import keys through the Console or SDK or CLI.