Key Management Service
AWS Key Management Service is an easy way of creating and managing Keys for encryption and decryption. AWS KMS can be seamlessly integrated with Amazon EBS, Amazon S3, Redshift, RDS, SSM and many other services. KMS provides two types of Customer Master Keys - Symmetric and Asymmetric. KMS can be integrated with CloudTrail for auditing Key usage. With KMS you can encrypt up to 4KB of data per call. For data more than 4KB, use envelope encryption.
Symmetric Keys are AES-256 bit type of encryption keys, where a single encryption key is used for Encryption and Decryption. Most of the AWS Services that are integrated with KMS use Symmetric Keys. Symmetric Keys are used for envelope encryption.
Asymmetric Keys are of type RSA and ECC Key pairs, where two keys are used for encryption and decryption. Public key is used for Encryption and Private key is used for Decryption. The public key is downloadable, but Private key cannot be accessed unencrypted.
Creating Symmetric Key
- For creating KMS keys, open the AWS Key Management Service console and click on 'create key'. Select the key type as 'Symmetric' and choose KMS as the key origin. Using KMS as origin will generate a symmetric key for encryption and decryption. You could also provide your own key if necessary using 'External ' as the origin. Click next to proceed further.
- Enter an alias for the key and click next. You can also enter description and add tags if needed.
- If you want the key to be administered by certain users, then choose that particular IAM users or roles as key administrators. Not choosing any of the users or roles, will grant key access to all the users. After choosing the key administrator, click next.
- Select the IAM users and roles that can use the Customer Master Key. Use default key usage permissions for allowing all users and roles to use the key.
- Review the key configuration, key policy and click finish to create a symmetric key. The below image shows the created key details like alias name, ID, key type and key usage.
Encrypting and Decrypting a file through CLI using the KMS symmetric key.
Create a text file containing data to be encrypted. This file will be encrypted and decrypted using the symmetric key through CLI.
'aws kms encrypt' command is used for encrypting the data in the file. Specify the Key ARN or Key ID or Key Alias, input file path and region in the CLI command. Executing this command gives the encrypted file in base64 format. The base64 file is then decoded to get a binary encrypted file.
#Encrypting a file aws kms encrypt --key-id alias/EncryptionKeyForFile --plaintext fileb://datafile.txt --output text --query CiphertextBlob --region us-east-1 > Encrypteddatafile.base64 # Decoding base64 file to binary file cat Encrypteddatafile.base64 | base64 --decode > Encrypteddatafile
The below image shows the encrypted data.
The Encrypted binary file is decrypted using ' aws kms decrypt' command to a base64 format and then base64 file is decoded to get a text file. For decrypting, specify the Encrypted file path and region in the command.
#Decrypting a file aws kms decrypt --ciphertext-blob fileb://Encrypteddatafile --output text --query Plaintext > Decrypteddatafile.base64 #Decoding base64 file to text file cat Decrypteddatafile.base64 | base64 --decode > Decrypteddatafile.txt
The below image shows the command execution and the decrypted file.
Encrypting and Decrypting a file through SDK CLI
Install the Encryption SDK using pip3/pip command in CLI.
pip3 install aws-encryption-sdk-cli
For Encryption, specify the Key ARN and the input file path in the command.
aws-encryption-cli --encrypt \ --input datafile.txt \ --wrapping-keys key=arn:aws:kms:us-east-1:xxxxxxxx:key/xxxx-xxx-xxx-xxx-xxxx \ --metadata-output ~/metadata \ --output .
The below image shows the encrypted data of the file.
Specify the Encrypted file path as input and the Key ARN in the decryption command. The decrypted file will be created in the same folder.
aws-encryption-cli --decrypt \ --input datafile.txt.encrypted \ --wrapping-keys key=arn:aws:kms:us-east-1:xxxxxxxx:key/xxxx-xxx-xxx-xxx-xxx \ --metadata-output ~/metadata \ --output .
The below image shows the decrypted data of the file.
We have successfully Encrypted and Decrypted a file through CLI and SDK CLI using the KMS Symmetric key. AWS KMS is a fully managed, Centralised and secure service. KMS is a cost effective service, where you pay $1/month for storing a key. With KMS, you can easily create, delete, rotate and import keys through the Console or SDK or CLI.