[AWS DA GURU] KMS and Encryption on AWS

What is KMS

• Managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
• Seamlessly integrated with many AWS services to make encrypting data in those services as easy as checking a box
• With KMS, it is simple to encrypt your data with encryption keys that you manage.

 

When do we use KMS?

Whenver you are dealing with sensitive information.

Sensitive data that you wnat to keep secrect.

 

What is a CMK?

CMK stands for "Customer Master Key"

• Encrypt / decrypt data up to 4 KB;
• Use for generate/encrypt/decrypt the data key
• Data Key is used to encrypt / decrypt your data

Known as Envelope Encryption.

 

 

---

 

You need to assign KMS to a user.

Encrypt a text file `secret.txt` output file called `encryptedsecret.txt`:

aws kms encrypt --key-id <YOUR_KMS_KEY_ID> --plaintext fileb://secret.txt --output text --query CiphertextBlob | base64 --decode > encryptedsecret.txt

 

Decrypt the encrypted file:

aws kms decrypt --ciphertext-blob fileb://encryptedsecret.txt --output text --query Plaintext | base64 --decode > decryptedsecret.txt

 

Re-encrypt an encrypt file:

aws kms re-encrypt --destination-key-id <YOUR_KMS_KEY_ID> --ciphertext-blob fileb://encryptedsecret.txt | base64 > newencryption.txt 

 

enable key rotation on yearly base

aws kms enable-key-rotation --key-id <YOUR_KMS_KEY_ID>

 

check key rotation enabled or not:

aws kms get-key-rotation-status --key-id <YOUR_KMS_KEY_ID>

 

If you need to encrypt larger than 4KB file, you need to use data key:

aws kms generate-data-key --key-id YOURKEYIDHERE --key-spec AES_256

For example, your lambda need to encrypt large data.

 

Document abou KMS API

 

 

Envelope Encryption

KMS geneate CMK which use API to generate a DataKey;

The DataKey is also called Envelope Key

Use this Envelope key to encrypts large data (> 4KB).

 

Why use Envelope Encryption

Network

When you can encrypt data directly KMS it musts be transferred over the network.

Performance

With envelope encryption, only the data key goes over the network, not your data.

Benefits

The data key is used locally in your application or AWS service, avoding the need to transfer large amounts of data to KMS.

 

KMS create/control CMK (Customer master key)

You can view CMK, but CANNOT manage CMK

KMS use CMK to encrypt your data

Envelope encryption is used to protect your encryption key, used when data is large than 4kb.

When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. Reference: Envelope encryption.