Sensitive Information cipher and decipher Using AWS Cloud KMS service
AWS Key Management Store (KMS) is a managed service that enables you to easily encrypt your data. It provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services with Key Rotation. With this service, you can centrally manage and securely store your keys. These are known as customer master keys (CMKs). You can generate CMKs in KMS, in an AWS CloudHSM cluster, or import them from your own key management infrastructure. These master keys are protected by hardware security modules (HSMs) and are only ever used within those modules. You can submit data directly to KMS to be encrypted or decrypted using these master keys.KMS is tightly integrated into many AWS services like Lambda, S3, EBS, EFS, DynamoDB, SQS, etc.
AWS KMS is integrated with AWS services and client-side toolkits that use a method known as envelope encryption to encrypt your data. Under this method, KMS generates Data Encryption keys(DEK) that are used to encrypt data and are themselves encrypted using your master keys in KMS. With Envelop encryption:
- A data key is generated and used by the AWS service to encrypt each piece of data or resource.
- The data key is encrypted under a master key defined in AWS KMS.
- The encrypted data key is then stored by the AWS service Or Self-managed service for future decryption.
- For data decryption by the AWS service, the encrypted data key is passed to AWS KMS and decrypted under the master key that was originally encrypted so that data can be decrypted.
When the data is encrypted directly with KMS it must be transferred over the network. KMS doesn't support sending data more than 4 KB to be encrypted. Envelope encryption can offer significant performance benefits. Envelope encryption reduces the network load for the application or AWS cloud service as Only the request and fulfillment of the data key through KMS go over the network.
KMS Service Concepts
- Customer Master Keys (CMKs):
a. AWS KMS customer master keys (CMKs) are 256-bit Advanced Encryption Standard (AES) symmetric keys that are not exportable.
b. CMKs are created in AWS KMS and never leave AWS KMS unencrypted.
c. CMK to encrypt and decrypt up to 4 KB (4096 bytes) of data.
- Data Encryption Keys (DEKs):
a. Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.
b. AWS KMS does not store, manage, or track your data encryption keys.
To see the working of KMS Encryption and Decryption operations, First, we need to create an Encryption key. This can be done from both AWS console or AWS CLI. To keep the tutorial simple we will go by AWS Management console.
From the Console head to the AWS KMS Service page.
From the left Navigation bar, head to the Customer Managed Keys section. Click on Create Key to add a CMK to your Account. Now you have to define specifications for your key. Follow the setting below for this tutorial. You can customize different settings accordingly to your requirements.
Assign administrator to your key. This can be an IAM role or user. This power to enable/disable Key usage. you can also privilege this user to delete this key choose according to your requirement. Right now we are going with an IAM user.
Assign the user we want to allow to use this Key. Other AWS Account users can also be specified.
Finally, Finish up with the setup and now this key will be available for usage.
Now coming to the main part, Let’s use the above key we create to do actual encryption and decryption for our content. The procedure for encryption/decryption operation will be dependent on the size of the content we have Like we discussed earlier. Content that is less than 4KB can be encrypted over the network, but for content more than 4KB in size we will generate Data Encryption Key (DEK) For required operations.
Let’s say we have some text content. We can perform operations by AWS SDK in any of the preferred programming languages. But to get familiar with operations let's use AWS CLI on a terminal window. You can perform the same operations on AWS SDK as well.
- Assuming that you have AWS CLI set up with correct credentials. Let's list out the available KMS Keys by
$ aws kms list-aliases
- Let’s create a secret document.
$ echo "This is my secret stuff" > secret.txt
$ cat secret.txt
This is my secret stuff
- Now since this a small document (less than 4Kb) we can encrypt this directly by CMK. Below is the command which helps you do so. And we get the encrypted text.
$ aws kms encrypt --plaintext file://secret.txt --key-arn arn:aws:kms:ap-south-1:*************:key/1234abcd-12ab-34cd-56ef-1234567890ab
- Now, this ciphertext is in base64 encoding. To be able to send this for decryption we need to send this as Blob, we have to save this in base64 decoded form. This is how it’s done.
$ aws kms encrypt --plaintext file://secret.txt --key-id arn:aws:kms:ap-south-1:*************:key/1234abcd-12ab-34cd-56ef-1234567890ab
--output text --query CiphertextBlob |
base64 --decode > secret.encryptedblob
- Now content in secret.encryptedblob is decryptable, and to do so we send this encrypted blob for decryption.
$ aws kms decrypt --ciphertext-blob fileb://secret.encryptedblob --query Plaintext --output text | base64 --decode This is my secret stuff
We get our original text back with decryption operation. For the case when content is more than 4KB we perform the same operations like above but with the difference of calling encrypted content as Data Encryption Key(DEK). With this unencrypted DEK, we can encrypt any size of data with our in-house Encryption/Decryption tool. We destroy the unencrypted DEK immediately after the encryption operation and store the Encrypted version of DEK along with our data as rest. For Decryption for our, we just need to unencrypt the encrypted DEK using AWS KMS to get back our original unencrypted DEK.