Encrypt and Decrypt Data with KMS and Data Keys [Cheat Sheet]
Whether you’re studying for the AWS Certified Security Specialty exam, or whether you need a way of encrypting and decrypting data to keep it safe, AWS KMS is a critical service to understand. It’s also not the easiest to wrap your head around if encryption isn’t your strong suit.
In a prior cheat sheet, we explored how to get started with the Key Management Service, but in this one let’s learn how to encrypt and decrypt data using symmetric encryption and the KMS
What is Symmetric Encryption?
Symmetric encryption uses the same hashtag#cryptographic keys for both the hashtag#encryption of plaintext and the decryption of ciphertext.
KMS keys
By default, when you create a KMS key, you get a symmetric key that you can use to both encrypt and decrypt data. These KMS keys are great for handling small amounts of data (less than 4096 bytes in size), and they never leave the KMS.
Once created, you can issue a command like this to encrypt plaintext:
aws kms encrypt --key-id alias/lab-key --plaintext fileb://plaintext_favorite_dog.txt --output text --query CiphertextBlob | base64 --decode > encrypted_favorite_dog.txt
Code language: JavaScript (javascript)
…and like this to decrypt ciphertext:
aws kms decrypt --key-id alias/lab-key --ciphertext-blob fileb://encrypted_favorite_dog.txt --output text --query Plaintext | base64 --decode > decrypted_favorite_dog.txt
Code language: JavaScript (javascript)
KMS data keys
However, KMS keys can’t be used for larger data. In that case, you can create a random KMS data key that gets enveloped by a KMS key before it leaves KMS. You can then use the plaintext data key locally to encrypt plaintext data, and later on, you can use it to decrypt its ciphertext.
The default AWS CLI can’t work with data keys directly, so you can either use something like OpenSSL or the AWS Encryption SDK. Reference the cheat sheet for more info and examples!
Want to apply this hands-on?
I created this cheat sheet to celebrate the launch of our latest Cybr 🧪 Hands-On Lab: “Encrypt and Decrypt Data with KMS and Data Keys” where you can apply and practice everything in this cheat sheet in a real AWS environment.
Cybr Premium members can access the lab here.
More information about our Hands-On Labs.
Responses