aws logo

Encrypting your Data with AWS Key Management Service (KMS)

Every time you are dealing with sensitive data you should think about encrypting it! Therefore AWS provides a service called Key Management Service or KMS. KMS makes it easy to create and control encryption keys used to encrypt your data and view your existing keys in a single dashboard. Inside AWS exists a broad integration of KMS with services like S3, EBS or EFS.

AWS Managed Keys vs Customer Managed Keys

KMS distinguishes between two types of keys. First AWS managed keys, these are keys created directly by an AWS service like Lambda or S3. They can’t be deleted or assigned into custom roles. The naming is also standardized as aws/servicename. For security reasons AWS managed keys are also including rotations once every 3 years automatically.

Wherever customer managed keys are more custom. You can give them a naming and alias by yourself. They are created directly by yourself and you can delete, enable or disable them. It is also possible to assign them to custom roles. Customer managed keys including rotation once a year automatically or manually. KMS supports three different options for creating a customer managed key, where you can create it with KMS directly, import a self created key or to create one with CloudHSM, which is an even more secure option.

Envelope Encryption

Envelope encryption is a process for encrypting data and applies to files > 4 KB. In this process an additional key gets introduced, a so called data key.

Instead of using the CMK key for encrypting your data, you will now use the CMK to encrypt your data key and afterwards you use the data key to encrypt your data. KMS will not store the data key in AWS, the key will be stored along with the encrypted data locally.

Envelope encryption process - image by author
Envelope encryption process – image by author

In case you want to decrypt your data again, you will need to request the CMK key from KMS. The key will then be used to decrypt your data key first and the data key is used to finally decrypt your data.

You might asking why you are using another key instead of directly encrypting and decrypting data with a CMK key? The benefit of an envelope encryption is that you do not have to send data to KMS over the network. You just send the data key to KMS and do the encryption process locally. This reduces the amount of data which will be send to KMS, which can be very helpful if you are dealing with gigabytes or terabytes of data.

KMS Encryption in Practice

Now you are putting all the information above into action by encrypting and decrypting some dummy data stored in an EC2 instance. First of all you need two users, one as a KMS administrator and another as a KMS user. For further information about IAM, have a look at this article:

https://medium.com/@erwinschleier/identity-and-access-management-iam-78da48f8bb17

Create an IAM Group

Start by navigating to the IAM service and select User groups on the navigation bar. Then click on “Create group” on the top right corner. Name the group “kms_group” and choose “AdministratorAccess” as permissions on the next screen for simplicity.

Create two IAM Users

Still in IAM, go to users and click on “Add users”. Name the user for example “kms_admin” and select “Programmatic access” as well as “AWS Management Console access”.

User creation details - image by author
User creation details – image by author

On the next screen, assign the user to the before created group “kms_group”.

User creation permissions - image by author
User creation permissions – image by author

Finally download the user credentials and finish the user creation.

User creation credentials - image by author
User creation credentials – image by author

Redo the process with another user named “kms_user”!

Create a CMK Key

Continue by navigating to the Key Management Service and select “Customer-managed keys” on the navigation panel on the left. Then create a new CMK key by hitting “Create key”.

CMK dashboard - image by author
CMK dashboard – image by author

You can leave the default configuration and click on “Next”.

CMK creation - image by author
CMK creation – image by author

Now name the CMK on the Alias text field with “kms_tutorial” and click again on “Next”.

CMK alias - image by author
CMK alias – image by author

On the next screen you have to select your KMS administrator, select user “kms_admin” which you have created before.

CMK admin - image by author
CMK admin – image by author

And select the second created user “kms_user” as a KMS user.

CMK user - image by author
CMK user – image by author

You should be navigated back to the dashboard where you see your newly created CMK.

CMK creation successful - image by author
CMK creation successful – image by author

Create an EC2 Instance

As you are encrypting data stored in an EC2 instance, go on and create a new one. Follow along the instructions from this article if you need some guidance.

https://awstip.com/aws-ec2-instance-b17adefba89c

If done so, SSH into your newly created server!

EC2 ssh connection - image by author
EC2 ssh connection – image by author

Encrypting & Decrypting Data with CMK

Finally you can start to use KMS. First, you are gonna to need some data, so create a file called “kms_text.txt” with the following command:

nano kms_text.txt

And insert some dummy data like “Hello World!”. Then close the file with CMD + x and hit y to save it.

Assign the user credentials of the before created user “kms_user” on AWS cli and select your target region.

aws config

And finally encrypt the file “kms_text.txt” with a base64 encryption with the following command:

aws kms encrypt --key-id <your-key-id> --plaintext fileb://kms_text.txt --output text --query CiphertextBlob | base64 --decode > encryptedsecret.txt

Make sure to replace <your-key-id> with the CMK id which you can find in the AWS Console at Key Management Service.

CMK id - image by author
CMK id – image by author

If the command was successful, you should see a new file called encryptedsecret.txt. If you look at it’s content, you should see some weird looking symbols which means the file got encrypted.

KMS encryption commands - image by author
KMS encryption commands – image by author

For decrypting the file again just use the following command:

aws kms decrypt --ciphertext-blob fileb://encryptedsecret.txt --output text --query Plaintext | base64 --decode > decryptedsecret.txt

This will create another file which is called decryptedsecret.txt and it contains the content of the origin file. Go ahead and have a look!

CMK decryption commands - image by author
CMK decryption commands – image by author

Awesome! You are now able to create a CMK key and use it to encrypt or decrypt data. If this article was helpful, please leave a like and if you want to stay updated for more upcoming articles consider to follow my blog. Cheers!

Leave a Comment

Your email address will not be published.