Every time you are dealing with sensitive data you should think about encrypting it! Therefore AWS provides a service called Key Management Service or KMS. KMS makes it easy to create and control encryption keys used to encrypt your data and view your existing keys in a single dashboard. Inside AWS exists a broad integration of KMS with services like S3, EBS or EFS.
AWS Managed Keys vs Customer Managed Keys
KMS distinguishes between two types of keys. First AWS managed keys, these are keys created directly by an AWS service like Lambda or S3. They can’t be deleted or assigned into custom roles. The naming is also standardized as aws/servicename. For security reasons AWS managed keys are also including rotations once every 3 years automatically.
Wherever customer managed keys are more custom. You can give them a naming and alias by yourself. They are created directly by yourself and you can delete, enable or disable them. It is also possible to assign them to custom roles. Customer managed keys including rotation once a year automatically or manually. KMS supports three different options for creating a customer managed key, where you can create it with KMS directly, import a self created key or to create one with CloudHSM, which is an even more secure option.
Envelope encryption is a process for encrypting data and applies to files > 4 KB. In this process an additional key gets introduced, a so called data key.
Instead of using the CMK key for encrypting your data, you will now use the CMK to encrypt your data key and afterwards you use the data key to encrypt your data. KMS will not store the data key in AWS, the key will be stored along with the encrypted data locally.
In case you want to decrypt your data again, you will need to request the CMK key from KMS. The key will then be used to decrypt your data key first and the data key is used to finally decrypt your data.
You might asking why you are using another key instead of directly encrypting and decrypting data with a CMK key? The benefit of an envelope encryption is that you do not have to send data to KMS over the network. You just send the data key to KMS and do the encryption process locally. This reduces the amount of data which will be send to KMS, which can be very helpful if you are dealing with gigabytes or terabytes of data.
KMS Encryption in Practice
Now you are putting all the information above into action by encrypting and decrypting some dummy data stored in an EC2 instance. First of all you need two users, one as a KMS administrator and another as a KMS user. For further information about IAM, have a look at this article:
Create an IAM Group
Start by navigating to the IAM service and select User groups on the navigation bar. Then click on “Create group” on the top right corner. Name the group “kms_group” and choose “AdministratorAccess” as permissions on the next screen for simplicity.
Create two IAM Users
Still in IAM, go to users and click on “Add users”. Name the user for example “kms_admin” and select “Programmatic access” as well as “AWS Management Console access”.
On the next screen, assign the user to the before created group “kms_group”.
Finally download the user credentials and finish the user creation.
Redo the process with another user named “kms_user”!
Create a CMK Key
Continue by navigating to the Key Management Service and select “Customer-managed keys” on the navigation panel on the left. Then create a new CMK key by hitting “Create key”.
You can leave the default configuration and click on “Next”.
Now name the CMK on the Alias text field with “kms_tutorial” and click again on “Next”.
On the next screen you have to select your KMS administrator, select user “kms_admin” which you have created before.
And select the second created user “kms_user” as a KMS user.
You should be navigated back to the dashboard where you see your newly created CMK.
Create an EC2 Instance
As you are encrypting data stored in an EC2 instance, go on and create a new one. Follow along the instructions from this article if you need some guidance.
If done so, SSH into your newly created server!
Encrypting & Decrypting Data with CMK
Finally you can start to use KMS. First, you are gonna to need some data, so create a file called “kms_text.txt” with the following command:
And insert some dummy data like “Hello World!”. Then close the file with CMD + x and hit y to save it.
Assign the user credentials of the before created user “kms_user” on AWS cli and select your target region.
And finally encrypt the file “kms_text.txt” with a base64 encryption with the following command:
aws kms encrypt --key-id <your-key-id> --plaintext fileb://kms_text.txt --output text --query CiphertextBlob | base64 --decode > encryptedsecret.txt
Make sure to replace <your-key-id> with the CMK id which you can find in the AWS Console at Key Management Service.
If the command was successful, you should see a new file called encryptedsecret.txt. If you look at it’s content, you should see some weird looking symbols which means the file got encrypted.
For decrypting the file again just use the following command:
aws kms decrypt --ciphertext-blob fileb://encryptedsecret.txt --output text --query Plaintext | base64 --decode > decryptedsecret.txt
This will create another file which is called decryptedsecret.txt and it contains the content of the origin file. Go ahead and have a look!
Awesome! You are now able to create a CMK key and use it to encrypt or decrypt data. If this article was helpful, please leave a like and if you want to stay updated for more upcoming articles consider to follow my blog. Cheers!