This article explains how to use the AWS Encryption SDK for simplified envelope encryption and decryption of large files.
In this article, we will explore how to simplify envelope encryption using the AWS Encryption SDK. Previously, manually performing envelope encryption was a tedious process that involved generating and decoding data keys, encrypting files, and securely deleting plaintext keys to prevent accidental exposure. The AWS Encryption SDK streamlines these steps, making it much easier to encrypt and decrypt large files.Before you begin, ensure that Python is installed on your system. Verify your Python installation with the following command:
Copy
Ask AI
python -VPS C:\> dir HKLM:\Software\Python\PythonCore/<version>/InstallPath# -or-PS C:\> dir HKCU:\Software\Python\PythonCore/<version>/InstallPath
Once Python is set up, install the AWS Encryption SDK CLI using pip:
To encrypt a file, first export the ARN of your KMS key as an environment variable (e.g., keyArn). This step saves you from having to repeatedly enter the long ARN value in each command. In the following example, we assume that your demo key’s ARN is stored in the $keyArn variable and you are encrypting a file named db-creds.Copy and modify the command below:
**—wrapping-keys key=keyArn∗∗:UsesyourKMSkey,identifiedbytheARNstoredin‘keyArn`, for key wrapping.
—metadata-output metadata: Designates the location to store the encryption metadata.
—encryption-context purpose=test: Applies an encryption context for validation during decryption.
—commitment-policy require-encrypt-require-decrypt: Enforces strict commitment policies for both encryption and decryption.
—output output: Specifies the folder for the encrypted data.
After executing this command, you should see two primary outputs: a metadata file in JSON format and an encrypted file containing binary data. For example, you can view the metadata file using the following command:
Copy
Ask AI
cat metadata | jq
Below is an example of what the metadata JSON might look like:
The metadata provides crucial details like the encryption algorithm, the encrypted data key, and the encryption context which are useful for auditing and troubleshooting.
Decrypting your data is a straightforward process. Ensure that you specify the same encryption context and KMS key ARN that were used during encryption. Use the following command to decrypt the file:
Here’s an explanation of the extra decryption parameters:
—input output: Points to the folder containing the encrypted data.
—metadata-output metadata-decrypted: Specifies the location for the decryption metadata.
—max-encrypted-data-keys 1: Ensures the message contains only one encrypted data key, reducing the risk of processing malformed messages.
—buffer: Ensures decryption is complete before outputting the decrypted data, which is important for validating digital signatures.
—output decrypted-file: Defines the name of the file where the decrypted data will be stored.
Upon running this command, you’ll receive metadata output similar to the encryption process, along with a decrypted file containing your original data (e.g., credentials from the db-creds file).
The AWS Encryption SDK CLI significantly streamlines the process of securing sensitive data through envelope encryption:
It automates data key management so you don’t have to manually generate, decode, or securely dispose of keys.
A single command handles both encryption and decryption, simplifying your workflow.
Detailed metadata files allow you to verify encryption parameters and support auditing processes.
By following the commands and best practices outlined in this guide, you can efficiently secure and access sensitive data using envelope encryption with the AWS Encryption SDK.For more information and additional resources, consider visiting:
