KMS Envelope Encryption Demo

Generating a Data Key
Encrypting Data
Decrypting Data
Final Notes
Additional Resources

In this lesson, you’ll learn how to encrypt large files using AWS KMS envelope encryption. By leveraging envelope encryption, AWS KMS generates a data key from a primary KMS key that encrypts files of any size. Although we will use a sample file named “db-creds,” the same steps apply to larger files.

Generating a Data Key

A KMS key (for example, one named “demo”) can directly encrypt or decrypt data up to 4 KB. To handle larger files, we generate a data key through our KMS key. This data key is provided in two forms:

The plaintext key, used by OpenSSL for file encryption.
The encrypted key, stored securely for later decryption.

To generate a data key, run the following command:

aws kms generate-data-key --key-id alias/demo --key-spec AES_256

The command returns output similar to this:

{
  "CiphertextBlob": "AQIDAHhPIn5jWlOkyhcTrOUNemva4jMiIW9RNFBBMjDPJwngHbFmSd7rWYRpzC32pUfq/AAAAfjfERTNoj8WtmQvDnN+ahOOU/1CB9U8odPg+UoEfgjdRiwahNNYgki76w==",
  "Plaintext": "2gy7bq/apUh36hT39xYkEy+gHVA2yM2Y9RHM=",
  "KeyId": "arn:aws:us-east-1:841869029733:key/5e6696c5-de46-4d56-bb50-a9b71e187cad"
}

The returned plaintext key is base64 encoded. Save it to a file after decoding. Similarly, decode and store the encrypted key. For instance:

echo '2gy7bp/qPhuH36NTR9xYKY+VHG+0VaM2Y9n/RHM=' | base64 -d > plaintext.key

echo 'AQIdAHIpIn5jWLoKhyTrOUNemva4jMiIwi9NRFBMjMDPJwNgBHF5dr7wRhp3zC32pFuHlxZxUz80Qo/fERTNoj8wtmQvDnN+a+oOUb/1C9bU8odPG+uOefgXlDrwsGiahNNYgki76w==' | base64 -d > encrypted-key

This diagram from the AWS KMS console displays your customer-managed keys, including the “demo” key:

The image shows the AWS Key Management Service (KMS) console, displaying a list of customer-managed keys with details such as aliases, key IDs, status, key type, and usage.

Encrypting Data

With your plaintext data key ready, use it to encrypt the “db-creds” file with OpenSSL. Execute the following command:

openssl enc -e -aes256 -pass file:plaintext.key -in db-creds -pbkdf2 > encrypted-data

In this command:

OpenSSL employs the AES-256 cipher.
The encryption key is read from the provided plaintext key file.
The -pbkdf2 flag ensures a secure key derivation and prevents warnings.

For enhanced security, remove the plaintext key file after encryption:

rm plaintext.key

Removing the plaintext key from disk prevents it from being compromised, ensuring the security of your encrypted data.

Decrypting Data

To decrypt the encrypted data file later, follow these steps:

Decrypt the Encrypted Key Using AWS KMS Run the command below to decrypt the stored encrypted key:

aws kms decrypt --ciphertext-blob fileb://encrypted-key

The output will resemble:

{
  "KeyId": "arn:aws:kms:us-east-1:841860927337:key/5e6696c5-de46-4d56-bb50-a9b71e187cad",
  "Plaintext": "2gyy7bp/qPhuH36N3T9xKY+VHG+0BVaM2Y9n/RHM=",
  "EncryptionAlgorithm": "SYMMETRIC_DEFAULT"
}

Store the Decrypted Plaintext Key Decode the returned plaintext key and save it:

echo '2gyy7bp/qPhuH36N3T9xKY+VHG+0BVaM2Y9n/RHM=' | base64 -d > plaintext.key

Decrypt the Data Using OpenSSL Now decrypt the file with this command:
```
openssl enc -d -aes256 -pass file:plaintext.key -in encrypted-data -out decrypted-data -pbkdf2
```
The -d flag indicates decryption. After executing this command, the file “decrypted-data” will match the original “db-creds” file.

Final Notes

Envelope encryption requires you to store both the encrypted data and the corresponding encrypted data key. When decryption is necessary, AWS KMS can be used to extract the plaintext key from the encrypted key. Then, OpenSSL uses this plaintext key to restore your original data. This method ensures the data key is never stored in plaintext for an extended period, enhancing your overall security.

By following this workflow, you effectively safeguard your sensitive data while leveraging the robust encryption capabilities offered by AWS KMS and OpenSSL.

That concludes our walkthrough on AWS KMS envelope encryption. Happy encrypting!

Additional Resources

Watch Video

KMS Basics Demo

KMS Encryption SDK Demo

Introduction

Networking Fundamentals

Identity and Access Management (IAM)

Elastic Compute Cloud(EC2)

Storage

Load Balancing & AutoScaling

Databases

CDNs & CloudFront

Elastic Beanstalk

Containers on AWS

Application Integrations

Serverless

API Gateway

Serverless Application Model (SAM)

Security

AWS Monitoring

Data & Analytics

AWS CI/CD & Developer Tools

Miscellaneous Services

Conclusion

AWS Fundamentals

KMS Envelope Encryption Demo

Generating a Data Key

Encrypting Data

Decrypting Data

Final Notes

Additional Resources

Watch Video

Introduction

Networking Fundamentals

Identity and Access Management (IAM)

Elastic Compute Cloud(EC2)

Storage

Load Balancing & AutoScaling

Databases

CDNs & CloudFront

Elastic Beanstalk

Containers on AWS

Application Integrations

Serverless

API Gateway

Serverless Application Model (SAM)

Security

AWS Monitoring

Data & Analytics

AWS CI/CD & Developer Tools

Miscellaneous Services

Conclusion

AWS Fundamentals

Documentation Index

​Generating a Data Key

​Encrypting Data

​Decrypting Data

​Final Notes

​Additional Resources

Watch Video

Generating a Data Key

Encrypting Data

Decrypting Data

Final Notes

Additional Resources