What is KMS
- Managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
- Seamlessly integrated with many AWS services to make encrypting data in those services as easy as checking a box
- With KMS, it is simple to encrypt your data with encryption keys that you manage.
When do we use KMS?
Whenver you are dealing with sensitive information.
Sensitive data that you wnat to keep secrect.
What is a CMK?
CMK stands for "Customer Master Key"
- Encrypt / decrypt data up to 4 KB;
- Use for generate/encrypt/decrypt the data key
- Data Key is used to encrypt / decrypt your data
Known as Envelope Encryption.
You need to assign KMS to a user.
Encrypt a text file `secret.txt` output file called `encryptedsecret.txt`:
aws kms encrypt --key-id <YOUR_KMS_KEY_ID> --plaintext fileb://secret.txt --output text --query CiphertextBlob | base64 --decode > encryptedsecret.txt
Decrypt the encrypted file:
aws kms decrypt --ciphertext-blob fileb://encryptedsecret.txt --output text --query Plaintext | base64 --decode > decryptedsecret.txt
Re-encrypt an encrypt file:
aws kms re-encrypt --destination-key-id <YOUR_KMS_KEY_ID> --ciphertext-blob fileb://encryptedsecret.txt | base64 > newencryption.txt
enable key rotation on yearly base
aws kms enable-key-rotation --key-id <YOUR_KMS_KEY_ID>
check key rotation enabled or not:
aws kms get-key-rotation-status --key-id <YOUR_KMS_KEY_ID>
If you need to encrypt larger than 4KB file, you need to use data key:
aws kms generate-data-key --key-id YOURKEYIDHERE --key-spec AES_256
For example, your lambda need to encrypt large data.
Envelope Encryption
KMS geneate CMK which use API to generate a DataKey;
The DataKey is also called Envelope Key
Use this Envelope key to encrypts large data (> 4KB).
Why use Envelope Encryption
Network
When you can encrypt data directly KMS it musts be transferred over the network.
Performance
With envelope encryption, only the data key goes over the network, not your data.
Benefits
The data key is used locally in your application or AWS service, avoding the need to transfer large amounts of data to KMS.
KMS create/control CMK (Customer master key)
You can view CMK, but CANNOT manage CMK
KMS use CMK to encrypt your data
Envelope encryption is used to protect your encryption key, used when data is large than 4kb.
When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. Reference: Envelope encryption.
