zoukankan      html  css  js  c++  java
  • [AWS DA GURU] KMS and Encryption on AWS

    What is KMS

    • Managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
    • Seamlessly integrated with many AWS services to make encrypting data in those services as easy as checking a box
    • With KMS, it is simple to encrypt your data with encryption keys that you manage.

     

    When do we use KMS?

    Whenver you are dealing with sensitive information.

    Sensitive data that you wnat to keep secrect.

    What is a CMK?

    CMK stands for "Customer Master Key"

    • Encrypt / decrypt data up to 4 KB;
    • Use for generate/encrypt/decrypt the data key
    • Data Key is used to encrypt / decrypt your data

    Known as Envelope Encryption.


    You need to assign KMS to a user.

    Encrypt a text file `secret.txt` output file called `encryptedsecret.txt`:

    aws kms encrypt --key-id <YOUR_KMS_KEY_ID> --plaintext fileb://secret.txt --output text --query CiphertextBlob | base64 --decode > encryptedsecret.txt

    Decrypt the encrypted file:

    aws kms decrypt --ciphertext-blob fileb://encryptedsecret.txt --output text --query Plaintext | base64 --decode > decryptedsecret.txt

    Re-encrypt an encrypt file:

    aws kms re-encrypt --destination-key-id <YOUR_KMS_KEY_ID> --ciphertext-blob fileb://encryptedsecret.txt | base64 > newencryption.txt 

    enable key rotation on yearly base

    aws kms enable-key-rotation --key-id <YOUR_KMS_KEY_ID>

    check key rotation enabled or not:

    aws kms get-key-rotation-status --key-id <YOUR_KMS_KEY_ID>

    If you need to encrypt larger than 4KB file, you need to use data key:

    aws kms generate-data-key --key-id YOURKEYIDHERE --key-spec AES_256

    For example, your lambda need to encrypt large data.

    Document abou KMS API

    Envelope Encryption

    KMS geneate CMK which use API to generate a DataKey;

    The DataKey is also called Envelope Key

    Use this Envelope key to encrypts large data (> 4KB).

    Why use Envelope Encryption

    Network

    When you can encrypt data directly KMS it musts be transferred over the network.

    Performance

    With envelope encryption, only the data key goes over the network, not your data.

    Benefits

    The data key is used locally in your application or AWS service, avoding the need to transfer large amounts of data to KMS.

    KMS create/control CMK (Customer master key)

    You can view CMK, but CANNOT manage CMK

    KMS use CMK to encrypt your data

    Envelope encryption is used to protect your encryption key, used when data is large than 4kb.

    When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. Reference: Envelope encryption.

  • 相关阅读:
    C结构体中数据的内存对齐问题
    vs2010编译vtk5.8.0 release版本失败的解决方法
    C/C++堆、栈及静态数据区详解 (转载)
    总结一下最近一个月在深圳做的东西
    Stack overflow的问题
    完美的js验证网址url(正则表达式)
    ArrayList,Vector,LinkedList的存储性能和特性
    web程序优化
    巧用 Windows 键盘快捷键
    禁止右键
  • 原文地址:https://www.cnblogs.com/Answer1215/p/14685100.html
Copyright © 2011-2022 走看看