Use Case:

In this article, we are going to implement the steps to encrypt and decrypt large data (more than 4096 bytes (4KB)) using an AWS KMS key, which in turn uses envelope encryption (read my article here).

For encrypting data less than 4KB (Passwords, small files) follow this article.

Prerequisites:

  1. AWS CLI should be installed on your personal OR virtual machine.
  2. The base64 utility should be installed.
  3. IAM role OR user credentials should be configured using the AWS CLI.
  4. An AWS KMS symmetric key should be created using the console OR CLI OR your own preferred way.
  5. Either the KMS key policy OR the IAM role/user policy should allow the kms:GenerateDataKey, kms:Encrypt and kms:Decrypt permissions (shown further in the article).
  6. A data file with size greater than 4KB.

My Machine Setup:

I have already installed the AWS CLI and the base64 utility on my EC2 Linux machine, and my EC2 instance already has an IAM role attached (permissions shown below), so I do not need to explicitly follow step 3 of the prerequisites.

I have also created the KMS symmetric key using the AWS Console.

As mentioned above, my IAM role (attached to the EC2 instance) can have the permissions below. This is known as an identity-based policy because it is attached to my identity (the IAM role in this case).

"kms:GenerateDataKey",
"kms:Encrypt",
"kms:Decrypt"

Or, instead of attaching the above policy to the IAM role/user, you can attach the policy statement below to the KMS key itself (known as a resource-based policy):

{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::1234567890:role/IAMroleName"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

Doing all this is enough for you to proceed with the actual implementation steps.

Implementation (Encryption):

Once all the prerequisites are met, follow the steps below to encrypt large data:

#1. Generate Data Key Using KMS

Let's generate a data key using the KMS key we created earlier. The call returns the data key in plaintext (Plaintext) and the same data key encrypted under the KMS key (CiphertextBlob).

Read more about what a data key is here.

aws kms generate-data-key --key-id <kms_key_id> --key-spec AES_256 --region <region>

#2. Decode Base64 encoded Data Key

Both the plaintext data key (Plaintext) and the encrypted data key (CiphertextBlob) returned above are Base64 encoded. Let's decode just the Plaintext:

echo '<Plaintext_Output_Above>' | base64 --decode > ./plain_data_key.txt

#3. Encrypt Data/file using Plaintext Data Key

Let's encrypt the actual data using the decoded plaintext data key. I have a file with size 8.6KB available on my EC2 instance. The decoded key is raw binary, so it is passed to openssl as a hex-encoded key (-K) together with a random IV, rather than as a passphrase (-k would treat the file name itself as the password and never use the data key).

openssl rand -hex 16 > iv.hex   # the IV is not secret, but keep iv.hex next to encrypted_data.txt: it is needed for decryption
openssl enc -e -aes-256-cbc -K "$(od -An -v -tx1 plain_data_key.txt | tr -d ' \n')" -iv "$(cat iv.hex)" -in data.txt -out encrypted_data.txt

I get the encrypted_data.txt file as output, containing the encrypted binary data.

#4. Wrapping up steps for encryption

  1. The encryption is now complete. Remove your plaintext data key so that it cannot be misused by anyone.
  2. Store your encrypted data key (CiphertextBlob, returned in step #1) in a safe place (Secrets Manager etc.) so that it can be used for decryption in the future.

Implementation (Decryption):

Let's follow the steps below to decrypt the encrypted data:

#1. Decode “CiphertextBlob”

echo '<CiphertextBlob>' | base64 --decode > ./encrypted_data_key.txt

#2. Decrypt Encrypted Data Key

Now we have to decrypt the data key using the parent KMS key under which it was generated (the KMS symmetric key in my case).

aws kms decrypt --key-id <kms_key_id> --ciphertext-blob fileb:///root/kms/encrypted_data_key.txt --region <region>

#3. Decode Base64 encoded Plaintext Data Key

As we did for encryption, we have to decode the Plaintext key:

echo '<Plaintext_Output_Above>' | base64 --decode > ./decrypted_plain_data_key.txt

#4. Decrypt actual data

Now it is time to decrypt the actual data using decrypted_plain_data_key.txt. The same key and the IV saved during encryption are needed:

openssl enc -d -aes-256-cbc -K "$(od -An -v -tx1 decrypted_plain_data_key.txt | tr -d ' \n')" -iv "$(cat iv.hex)" -in encrypted_data.txt

And I get the original data back.

That is it! Now you can remove the plaintext data key again.
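The whole envelope procedure (encryption steps #1 to #4 and decryption steps #1 to #4 above) as a set of shell functions. This is an added example and not code from the original article: the function names, the `.iv` sidecar file convention and the awk-generated sample data are my own. The `kms_*` wrappers run the same `aws kms` commands as the article and need real credentials and a default region; the round-trip demo at the bottom runs offline, with a locally generated key standing in for the KMS Plaintext value and a file copy standing in for `aws kms decrypt`.

```shell
#!/bin/sh
# Added example (not the article's code): envelope encryption with a KMS data
# key. The data key is fed to openssl as a raw AES-256 key (-K) with a random
# IV, not as a passphrase, and the plaintext key is discarded after use.
set -eu

# Hex-encode a raw binary key file, the form `openssl enc -K` expects.
hex_of_file() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Encryption steps #1 and #2 (online): a single generate-data-key call returns
# both the Plaintext key and the CiphertextBlob, so they are guaranteed to match.
# $1 KMS key id, $2 decoded plaintext key out, $3 base64 CiphertextBlob out.
kms_generate_data_key() {
    aws kms generate-data-key --key-id "$1" --key-spec AES_256 \
        --query '[Plaintext,CiphertextBlob]' --output text |
    while read -r plain_b64 blob_b64; do
        printf '%s' "$plain_b64" | base64 --decode > "$2"
        printf '%s\n' "$blob_b64" > "$3"
    done
}

# Decryption steps #1 to #3 (online): decode the stored CiphertextBlob, have
# KMS unwrap it, decode the returned Plaintext. $1 blob file, $2 key out.
kms_decrypt_data_key() {
    tmp=$(mktemp)
    base64 --decode "$1" > "$tmp"
    aws kms decrypt --ciphertext-blob "fileb://$tmp" \
        --query Plaintext --output text | base64 --decode > "$2"
    rm -f "$tmp"
}

# Encryption step #3: AES-256-CBC with the raw data key and a fresh random IV.
# The IV is not secret but must be stored next to the ciphertext ($3.iv).
# $1 plaintext key file, $2 input file, $3 ciphertext out.
encrypt_with_data_key() {
    openssl rand -hex 16 > "$3.iv"
    openssl enc -e -aes-256-cbc -K "$(hex_of_file "$1")" -iv "$(cat "$3.iv")" \
        -in "$2" -out "$3"
}

# Decryption step #4: same key and IV, reversed. $1 key, $2 ciphertext, $3 out.
decrypt_with_data_key() {
    openssl enc -d -aes-256-cbc -K "$(hex_of_file "$1")" -iv "$(cat "$2.iv")" \
        -in "$2" -out "$3"
}

# Wrap-up step: get rid of the plaintext key once it is no longer needed.
discard_plain_key() {
    if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

# Offline round trip. A locally generated base64 key (constructed) stands in
# for the KMS Plaintext value and a file copy stands in for `aws kms decrypt`;
# the data file is larger than 4KB, as in the article. Returns 0 when the data
# comes back intact, the ciphertext differs from the input and the plaintext
# key has been removed.
roundtrip_demo() {
    dir=$(mktemp -d)
    awk 'BEGIN { for (i = 0; i < 400; i++) print "constructed sample record", i }' \
        > "$dir/data.txt"
    openssl rand -base64 32 > "$dir/plaintext.b64"                       # step #1 stand-in
    base64 --decode "$dir/plaintext.b64" > "$dir/plain_data_key.txt"     # step #2
    cp "$dir/plain_data_key.txt" "$dir/decrypted_plain_data_key.txt"     # kms decrypt stand-in
    encrypt_with_data_key "$dir/plain_data_key.txt" "$dir/data.txt" "$dir/encrypted_data.txt"
    discard_plain_key "$dir/plain_data_key.txt"
    decrypt_with_data_key "$dir/decrypted_plain_data_key.txt" "$dir/encrypted_data.txt" "$dir/data.out"
    status=0
    cmp -s "$dir/data.txt" "$dir/data.out" || status=1
    cmp -s "$dir/data.txt" "$dir/encrypted_data.txt" && status=1
    [ ! -e "$dir/plain_data_key.txt" ] || status=1
    rm -rf "$dir"
    return "$status"
}
```

With real AWS access the online flow is `kms_generate_data_key <kms_key_id> plain_data_key.txt blob.b64`, then `encrypt_with_data_key`, `discard_plain_key`, and later `kms_decrypt_data_key blob.b64 decrypted_plain_data_key.txt` followed by `decrypt_with_data_key`. Keeping the key, the ciphertext and the `.iv` file as three separate artifacts makes it explicit which of them is secret: only the plaintext key, which exists on disk just long enough to run one openssl command.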

If you liked this article, please show your appreciation by clapping 👏 below! Happy Learning!
