AWS KMS Symmetric Key — Encrypt & Decrypt Data Up to 4KB


What is KMS Service:

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the cryptographic keys used to protect your data. AWS KMS uses hardware security modules (HSMs) to protect and validate your KMS keys under the FIPS 140-2 Cryptographic Module Validation Program.

Use Case:

In this article we use an AWS KMS key to encrypt and decrypt data of 4096 bytes (4KB) or less. This size limit is imposed by AWS on direct KMS encryption.

Prerequisites:

  1. The AWS CLI should be installed on your personal or virtual machine.
  2. The base64 utility should be installed.
  3. IAM role or user credentials should be configured for the AWS CLI.
  4. An AWS KMS symmetric key should be created using the console, the CLI, or your own preferred way.
  5. Either the KMS key policy or the IAM role/user policy must allow the kms:Encrypt and kms:Decrypt permissions (shown further down in the article).

My Machine Setup:

I have already installed the AWS CLI and the base64 utility on my EC2 Linux machine, and the instance already has an IAM role attached (permissions shown below), so I do not need to explicitly follow step 3 of the prerequisites. Check below:

I have also created the KMS Symmetric key using AWS Console.

As I mentioned above, my IAM role (attached to the EC2 instance) can carry the permissions below. This is known as an identity-based policy because it is attached to my identity (the IAM role in this case).

"kms:Encrypt",
"kms:Decrypt"

Or, instead of attaching the above permissions to the IAM role/user, you can attach the statement below to the KMS key policy itself (known as a resource-based policy):

{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::1234567890:role/roleName"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

With this in place you can proceed to the actual implementation steps.

Implementation:

Once all the prerequisites are met, follow the steps below for encryption and decryption:

#1 Create a file with some data:

On your machine (in my case a Linux machine), create a text file or a file of your choice. I have named this file “data.txt”. Make sure that the file size is less than 4KB.

In my case the file is even smaller than 1KB.

#2 Encrypt the File:

Run the command below to encrypt the file (note the space before each trailing line-continuation character; without it the shell joins the file name and the next option into one word):

#Run Below From Linux Machine:
aws kms encrypt \
--key-id myKMSKeyId \
--plaintext fileb://data.txt \
--region region \
--output text \
--query CiphertextBlob | base64 \
--decode > encrypted-data.txt

##############################################
#Run Below From Windows Command Prompt (cmd uses ^ for line continuation):

aws kms encrypt ^
--key-id myKMSKeyId ^
--plaintext fileb://data.txt ^
--region region ^
--output text ^
--query CiphertextBlob > C:\Temp\encrypted-data.base64

certutil -decode C:\Temp\encrypted-data.base64 C:\Temp\encrypted-data

Below is the output after I executed the above command (on the Linux machine). As you can see, the encrypted-data.txt file is generated and contains the encrypted data!

--plaintext: Indicates the data to encrypt. The value must be base64-encoded unless you use the fileb:// prefix, which makes the CLI read the raw bytes of the file and send them as binary data.

--output and --query: By default the kms encrypt command returns a JSON object with several fields (among them the key id and the ciphertext). These two parameters extract only the base64-encoded ciphertext (CiphertextBlob) and nothing else.

base64: Uses the base64 utility to decode the extracted output into binary data.

> encrypted-data.txt: The final part of the command saves the binary ciphertext to a file so that decryption is easier.

#3 Decrypt the File:

#Run Below From Linux Machine:

aws kms decrypt \
--ciphertext-blob fileb://encrypted-data.txt \
--key-id myKMSKeyId \
--region region \
--output text \
--query Plaintext | base64 \
--decode > myplaintext.txt

##############################################

#Run Below From Windows Command Prompt:


aws kms decrypt ^
--ciphertext-blob fileb://encrypted-data.txt ^
--key-id myKMSKeyId ^
--region region ^
--output text ^
--query Plaintext > myplaintext.base64

certutil -decode myplaintext.base64 myplaintext

Below is the output after I executed the above command (on the Linux machine). As you can see, the myplaintext.txt file is generated and contains the decrypted data!

--ciphertext-blob: Uses the fileb:// prefix, which tells the CLI to read the ciphertext from a binary file.

All other parameters are the same as in the encryption step.

Can I perform all the above with a KMS asymmetric key as well?

Yes, you can do the same with an AWS KMS asymmetric key. You just need to provide one extra command line parameter, --encryption-algorithm, when running the encrypt and decrypt commands.

What if my file size is more than 4KB?

Let's see.

I will create a file of size 10KB.

What happens if I now run the encrypt command?

AWS rejects the request with a ValidationException.

So does this mean that KMS cannot handle data larger than 4KB? No. For larger data there is a technique known as “Envelope Encryption”: KMS generates a data key, the data key encrypts the file locally, and only the (small) data key is encrypted under the KMS key. If you want to read about envelope encryption in detail, see my article on it.
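The encrypt and decrypt steps above, plus the 4KB failure case, as an added example that is not code from the article: the two commands are wrapped in shell functions, and a local size check rejects an oversized file before any API call is made. It assumes the AWS CLI, base64 and configured credentials/region (prerequisites 1 to 3); the key id in the usage lines is a placeholder.

```bash
#!/usr/bin/env bash
# Added example, not the article's code: wraps the article's encrypt/decrypt
# commands in functions and enforces the 4096-byte limit of direct KMS encryption
# locally, so an oversized file is rejected before any API call instead of
# failing with a ValidationException from AWS. Assumes the AWS CLI, base64 and
# configured credentials/region; the key id used in the usage lines is a placeholder.
set -eu

KMS_MAX_PLAINTEXT=4096   # maximum plaintext size accepted by the KMS Encrypt API

# Succeeds only if the file exists and is no larger than KMS_MAX_PLAINTEXT bytes.
check_kms_size_limit() {
  local file="$1" size
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  size=$(wc -c < "$file" | tr -d '[:space:]')
  if [ "$size" -gt "$KMS_MAX_PLAINTEXT" ]; then
    echo "$file is $size bytes; KMS Encrypt accepts at most $KMS_MAX_PLAINTEXT (use envelope encryption)" >&2
    return 1
  fi
}

# Direct encryption with a symmetric KMS key: fileb:// sends the raw bytes,
# --query keeps only CiphertextBlob, and base64 --decode restores the binary ciphertext.
# The base64 text is captured first so that a failed aws call is not masked by the pipe.
kms_encrypt_file() {
  local key_id="$1" infile="$2" outfile="$3" b64
  check_kms_size_limit "$infile" || return 1
  b64=$(aws kms encrypt --key-id "$key_id" --plaintext "fileb://$infile" \
        --output text --query CiphertextBlob) || return 1
  printf '%s' "$b64" | base64 --decode > "$outfile"
}

# Decryption of the binary ciphertext. The key id is stored inside the ciphertext,
# but passing it explicitly makes KMS refuse a blob encrypted under a different key.
kms_decrypt_file() {
  local key_id="$1" infile="$2" outfile="$3" b64
  b64=$(aws kms decrypt --key-id "$key_id" --ciphertext-blob "fileb://$infile" \
        --output text --query Plaintext) || return 1
  printf '%s' "$b64" | base64 --decode > "$outfile"
}

# Usage (needs AWS access; replace the placeholder key id with your own):
# kms_encrypt_file alias/my-kms-key data.txt encrypted-data.txt
# kms_decrypt_file alias/my-kms-key encrypted-data.txt myplaintext.txt
```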


