If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees. I have created this article in a question-and-answer format to save readers time. I started with What KMS is, and the different types of keys, and covered the depth of Envelope Encryption and its implementation What is KMS? AWS KMS is a managed service that allows the , , and of the ENCRYPTION keys and it uses the HSMs to protect the security of the keys. creation management control It’s a multi-tenant hardware It doesn’t have any upfront cost and a pay-as-you-go model. It supports and keys Symmetric Asymmetric By default, AWS KMS creates the key material for a KMS key. You cannot extract, export, view, or manage this key material. Also, you cannot delete this key material; you must . delete the KMS key AWS KMS also supports , which let you encrypt data in one AWS Region and decrypt it in a different AWS Region. multi-region keys AWS KMS Keys AWS KMS keys are the primary resource in AWS KMS. You can use a KMS key to encrypt, decrypt, and re-encrypt data. It can also generate data keys that you can use outside of AWS KM An is a logical representation of an encryption key. AWS KMS key In addition to the key material used to encrypt and decrypt data, a KMS key includes metadata, such as the key ID, creation date, description, and key state. You create KMS keys in AWS KMS. . Symmetric KMS keys and the private keys of asymmetric KMS keys never leave AWS KMS unencrypted By default, AWS KMS creates the key material for a KMS key. You cannot extract, export, view, or manage this key material. Also, you cannot delete this key material; you must . delete the KMS key However, you can into a KMS key or create the key material for a KMS key in the AWS CloudHSM cluster associated with an . import your key material AWS KMS custom key store AWS KMS also supports , which let you encrypt data in one AWS Region and decrypt it in a different AWS Region. multi-region keys What are the steps to create CMK in KMS? Here, we go ahead and create Keys. Alias helps us reference the keys if we have multiple KMS Keys Create KMS Key: We define Key Administrators with full permission on the key. Create Key Administrator: We define Key Usage Permission as who will have access to use this key for Encryption and Decryption. Create Key Usage Permission: AWS will generate the Key policy. Accordingly, you just verify and click “Finish “ Verify the Key policy: How can you Encrypt data using CMK from KMS? Step 1: Plain text to Base64 Encrypted CipherText Step 2: Base64 Encoded file to Binary Encoded File The plaintext secret is provided as an option to the KMS Encrypt command via: ‘ — plaintext file://secrets.json’ KMS Encrypt encrypts the plaintext AWS KMS Encodes the result to Base64. The Base64 encoded ciphertext is returned in JSON format. Ordinarily, the standard AWS encrypt command will just return the results in JSON to the terminal, and the process would stop here. The Base64 encoded ciphertext contained in the CiphertextBlob of the JSON results is decoded to binary. The binary results are saved to a file How can you Decrypt using KMS? Step 1: Decrypt the Cipher Text and Encoded into Base 64 Step 2: Finally, base64 is decoded into plaintext The following diagram shows the steps: Encryption Context All AWS KMS cryptographic operations with accept an encryption context, an optional set of key-value pairs that can contain additional contextual information about the data. symmetric CMKs AWS KMS uses the encryption context as additional authenticated data (AAD) to support authenticated encryption. You specify an encryption context in a cryptographic operation with an . The standard asymmetric encryption algorithms that AWS KMS uses do not support an encryption context. cannot asymmetric CMK When you include an encryption context in an encryption request, it is cryptographically bound to the ciphertext such that the same encryption context is required to decrypt (or decrypt and re-encrypt) the data. If the encryption context provided in the decryption request is not an exact, case-sensitive match, the decrypted request fails. Only the order of the key-value pairs in the encryption context can vary. The encryption context is not secret. It appears in plaintext in AWS CloudTrail Logs so you can use it to identify and categorize your cryptographic operations. KMS Limitation We can encrypt a maximum of of data with CMK. Since data travels over the network, there can be latency issues. 4 KB Steps to use your KEY MATERIAL in KMS A customer master key (CMK) contains the key material used to encrypt and decrypt data. When we create a CMK, by default, AWS creates key material for that CMK. However, we do have the option to create a CMK without key material and then import our key material into the CMK. The following are the main steps to use your key material to create CMK: a. Create a “ with key material — To get started with importing key material, first create a symmetric CMK whose origin is . symmetric CMK” NO EXTERNAL NOTE: You use A CAN NOT symmetric CMK to use your key material This indicates that the key material was generated outside of AWS KMS and prevents AWS KMS from generating key material for the CMK. In a later step, you will import your key material into this CMK. b. Download the — After completing step a, download a wrapping key and an import token. These items protect the import of your key material to AWS KMS. wrapping key and import token c. Encrypt the wrapping key material — Use the that you downloaded in step to encrypt the key material that you created on your system. wrapping key b If you use OPEN SSL, the following commands will be used to create key material: OpenSSL rand -out PlantextKeyMaterial.bin 32 OpenSSL rsautl -encrypt -in PlantextKeyMaterial.bin -oaep -inkey -keyform DER -pubin -out EncryptedMaterial.bin wrappingKey_65803750–222b-413a-ac0d-3bab20a77630_04202211 d. Import the key material — Upload the that you created in step and the that you downloaded in step c. Encrypted key material c import token What happened if you accidentally deleted the imported key material in CMK? When you import key material, you have the option of specifying a time at which the key material expires. When the key material expires, AWS KMS deletes the key material, and the customer master key (CMK) becomes unusable. You can also delete key material on demand. Whether you wait for the key material to expire or you delete it manually, the effect is the same. AWS KMS deletes the key material, the CMK’s key state changes to the pending import, and the CMK is unusable. To use the CMK again, you must reimport the same key material. You can download the and import the original key material into the existing CMK. new wrapping key and import the token NOTE: You use the Wrapping key and import token. It needs to be a . CAN NOT Original NEW wrapping key and import token Why do you need to import your Key material? Prove that randomness meets your requirements (Company Compliance) To be able to delete key material without a 7–30 days wait. Then be able to import them again To be resilient to AWS failure by storing keys outside of AWS Deleting CMK Deleting CMK in AWS KMS would delete the key material and all the associated metadata associated with the CMK. This process is irreversible. After CMK is deleted, we can no longer decrypt the data that was encrypted by that CMK. Before it is an irreversible process, AWS KMS enforces a waiting period. The waiting period can be from a minimum of . The default is . 7 days to up to a maximum of 30 days 30 During the waiting period, CMK cannot be used in any cryptographic operation. Types of KMS Keys Customer Master Keys (CMK) AWS Managed Customer Master Keys (CMK) in KMS (here the key material is ) Customer Managed generated by AWS Customer Generate Keys in KMS with External Key Material AWS Owned CMK — NOTE this is not as same as AWS-managed Keys KMS Key Rotation The following chart summarizes the key differences and similarities between AWS-managed CMKs and customer-managed CMKs. Automatic Key Rotation is not supported in the following types: Asymmetric CMKs CMKs in custom key stores CMKs that have imported key material CMK AWS Owned KMS Access Control In KMS, by default, all the CMKs have a key policy attached to them. We can control access to KMS CMK using the following three ways: i) Using Key Policies ii) Using IAM Policy in combination with key policies iii) Using KMS Grants What is KMS Grant? Grant is like a secret token. It provides (encrypt, decrypt, re-encrypt, describe key) temporary and granular permission A Grant programmatically delegates the use of your CMK to the user in your account or another account Using Grants, you can the access and you CAN PERFORM EXPLICIT ONLY ALLOW NOT DENY Create-grant — adds a grant and defines the operations the grantees can perform User Key policies for relatively static permissions, or explicit deny KMS ViaService Using to — eg. S3, RDS, EBS, Lambda, SQS, SSM, etc. kms:ViaService allow or deny access to your CMK according to which service originates the request KMS Cross-Account Access 2 policies need to be updated. KMS Key Policy IAM Policy Step 1: Enable access in the Key Policy for the account which owns the CMK Step 2: Enable access to KMS in the IAM Policy for the external account Let’s look at an example: Step 1: Change the key policy for the CMK in account 44445555666 Step 2: Add an IAM policy for the users or roles in account 111122223333 KMS Custom Key Store and Default Key Store : AWS-managed KMS keys that are created on your behalf by other AWS services to encrypt your data are always generated and stored in the AWS KMS default key store. KMS default key store Only can be stored and managed in an AWS KMS custom key store. KMS custom key store: customer-managed KMS keys Required Key Policy for public key Encryption and Decryption Remember the actions. Okay, time for Envelope Encryption When you want to encrypt any data that is higher than 4 KB. then we need to use Envelope Encryption. Envelope Encryption is the practice of encrypting plaintext data with a data key and encrypting the data key under another key. It is a process where you encrypt plaintext data with a DATA KEY and then encrypt the DATA KEY with a top-level plaintext MASTER KEY. Steps to create Envelope Encryption Step 1: The user will create a Customer Master Key in KMS. Step 2: Generate a using the CMK. (GenerateDataKey API Call) Data Key Step 3: GenerateDataKey return the following two keys: and Plaintext Data Key Encrypted Data Key Step 4: The user will use the to Encrypt the Actual data using KMS and after Encryption make sure to delete the Plaintext Data Key Plaintext Data Key Step 5: Now, we have Encrypted Data and if we want to decrypt the data, we need to send the to KMS and it will return the Encrypted Data Key Plaintext Data Key Step 6: Using the , and Decrypted data we can decrypt the data in KMS. Plaintext Data Key Important points to remember will generate the following two keys: and GenerateDataKey Plaintext Data Key Encrypted Data Key Plain text will be encrypted using the Plaintext Data Key After deleting the , we can get it by using the . We need to send it to KMS to Decrypt it. Plaintext Data Key Encrypted Data Key Encrypted Data will be decrypted using the Plaintext Data Key NOTE: Consider a scenario you are asked that the API must return the encrypted copy of the data key which will be used later for encryption. Then you will have to choose This will return only the only **GenerateDataKeyWithoutPlaintext** Encrypted Data Key Data Key Caching AWS has recently introduced a feature called “Data Key Caching” in its AWS Encryption SDK. Data key caching lets us reuse the data keys that protect our data, instead of generating new data keys for each of the encryption operations. This comes with security tradeoffs, as the encryption best practices discourage extensive re-use of the data keys. In AWS Encryption SDK, by default, there is a operation that is performed. new data key generated for each encryption Important Pointers for Data Key Caching Data key caching saves the plaintext and ciphertext of the data keys you use in a configurable cache. When you need a key to encrypt or decrypt data, you can reuse a data key from the cache instead of creating a new data key. It is preferred to use data-key caching when there is high frequency needed, the latency involved, and slow master key operations. KMS Migration KMS Keys are . region-specific (NOT ANYMORE) We cannot call a KMS CMK from one region for services in different regions. If you copy an encrypted snapshot within the same AWS Region, you can encrypt the copy with the same KMS encryption key as the original snapshot, or you can specify a different KMS encryption key. For cross-region, we use the same KMS key as a snapshot. Instead, we must specify a different KMS CMK that belongs to the destination region. cannot If you have been using envelope encryption and have encrypted data with data keys, then you will have to decrypt all those data before migrating to a different region We CAN NOT use KMS to generate a public key/ private key to log in to EC2. We CAN NOT use EC2 key pair to encrypt EBS volumes, we must use KMS or 3rd party application/tools KMS through a VPC endpoint You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network. AWS KMS supports (Amazon VPC) that are powered by Amazon Virtual Private Cloud interface endpoints AWS PrivateLink

Amazon

Read My Stories

Too Long; Didn't Read

Make resilience your competitive advantage

A Deep Dive Into AWS Key Management Service (KMS)

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

101 Stories To Learn About Cloud Infrastructure

10 Things in Engineering We Don't Spend Enough Time On

10 Things I Did To Increase CloudTrail Logs Security

10 reasons to give cloud computing a go

10 Lessons from 10 Years of AWS (part 2)

101 Stories To Learn About Cloud Infrastructure

10 Things in Engineering We Don't Spend Enough Time On

10 Things I Did To Increase CloudTrail Logs Security

10 reasons to give cloud computing a go

10 Lessons from 10 Years of AWS (part 2)

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps