What is KMS

  • Managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
  • Seamlessly integrated with many AWS services to make encrypting data in those services as easy as checking a box
  • With KMS, it is simple to encrypt your data with encryption keys that you manage.


When do we use KMS?

Whenver you are dealing with sensitive information.

Sensitive data that you wnat to keep secrect.


What is a CMK?

CMK stands for "Customer Master Key"

  • Encrypt / decrypt data up to 4 KB;
  • Use for generate/encrypt/decrypt the data key
  • Data Key is used to encrypt / decrypt your data

Known as Envelope Encryption.


[AWS DA GURU] KMS and Encryption on AWS_AWS

[AWS DA GURU] KMS and Encryption on AWS_sed_02

[AWS DA GURU] KMS and Encryption on AWS_sed_03



You need to assign KMS to a user.

Encrypt a text file `secret.txt` output file called `encryptedsecret.txt`:

aws kms encrypt --key-id <YOUR_KMS_KEY_ID> --plaintext fileb://secret.txt --output text --query CiphertextBlob | base64 --decode > encryptedsecret.txt


Decrypt the encrypted file:

aws kms decrypt --ciphertext-blob fileb://encryptedsecret.txt --output text --query Plaintext | base64 --decode > decryptedsecret.txt


Re-encrypt an encrypt file:

aws kms re-encrypt --destination-key-id <YOUR_KMS_KEY_ID> --ciphertext-blob fileb://encryptedsecret.txt | base64 > newencryption.txt 


enable key rotation on yearly base

aws kms enable-key-rotation --key-id <YOUR_KMS_KEY_ID>


check key rotation enabled or not:

aws kms get-key-rotation-status --key-id <YOUR_KMS_KEY_ID>


If you need to encrypt larger than 4KB file, you need to use data key:

aws kms generate-data-key --key-id YOURKEYIDHERE --key-spec AES_256

For example, your lambda need to encrypt large data.


Document abou KMS API


[AWS DA GURU] KMS and Encryption on AWS_sed_04

[AWS DA GURU] KMS and Encryption on AWS_AWS_05


Envelope Encryption

KMS geneate CMK which use API to generate a DataKey;

The DataKey is also called Envelope Key

Use this Envelope key to encrypts large data (> 4KB).

[AWS DA GURU] KMS and Encryption on AWS_sed_06


Why use Envelope Encryption


When you can encrypt data directly KMS it musts be transferred over the network.


With envelope encryption, only the data key goes over the network, not your data.


The data key is used locally in your application or AWS service, avoding the need to transfer large amounts of data to KMS.


KMS create/control CMK (Customer master key)

You can view CMK, but CANNOT manage CMK

KMS use CMK to encrypt your data

Envelope encryption is used to protect your encryption key, used when data is large than 4kb.

When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. Reference: Envelope encryption.

[AWS DA GURU] KMS and Encryption on AWS_sed_07

[AWS DA GURU] KMS and Encryption on AWS_sed_08

[AWS DA GURU] KMS and Encryption on AWS_AWS_09