What is KMS?

It stands for Key Management Service. It is used for managing encryption keys.


CMK: Customer Master Keys
Data Keys: encryption keys that can be used for encrypting data, and it can be generated using CMK

The concept is that whenever you want to encrypt the data, you create a Data Key. KMS will not store any data key. There will encryption of data key which you can store it.

When encrypting the data, you will need to first get the Data Key by decrypting the your encrypted data key. Then use it for encryption your plaintext data.

When decrypting the the data, first decrypt the encrypted data key from KMS which you will get the data key. Then you use that data key to decrypt the data.

alt text

Encryption with aws cli

We can use the aws kms cli for encryption which do all this abstraction for us.

Assuming that you have a file at /tmp/hello.txt which contain hi and hello.

The first step you need to do is to make sure that you have permissin to execute aws cli to your aws account.

Create a customer master key

aws kms create-key

Keep note of the key-id by listing keys with the following

aws kms list-keys

In my case, the key-id is a3de0f5f-a08f-4599-a9f0-e1fac4629861


aws kms encrypt --key-id a3de0f5f-a08f-4599-a9f0-e1fac4629861 --plaintext fileb:////tmp/hello.txt --query CiphertextBlob --output text | base64 -d > /tmp/hello.txt.encrypt

This assume that you have base64 commandline available within your PATH environment.


aws kms decrypt --key-id a3de0f5f-a08f-4599-a9f0-e1fac4629861 --ciphertext-blob fileb:///tmp/hello.txt.encrypt --query Plaintext --output text | base64 -d

You will get back hi and hello