What is KMS?
It stands for Key Management Service, the AWS service used for creating and managing encryption keys.
Terms
CMK: Customer Master Key, the key held inside KMS that protects your data keys
Data Key: an encryption key used to encrypt your data; data keys are generated by KMS under a CMK
The idea is that whenever you want to encrypt data, you create a data key. KMS does not store data keys; instead it returns an encrypted copy of the data key, which you keep yourself.
When encrypting data, you first obtain the plaintext data key by having KMS decrypt your encrypted data key, then use that data key to encrypt your plaintext.
When decrypting data, you first send the encrypted data key to KMS, which returns the plaintext data key, then use that data key to decrypt the data.
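The two flows above (encrypt side and decrypt side) in code, as an added example that is not from the original post. It uses the same two calls a real boto3 KMS client exposes for this, generate_data_key() and decrypt(); FakeKMS is a constructed stand-in with the same call shape so the file runs offline, and in production you would pass boto3.client("kms") instead. The local cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is an assumption chosen only to stay in the standard library; real code should do the local step with AES-GCM or the AWS Encryption SDK. Note also that the aws kms encrypt command used later on this page is a different path: it sends the plaintext to KMS and encrypts it under the CMK directly, which KMS limits to 4096 bytes, whereas the envelope pattern below encrypts any size locally and only ever sends the data key to KMS.

```python
"""Envelope encryption: KMS wraps/unwraps data keys, the payload is encrypted
locally. Added example (not the original post's code). FakeKMS is a constructed
stand-in for boto3.client("kms"); the stdlib stream cipher is an assumption made
to avoid third-party packages and is not what production code should use."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256: block i = PRF(key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(data_key: bytes):
    # Separate confidentiality and integrity keys derived from one data key.
    enc = hmac.new(data_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(data_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def local_encrypt(data_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(data_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def local_decrypt(data_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(data_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("authentication failed: ciphertext was modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKMS:
    """Constructed stand-in for boto3's KMS client: master keys never leave it,
    and it never stores data keys, it only wraps and unwraps them."""

    def __init__(self):
        self._masters = {}

    def create_key(self):
        key_id = "fake-" + os.urandom(8).hex()  # placeholder id, not a real KMS key id
        self._masters[key_id] = os.urandom(32)
        return {"KeyMetadata": {"KeyId": key_id}}

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        data_key = os.urandom(32)
        wrapped = KeyId.encode() + b"|" + local_encrypt(self._masters[KeyId], data_key)
        return {"Plaintext": data_key, "CiphertextBlob": wrapped, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, **kwargs):
        key_id, wrapped = CiphertextBlob.split(b"|", 1)
        key_id = key_id.decode()
        return {"Plaintext": local_decrypt(self._masters[key_id], wrapped), "KeyId": key_id}


def envelope_encrypt(kms, key_id: str, plaintext: bytes) -> dict:
    """Encrypt side: fresh data key from KMS, encrypt locally, keep only the
    encrypted data key next to the ciphertext. The plaintext key is dropped."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    ciphertext = local_encrypt(resp["Plaintext"], plaintext)
    return {"encrypted_data_key": resp["CiphertextBlob"], "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope: dict) -> bytes:
    """Decrypt side: KMS unwraps the data key, then the payload is decrypted locally."""
    data_key = kms.decrypt(CiphertextBlob=envelope["encrypted_data_key"])["Plaintext"]
    return local_decrypt(data_key, envelope["ciphertext"])


if __name__ == "__main__":
    kms = FakeKMS()
    key_id = kms.create_key()["KeyMetadata"]["KeyId"]
    env = envelope_encrypt(kms, key_id, b"hi and hello\n")  # constructed sample input
    print(envelope_decrypt(kms, env))
```

The part worth copying is the shape of the envelope: the stored record holds the encrypted data key and the ciphertext, never the plaintext key, and the only thing that crosses to KMS on the decrypt path is the small encrypted data key. Swap FakeKMS for boto3.client("kms") and the two envelope functions work unchanged against a real CMK, because the response keys ("Plaintext", "CiphertextBlob") match the real API.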
Encryption with aws cli
We can use the aws kms CLI for encryption, which abstracts all of this for us.
Assume you have a file at /tmp/hello.txt containing the text "hi and hello".
The first step is to make sure you have permission to run the aws CLI against your AWS account.
Create a customer master key
aws kms create-key
Keep note of the key-id by listing keys with the following
aws kms list-keys
In my case, the key-id is a3de0f5f-a08f-4599-a9f0-e1fac4629861
Encrypt
aws kms encrypt --key-id a3de0f5f-a08f-4599-a9f0-e1fac4629861 --plaintext fileb:///tmp/hello.txt --query CiphertextBlob --output text | base64 -d > /tmp/hello.txt.encrypt
This assumes that a base64 command-line tool is available on your PATH.
Decrypt
aws kms decrypt --key-id a3de0f5f-a08f-4599-a9f0-e1fac4629861 --ciphertext-blob fileb:///tmp/hello.txt.encrypt --query Plaintext --output text | base64 -d
You will get back "hi and hello".