Saturday, May 14, 2022

AWS - KMS (Key Management Service)


  It is used for the encryption and decryption of data in the AWS environment



If the same key is used to encrypt or decrypt the data.


If a different key(public key) is used for encryption and a different key(private key) is used for decryption.

AWS Master keys

These are master keys that are managed by AWS for its service's encryption like SNS, EBS.

Customer master key(<4kb)

These master keys are created by a user for encryption and decryption.

Steps to Create Customer KMS

1. Create a user who owns the cmk(customer master key) ( Note down Access key and secret key)

2. Crate a user who uses this cmk

3. Create a KMS key using KMS service in AWS 

    Create Symmetric key

    Provide ownership to a user

    Provide user name who uses this key

4. Create an EC2 instance and configure user which will have the ownership/usage of KMS keys.

5. Connect to EC2 instance and configure Accesskey and Secret key.

6. Run following commands

  • echo "Hello AWS!!" > secret.txt
  • aws kms encrypt --key-id YOURKEYIDHERE --plaintext fileb://secret.txt --output text --query CiphertextBlob | base64 --decode > encryptedsecret.txt

  • aws kms decrypt --ciphertext-blob fileb://encryptedsecret.txt --output text --query Plaintext | base64 --decode > decryptedsecret.txt

  • aws kms re-encrypt --destination-key-id YOURKEYIDHERE --ciphertext-blob fileb://encryptedsecret.txt | base64 > newencryption.txt 

  • aws kms enable-key-rotation --key-id YOURKEYIDHERE

  • aws kms get-key-rotation-status --key-id YOURKEYIDHERE

  • aws kms generate-data-key --key-id YOURKEYIDHERE --key-spec AES_256


Post a Comment