How to use AWS KMS to encrypt data outside of AWS

Key Takeaways

  • AWS KMS encrypts data within AWS and externally, supporting hybrid and on-premises setups with customer-managed keys (CMKs).

  • KMS offers fine-grained control over encryption keys, including key rotation, access policies, and auditing with AWS CloudTrail.

  • Use CMKs to generate data keys for encrypting large data, with best practices for managing and deleting plaintext keys.

  • The aws kms create-key command generates customer-managed keys, and the KeyId should be saved.

  • To decrypt, the encrypted data key is retrieved using the aws kms decrypt command.

AWS Key Management Service (KMS) is a cryptography service that can be used to encrypt data. AWS KMS integrates with several AWS services to help encrypt your data seamlessly. However, its usage isn’t restricted to the cloud. We can also leverage AWS KMS to encrypt and decrypt data outside of AWS, providing robust protection across on-premises and hybrid environments.

AWS KMS encryption keys

AWS KMS supports different types of encryption keys, including customer master keys (CMKs)https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html, symmetric keys, and asymmetric keys. Symmetric keys are typically used for encrypting and decrypting data with the same key, while asymmetric keys use separate public and private keys for encryption and decryption. AWS KMS also offers key management functionality, allowing you to control permissions and auditing of key usage.

Why encrypt data outside of AWS?

Encrypting data outside of AWS is necessary in various scenarios, such as in hybrid environments or when sensitive data is shared across different systems. AWS KMS can be used to encrypt data outside AWS to extend security capabilities across different infrastructures, including on-premises servers or non-AWS cloud services. This is known as off-cloud encryption, ensuring that data remains secure even if it's stored or transmitted outside AWS.

To use the encryption service, we have to start by generating a customer-managed key. One thing to remember is that KMS is not an encryption service. It is a key management service that can be used to securely and easily manage the keys used for encryption.

How does KMS work?

Here’s a brief demonstration of how KMS is used:

Step 1: Generate a KMS key

A KMS key is a core component of KMS and, as the name suggests, it is the main key used to generate or encrypt/decrypt other keys. There are two types of KMS keys:

  • AWS-managed

  • Customer-managed

In this Answer, we’ll use a customer-managed key to encrypt our data because an AWS-managed key can only be used with other AWS services.

To generate a customer-managed key, we use the aws kms create-key command. Execute this command in the terminal given below:

aws kms create-key --policy='{"Version": "2012-10-17","Id": "key-consolepolicy","Statement": [{"Sid": "Enable IAM User Permissions","Effect": "Allow","Principal": {"AWS": "*"},"Action": "kms:*","Resource": "*"}]}'

We use the policy argument in this command. Using this argument, we specify the entities that should be able to access the generated key.

A customer-managed key will be created, and you’ll get the metadata of that key as output. Copy and save the ID of the key returned as the KeyId because it will be used later.

Step 2: Generate a data key

A customer-managed key cannot be exported outside of AWS. As mentioned earlier, one of the roles of a KMS key is to encrypt/decrypt other keys, so we’ll use our CMK to generate the required data key. Data keys are used to encrypt/decrypt large amounts of data outside of AWS. These can be generated using the customer-managed key. To do that, we can use the aws kms generate-data-key command. Replace the <key_id> with the KeyId we generated previously in the following command, and execute it to generate a data key using our customer-managed key:

aws kms generate-data-key --key-id <key_id> --key-spec AES_256

We’ll get the required data key as the Plaintext, its encrypted version as the CiphertextBlob, and its ID as the KeyId in the output. Copy and save the data key and its encrypted version because they will be used later.

Step 3: Encrypt data

Now, let’s use the data key to encrypt data. We’ll start by saving the data key we got in the output of the previous command in a file using the following command. Replace the <Datakey> with the Plaintext key we generated previously, and execute this command to save the key in data_key.bin:

echo "<Datakey>" | base64 -d > data_key.bin

Now, use the save data key to encrypt hello educative using the ccrypt module. Your data key will be used as the encryption key, and no one without the data key will be able to decrypt this data. Execute the following command to encrypt hello world:

echo -n "hello educative" | ccrypt -e -k data_key.bin -f

We’ll get the encrypted data in response. Now, the best practice is to delete the plain text data key. This further secures our data as even if our system is compromised, the hacker won’t be able to decrypt the encrypted data because the only version of the encryption key available is the encrypted one. When we want to decrypt the encrypted data, we’ll first use AWS KMS to decrypt our data key and then use that plain text data key to decrypt our data. To decrypt the encrypted data key, we can use the aws kms decrypt command. Replace the <Encryptedkey> in the command below with the encrypted data key, CiphertextBlob, we got while creating the data key, <key_id>, using the ID of the customer-managed key we got as an output of the first command. Then, execute the command to see the result.

aws kms decrypt --ciphertext-blob "<Encryptedkey>" --key-id "<key_id>"

We’ll get a data key in response. This will be the same as our original data key, so we can use it to decrypt the encrypted data.

Similarly, if we want to transmit this data somewhere, we’ll send the encrypted key with the data and not the plain text key. The receiver will then first decrypt that key using the customer-managed key that was used to create this key and then decrypt the data using the decrypted key.

Similarly, we can encrypt files with slight modifications in this command. Let’s see how we can do that.

First, create a text file using the command given below:

echo "hello educative" > data_file.txt

Now that you have the file you want to encrypt use the following command to encrypt this file:

ccrypt -e -k data_key.bin data_file.txt

After you’ve successfully encrypted your file, the .cpt extension will be prepended to your file name, indicating that your file is now encrypted.

Practice

Run the commands given above using this widget. Enter your AWS access_key_id and secret_access_key in the widget below before running any commands. If you don’t have these keys, follow the steps in the official documentation to generate the keys.

Note: The IAM user whose credentials are being used must have the permissions to perform all the required actions.

Terminal 1
Terminal
Loading...

AWS KMS key rotation

AWS KMS supports automatic key rotation, which can be configured to rotate encryption keys. Rotating keys reduces the risk of exposure, and AWS KMS ensures that old encrypted data can still be decrypted with the new key version.

Security best practices for using AWS KMS outside AWS

Following are some of the best practices for using AWS KMS

  • Limit key access: Restrict who can use encryption keys with IAM policies.

  • Use key rotation: Regularly rotate encryption keys to reduce the risk of data compromise.

  • Audit key usage: Use AWS CloudTrail to track the use of encryption keys.

  • Encrypt keys at rest: Always store the data encryption keys in their encrypted form.

AWS KMS pricing

AWS KMS charges a monthly fee per active or rotated key, and there are additional charges per KMS API request (Encrypt, Decrypt, GenerateDataKey, etc.).

Frequently asked questions

Haven’t found what you were looking for? Contact Us

AWS KMS vs. Secrets Manager

While both AWS KMS and AWS Secrets Manager manage sensitive information, they serve different purposes. AWS KMS is designed for key management and encryption, while Secrets Manager focuses on securely storing and retrieving sensitive information like passwords or API keys. KMS encrypts and manages keys, but Secrets Manager automates the rotation of secrets and integrates directly with AWS services.

Can you encrypt data stored in any service that is supported by AWS KMS including?

To enable data encryption within your own applications wherever they run, AWS KMS is supported in AWS SDKs, AWS Encryption SDK, the Amazon DynamoDB Client-side Encryption, and the Amazon Simple Storage Service (S3) Encryption Client.

What are the disadvantages of AWS KMS?

AWS KMS can become costly with per-API call charges and key management costs. It is region-specific, may introduce latency in high-traffic applications, and lacks flexibility in algorithm support and external usage.

Free Resources

Copyright ©2024 Educative, Inc. All rights reserved

Learn in-demand tech skills in half the time

PRODUCTS

Mock Interview

New

Courses

Skill Paths

Projects

Assessments

TRENDING TOPICS

Learn to Code

Tech Interview Prep

Generative AI

Data Science

Machine Learning

GitHub Students Scholarship

Early Access Courses

Blind 75

Layoffs

Pricing

For Individuals

Try for Free

Gift a Subscription

CONTRIBUTE

Become an Author

Become an Affiliate

Earn Referral Credits

RESOURCES

Blog

Cheatsheets

Webinars

Answers

ABOUT US

Our Team

Careers

Hiring

Frequently Asked Questions

Contact Us

Press

LEGAL

Privacy Policy

Cookie Policy

Terms of Service

Business Terms of Service

Data Processing Agreement

INTERVIEW PREP COURSES

Grokking the Modern System Design Interview

Grokking the Product Architecture Design Interview

Grokking the Coding Interview Patterns

Machine Learning System Design

Tiktok Streamline Icon: https://streamlinehq.com

Copyright ©2024 Educative, Inc. All rights reserved.

soc2