AWS Key Management Service (AWS KMS) lets you create, manage, and control cryptographic keys across your applications and AWS services.
The service is integrated with other AWS services, making it easier to encrypt the data you store in those services and to control access to the keys that decrypt it.
Creating a KMS key: KMS > Customer managed keys > Create key
- Install the aws-encryption-cli (the AWS Encryption SDK CLI) to encrypt and decrypt files from the command line.
sudo apt install python3-pip
sudo pip install aws-encryption-sdk-cli
aws-encryption-cli --version
- AWS CLI commands to encrypt the file
kannan@kannan-PC:~$ aws kms encrypt \
--key-id alias/kannan1 \
--plaintext fileb://kms.txt \
--output text \
--query CiphertextBlob | base64 \
--decode > kms_encrypt.txt
kannan@kannan-PC:~$ cat kms_encrypt.txt
(unprintable binary: the decoded CiphertextBlob is raw ciphertext)
- AWS CLI commands to decrypt the file
kannan@kannan-PC:~$ aws kms decrypt \
--ciphertext-blob fileb://kms_encrypt.txt \
--key-id alias/kannan1 \
--output text \
--query Plaintext | base64 \
--decode > kms_decrypt.txt
kannan@kannan-PC:~$ cat kms_decrypt.txt
Test line for kms key
- Create directories to store the encrypted and decrypted files.
mkdir encrypt
mkdir decrypt
- Create a variable to store the ARN that was generated for the KMS key.
kannankey=arn:aws:kms:ap-south-1:155364343822:key/ef88420b-bbc5-4807-b1f3-c82eb5191c7f
kannan@kannan-PC:~$ cd encrypt/
kannan@kannan-PC:~/encrypt$ ls
example.txt.encrypted kms.txt.encrypted
kannan@kannan-PC:~/encrypt$ cat kms.txt.encrypted
(mostly unprintable binary, but the Encryption SDK message header carries readable fields: the encryption-context key aws-crypto-public-key with its base64 value, the key provider ID aws-kms, and the KMS key ARN arn:aws:kms:ap-south-1:155364343822:key/ef88420b-bbc5-4807-b1f3-c82eb5191c7f)
kannan@kannan-PC:~/encrypt$
kannan@kannan-PC:~/encrypt$ cd ..
kannan@kannan-PC:~$ cd decrypt/
kannan@kannan-PC:~/decrypt$ ls
example.txt.encrypted.decrypted kms.txt.encrypted.decrypted
kannan@kannan-PC:~/decrypt$ cat kms.txt.encrypted.decrypted
Test line for kms key
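The readable strings in the cat output of kms.txt.encrypted above are not a bug: the AWS Encryption SDK stores the encryption context and the key-provider info (including the KMS key ARN) in the message header, authenticated but not encrypted, so nothing secret belongs in an encryption context. As an added example (not the post's or the SDK's own code), this Python builds and parses a version-1 message header following the layout in the SDK's message format reference; the ARN is the one from this page, and the public-key and encrypted-data-key bytes are constructed dummies.

```python
import struct

# Constructed example: build and parse the cleartext header of an AWS Encryption SDK
# message (format version 1). KEY_ARN is from this page; key/EDK bytes are dummies.
KEY_ARN = "arn:aws:kms:ap-south-1:155364343822:key/ef88420b-bbc5-4807-b1f3-c82eb5191c7f"

def _u16(n): return struct.pack(">H", n)
def _field(b): return _u16(len(b)) + b  # 2-byte big-endian length prefix, as the format uses

def build_header_v1(context, edks, alg_id=0x0378):
    """Serialize a v1 header; encryption context and key-provider info go in the clear."""
    aad = b"".join(_field(k.encode()) + _field(v.encode()) for k, v in sorted(context.items()))
    aad = _u16(len(context)) + aad if context else b""
    edk_bytes = b"".join(_field(p.encode()) + _field(i.encode()) + _field(c) for p, i, c in edks)
    return (b"\x01\x80" + _u16(alg_id) + bytes(16)                    # version, type, alg id, message id
            + _field(aad) + _u16(len(edks)) + edk_bytes               # AAD block, EDK count, EDKs
            + b"\x02" + bytes(4) + b"\x0c" + struct.pack(">I", 4096)  # framed, reserved, IV len, frame len
            + bytes(12 + 16))                                         # header IV + auth tag (dummy zeros)

def parse_header_v1(buf):
    """Return what anyone holding the ciphertext can read without access to the KMS key."""
    pos = 0
    def take(n):
        nonlocal pos
        chunk = buf[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated header")
        pos += n
        return chunk
    def field(): return take(struct.unpack(">H", take(2))[0])
    if take(2) != b"\x01\x80":
        raise ValueError("not a version-1 Encryption SDK message")
    alg_id, _message_id = struct.unpack(">H", take(2))[0], take(16)
    aad_len, context = struct.unpack(">H", take(2))[0], {}
    if aad_len:
        for _ in range(struct.unpack(">H", take(2))[0]):
            key = field().decode()             # read the key before its value
            context[key] = field().decode()
    edks = []
    for _ in range(struct.unpack(">H", take(2))[0]):
        provider, info = field().decode(), field().decode()
        edks.append({"provider": provider, "provider_info": info, "edk_len": len(field())})
    framed, _reserved = take(1) == b"\x02", take(4)
    iv_len = take(1)[0]
    frame_len = struct.unpack(">I", take(4))[0]
    take(iv_len + 16)                          # header IV and header authentication tag
    return {"algorithm_id": alg_id, "encryption_context": context, "edks": edks,
            "framed": framed, "frame_length": frame_len, "header_length": pos}

SAMPLE = build_header_v1({"aws-crypto-public-key": "A" * 68, "purpose": "demo"},
                         [("aws-kms", KEY_ARN, bytes(184))])
```

Running parse_header_v1 on SAMPLE returns the context and the key ARN in plaintext; the header fields stop exactly where the encrypted body would begin.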
The same KMS key can also encrypt and decrypt EBS volumes and S3 buckets.
- EC2 > EBS > Volumes > Create volume > enable "Encrypt this volume".
- Create an S3 bucket using the CLI
kannan@kannan-PC:~$ aws s3 mb s3://kannandemo-bucket
make_bucket: kannandemo-bucket
- Select the bucket > Properties > Edit default encryption
- Select "Server-side encryption with AWS Key Management Service keys (SSE-KMS)"
- Choose "Choose from your AWS KMS keys" and pick the key
- S3 will then automatically encrypt objects on upload and decrypt them on download with that key.
To delete a KMS key you must schedule its deletion; the waiting period is a minimum of 7 days.