AWS KMS HANDS ON TUTORIAL

In this article, you will learn what KMS is and the different types of keys in KMS.

Use Cases of AWS KMS:

AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. The customer master keys that you create in AWS KMS are protected by hardware security modules or HSMs.

Some of the features of KMS:

  • It is fully managed
  • It is a centralized key management
  • Integration with other AWS Services
  • Secure and Compliant

AWS KMS has been certified under multiple schemes to simplify your own compliance obligations.

AWS KMS supports two types of keys: the Customer Master Key (CMK) and the Data Key. We will look at the difference between them and at how they work together. I will also show how you create your own Customer Master Key and how you generate a data key.

Types of Encryption:

  • Symmetric Encryption: In symmetric encryption, the key you use to encrypt the data is the same key used to decrypt it. That is why it is called symmetric: one key serves for both encryption and decryption.
  • Asymmetric Encryption: In asymmetric encryption there are two keys. You use the public key to encrypt the data, and the private (secret) key to decrypt it.

Master Key: A key created in AWS KMS that can only be used within the AWS KMS service. The master key is commonly used to encrypt data keys so that the encrypted data key can be stored securely by your service. However, an AWS KMS master key can also be used to encrypt or decrypt arbitrary chunks of data no greater than 4 KiB. Customer master keys are created by a customer for use by a service or application. AWS managed keys are the default keys used by AWS services that support encryption.

Data Key: A symmetric key generated by AWS KMS for your service. Inside your service or application, the data key is used to encrypt or decrypt data. It can be considered a resource owned by the service or application.

How to Encrypt Data?

  • Use OpenSSL or the AWS Encryption SDK to encrypt data with the data key outside AWS.
  • Encrypt the data using the plaintext data key.
  • Never store the plaintext data key next to the encrypted data; remove it from memory as soon as possible.

How to Decrypt Data?

  • Call the KMS Decrypt API with the encrypted data key.
  • KMS returns the plaintext data key.
  • Use the plaintext data key to decrypt the encrypted data.
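The two procedures above (encrypt with a data key, then decrypt by unwrapping that key through KMS) as one worked example, added here and not part of the original article. It assumes boto3's call shapes for generate_data_key() and decrypt(); a constructed FakeKms stand-in replaces the real client so the code runs offline, the alias alias/tutorial and the encryption context are assumed values, and the local data encryption uses AES-256-GCM from the cryptography package:

```python
"""Envelope encryption with a KMS data key (added example, not from the original article).

Assumed: boto3's kms.generate_data_key() / kms.decrypt() call shapes, replaced here
by a constructed FakeKms stand-in; AES-256-GCM from the 'cryptography' package for
the local encryption step; alias/tutorial and the context {"app": "tutorial"} are
made-up values.
"""
import os
import secrets
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class FakeKms:
    """Constructed stand-in for boto3's KMS client.

    A real CMK never leaves KMS; here the 'encrypted data key' is an opaque token that
    only this object can map back to the plaintext key, which is all the flow needs.
    """

    def __init__(self):
        self._wrapped = {}  # token -> (plaintext data key, encryption context)

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        plaintext_key = secrets.token_bytes(32)  # AES_256 => 32-byte key
        token = secrets.token_bytes(16)
        self._wrapped[token] = (plaintext_key, dict(EncryptionContext or {}))
        return {"Plaintext": plaintext_key, "CiphertextBlob": token, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        entry = self._wrapped.get(CiphertextBlob)
        if entry is None:
            raise ValueError("InvalidCiphertextException")
        plaintext_key, ctx = entry
        if ctx != dict(EncryptionContext or {}):
            # KMS refuses to unwrap a key when the context differs from encryption time
            raise ValueError("InvalidCiphertextException: encryption context mismatch")
        return {"Plaintext": plaintext_key}


def encrypt_with_data_key(kms, key_id, data: bytes, context: dict) -> dict:
    """'How to Encrypt Data': get a data key, encrypt locally, keep only the wrapped key."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=context)
    plaintext_key = resp["Plaintext"]
    nonce = os.urandom(12)  # GCM nonce: unique per encryption under the same key
    ciphertext = AESGCM(plaintext_key).encrypt(nonce, data, None)
    # Python cannot reliably zero memory; dropping the reference is the best available here.
    del plaintext_key
    return {"encrypted_data_key": resp["CiphertextBlob"], "nonce": nonce, "ciphertext": ciphertext}


def decrypt_with_data_key(kms, blob: dict, context: dict) -> bytes:
    """'How to Decrypt Data': unwrap the data key via KMS Decrypt, then decrypt locally."""
    resp = kms.decrypt(CiphertextBlob=blob["encrypted_data_key"], EncryptionContext=context)
    return AESGCM(resp["Plaintext"]).decrypt(blob["nonce"], blob["ciphertext"], None)


def roundtrip(data: bytes = b"constructed secret payload") -> bytes:
    """Run the full envelope flow against the fake KMS; returns the recovered plaintext."""
    kms = FakeKms()
    ctx = {"app": "tutorial"}
    blob = encrypt_with_data_key(kms, "alias/tutorial", data, ctx)
    assert blob["ciphertext"] != data  # the stored bytes are not the plaintext
    return decrypt_with_data_key(kms, blob, ctx)


def wrong_context_is_rejected() -> bool:
    """Unwrapping under a different context fails; returns True when KMS rejects it."""
    kms = FakeKms()
    blob = encrypt_with_data_key(kms, "alias/tutorial", b"x", {"app": "tutorial"})
    try:
        decrypt_with_data_key(kms, blob, {"app": "other"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(roundtrip())
```

In production the only change is `kms = boto3.client("kms")`: key generation and unwrapping then happen inside KMS, the encrypted data key is stored beside the ciphertext, and the plaintext key exists only for the duration of the local AES-GCM call. The encryption context ties the wrapped key to its purpose, and KMS will not unwrap it under a different context, which the second function demonstrates.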

Data Encryption:

Data Encryption is vital if you have sensitive data that must not be accessed by unauthorized users.

If you store your data in plain text, an attacker who gets hold of it can do whatever they want with it, and usually that is nothing good. But if the data is encrypted, the attacker will have a hard time decrypting it even after compromising your database server. So encryption is vital, especially when you are dealing with sensitive data, and it is highly recommended for security-by-design architectures.

Two main methods to implement encryption at rest:

  • Client-side Encryption
  • Server-side Encryption

The first is client-side encryption, where you encrypt your data on the client side and then send it to the server or to backend services such as S3, EBS, Redshift, etc.

The second method is server-side encryption. In server-side encryption you let your backend services encrypt your data and manage the keys on your behalf.

So in client-side encryption you encrypt the data and manage your own keys; you can use KMS as the key management infrastructure, or, if you do not want to use KMS, manage the keys yourself.

In server-side encryption you let AWS manage your keys for you. Most AWS services such as S3, EBS and Redshift provide server-side encryption, and they use KMS behind the scenes.

The point I want to highlight is that KMS is used in both server-side encryption and client-side encryption.

Types of customer-managed keys:

In AWS KMS there are three types of customer-managed keys:

  • AWS managed default CMK keys: free
  • User keys created in KMS: $1 per month
  • User keys imported into KMS (must be 256-bit symmetric keys): $1 per month

For pricing details, see: https://aws.amazon.com/kms/pricing/

DEMO

Now we will see how to encrypt an environment variable with a KMS key.

Go to the Lambda console and click Create function.

Give your function a name and choose your language. Under permissions, select "Create a new role with basic Lambda permissions".

Then click Create function.

Earlier we created a Customer Managed Key named tutorial.

The idea is to use this tutorial key to encrypt an environment variable so that it is passed securely to our Lambda function.

In my Lambda function I want to pass in a database password so that the function can connect to my database.

For now we will encrypt our environment variable's key and value through the AWS console.

Once the Lambda function is created, go to the Environment variables section and click Edit.

We have to enable helpers for encryption in transit. This enables the Encrypt button. We also need to enter the key and value in this section.

Then click "Use a customer master key" and specify the key called tutorial.

Click Encrypt, and the tutorial key is used to encrypt my environment variable.

Then click "Decrypt secrets snippet". This gives us a snippet of code; copy the first snippet.

Choose the KMS key to encrypt in transit with, and then click the Encrypt button.

Now my environment variable is fully encrypted, and its value is a very long encrypted string.

Next we use the copied snippet in our Lambda function.

The snippet decrypts the value using the boto3 client, the AWS SDK for Python.

Save the function.

Now test the code: give the test event a name and click Create.

After that, our IAM role needs the Decrypt permission (kms:Decrypt) to decrypt the value.

Go to the Configuration tab, click Permissions and select your role.

Give the IAM role the Decrypt permission.

Save the IAM policy and come back to the Lambda console.

Now deploy and test the code.

We can see the output: our encrypted environment variable and the decrypted value.
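What the console's generated snippet does, as an added example written for this article rather than the console's own code: the environment variable (assumed here to be named DB_PASSWORD) is base64-decoded and handed to KMS Decrypt together with the LambdaFunctionName encryption context that the console attaches when it encrypts the value. The boto3 decrypt() call shape is assumed, and a constructed stand-in client replaces it so the code runs outside Lambda:

```python
"""Decrypt a KMS-encrypted Lambda environment variable (added example, not the console snippet).

Assumed: the variable is named DB_PASSWORD, the console encrypted it with the
LambdaFunctionName encryption context, and the KMS client has boto3's decrypt()
call shape. A constructed stand-in client is used so this runs outside Lambda.
"""
import base64
import os
from types import SimpleNamespace


def decrypt_env_var(encrypted_b64: str, function_name: str, kms_client) -> str:
    """Decode the console's base64 value and unwrap it with KMS Decrypt.

    Passing the encryption context is what makes the ciphertext usable only by the
    function it was encrypted for: KMS rejects the request if the context differs
    from the one used at encryption time.
    """
    response = kms_client.decrypt(
        CiphertextBlob=base64.b64decode(encrypted_b64),
        EncryptionContext={"LambdaFunctionName": function_name},
    )
    return response["Plaintext"].decode("utf-8")


def load_db_password(environ=None, kms_client=None) -> str:
    """Read DB_PASSWORD and decrypt it; meant to run once at cold start, not per request."""
    env = os.environ if environ is None else environ
    if kms_client is None:
        import boto3  # only imported inside Lambda, where the SDK is available
        kms_client = boto3.client("kms")
    return decrypt_env_var(env["DB_PASSWORD"], env["AWS_LAMBDA_FUNCTION_NAME"], kms_client)


def fake_kms(expected_blob: bytes, expected_context: dict, plaintext: bytes):
    """Constructed stand-in for boto3's KMS client; mimics the context check KMS performs."""
    def decrypt(CiphertextBlob, EncryptionContext=None):
        if CiphertextBlob != expected_blob or EncryptionContext != expected_context:
            raise RuntimeError("InvalidCiphertextException")
        return {"Plaintext": plaintext}
    return SimpleNamespace(decrypt=decrypt)


# Constructed sample: in a real function these values come from the console helper.
SAMPLE_BLOB = b"opaque-ciphertext-from-the-console"
SAMPLE_ENV = {
    "DB_PASSWORD": base64.b64encode(SAMPLE_BLOB).decode("ascii"),
    "AWS_LAMBDA_FUNCTION_NAME": "tutorial-function",
}
SAMPLE_CONTEXT = {"LambdaFunctionName": "tutorial-function"}


def demo() -> str:
    """Decrypt the sample under the matching function name; returns the password."""
    client = fake_kms(SAMPLE_BLOB, SAMPLE_CONTEXT, b"s3cr3t-db-pass")
    return load_db_password(SAMPLE_ENV, client)


def demo_copied_to_other_function() -> bool:
    """The same ciphertext pasted into another function is refused; True when rejected."""
    client = fake_kms(SAMPLE_BLOB, SAMPLE_CONTEXT, b"s3cr3t-db-pass")
    env = dict(SAMPLE_ENV, AWS_LAMBDA_FUNCTION_NAME="some-other-function")
    try:
        load_db_password(env, client)
    except RuntimeError:
        return True
    return False


def handler(event, context):
    """Lambda entry point: decrypts on use and reports only the password length."""
    password = load_db_password()
    return {"statusCode": 200, "body": "got a %d-character password" % len(password)}


if __name__ == "__main__":
    print(demo())
```

Decrypting at module import rather than inside the handler means one KMS call per cold start instead of one per invocation. Either way the function's IAM role needs kms:Decrypt on the tutorial key for the call to succeed, which is the permission step added in the walkthrough.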

Here I will show you how to encrypt and decrypt a plaintext file containing confidential information using the AWS CLI.

Requirements:

  1. If running on a local system, make sure to use an AWS profile that has at least KMS encrypt and decrypt permissions.
  2. If running on an AWS EC2 instance, make sure the attached IAM role has KMS permissions.

Steps:

We have a plaintext file in the current directory called text.txt, which contains some text. We encrypt it using the CLI.

We use aws kms encrypt and pass the following parameters:

  1. We specify a region, as KMS keys are region-based.
  2. We specify the KMS key using --key-id and the key ARN.
  3. The fileb:// prefix instructs the CLI to read the data to encrypt, called the plaintext, from a file and pass the file's contents to the command's --plaintext parameter.
  4. We extract the encrypted data, called the ciphertext, from the command's output by using the --output and --query parameters to control the command's output.
  5. We use the base64 utility to decode the extracted output. The ciphertext returned by a successful encrypt command is base64-encoded text, which must be decoded before it can be passed to the AWS CLI to decrypt it.
  6. Finally, we save the binary ciphertext to a file (> ExamplesecretEncrypted).

Now we decrypt the encrypted file:

  1. We use the fileb:// prefix to specify the --ciphertext-blob parameter. The fileb:// prefix instructs the CLI to read the encrypted data, called the ciphertext, from a file and pass the file's contents to the command's --ciphertext-blob parameter.
  2. The --output and --query parameters extract the decrypted data, called the plaintext, from the command's output.
  3. The base64 utility decodes the extracted plaintext to binary data. The plaintext returned by a successful decrypt command is base64-encoded text; it must be decoded to obtain the original plaintext.

Thank You.