Komlan Florient dogbe

Mar 21, 2021

4 min read

AWS Security: Key Management Service — use case

In this topic, i will explain from very zero with practical a key management Service which is security part of amazon web service.

It will bring you through a basic concept of encryption and decryption file.

What’s Key Management Service ?

Kms gives a way to create and manage cryptographic key through the use of aws service and application. It’s also use to protect data by encrypt and decrypt data.

I don’t want to spend more time on theoretical part, let’s jump directly to practical.

  • Step 1: Create an IAM (Identity and access management) user

Login to your amazon aws account and select iam services. In navigation menu, select access management -> user and “ add user “

For more details about Creating an IAM user in your AWS account — AWS Identity and Access Management (amazon.com) click on this links.

After creating a new user, you will have a user print in your user dashboard. Make sure to report your access key ID and secret access key for aws cli connection.

Step 2: Create keys — AWS key management service

We can create symmetric and asymmetric customer master keys in the aws management console.

During this demonstration, we have to create a symmetric key.

First select an appropriate region, In navigation pane, choose customer managed keys, create key and choose symmetric .

Make sure to choose a user create above for key administration permission and key usage permission.

Follow this links for more details: Creating keys — AWS Key Management Service (amazon.com)

Key create successfully!!!

Step 3: AWS CLI — Connect with your access key ID and access secret key

AWS Command Line Interface is a unified tool that provides a consistent interface for interacting with all services of aws.

Follow this links for Install, Update, and Uninstall the AWS CLI version 1 on Windows — AWS Command Line Interface (amazon.com).

For general use, aws configure command is the fastest way to set up aws cli installation.

Open terminal, and run aws configure.

Noticed aws cli prompts four pieces of information you have to fill. All this information will be collect on user creating process.

Step 4: Encryption and decryption

Let’s start this part with creating folder that contain file with password.

  • creation folder and file

Print content of pass.txt file with more command.

  • Symmetric encryption

Encrypt plaintext into ciphertext by using a customer master key(CMK). To encrypt data, you must be specify symmetric key to use in the encryption operation.

Used aws kms encrypt command for encryption process. it will take two argument(plaintext and key-id).

aws kms encrypt --plaintext fileb://pass.txt --key-id <Symmetric key>

output will be:

It’s mentioned encryptionAlgorithm use is Symmetric. CiphertextBlob will print a cyphertext. We will interest in the ciphertextblob, so extract it by add argument query.

Let’s redirect output into secure.txt file

Check you current folder to find secure.txt file. This file contain a ciphertext.

Warning: output for the encrypt command is on base64 encode.

Now, jump to decryption process.

  • Decryption process

Decrypt ciphertext that was encrypt by a aws customer manage key.

For more details: decrypt — AWS CLI 1.19.29 Command Reference (amazon.com)

Before decrypt file, use certutil command to decode.

Use aws kms decrypt command that take mandatory ciphettextblob argument.

In the output, plaintext is in base64 format.One and last operation to do, is to decode a plaintext into readable format.

visit this web site for base64 decode: https://www.base64decode.org/

output will be:

Congratulation !!! we have successfully encrypt and decrypt file with aws Key Management Service.

For more use case please let’s me know in comment.