Paxcel Labs

Reputation: 1

Can I use AWS KMS encryption for client side encryption in Android?

There is no method for KMS encryption in the Android AWS SDK. On the server side we use KMSEncryptionMaterialsProvider to create an AmazonS3EncryptionClient object, but this class is not available in the Android SDK. I tried using the Java SDK in my Android project, but it threw an exception.

Code:

KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(kms_cmk_id);
encryptionClient = new AmazonS3EncryptionClient(new ProfileCredentialsProvider(), materialProvider,
                new CryptoConfiguration())
            .withRegion(Region.getRegion(Regions.US_WEST_2));

Exception

Caused by: java.lang.ClassNotFoundException: Didn't find class "javax.management.MBeanServerFactory" on path: DexPathList

Upvotes: 0

Views: 1209

Answers (1)

Viccari

Reputation: 9318

Yes, it is possible. I'll give you three options, but all of them require getting your hands a little dirtier.

Option 1: You can derive your own implementation of a KMS Encryption Materials Provider. Even though that specific class (and likely some of its dependencies) is not present in the AWS Android SDK, you have the interface you need in the SDK: EncryptionMaterialsProvider. It should be possible to implement your own provider based on that.

Option 2: Use the KMS Client provided in the Android SDK to retrieve your own encryption materials from KMS and then pass a StaticEncryptionMaterialsProvider to the S3 client.

Option 3: Deal with encryption/decryption yourself. It's technically possible for you to retrieve the encryption materials using the KMS client, and then follow the KMS guidance on the official documentation to encrypt/decrypt your data. Please just do this if you are comfortable with cryptography.

Upvotes: 1
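
Option 2 from the answer above, as an added example (not code from the answer or from AWS). It assumes the Android SDK's KMS and S3 modules expose AWSKMSClient, GenerateDataKeyRequest, DecryptRequest and the (credentials provider, materials provider) constructor of AmazonS3EncryptionClient the way the AWS SDK for Java 1.x does; the class KmsBackedS3Client and its method names are hypothetical.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.kms.AWSKMSClient;
import com.amazonaws.services.kms.model.DataKeySpec;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyResult;
import com.amazonaws.services.s3.AmazonS3EncryptionClient;
import com.amazonaws.services.s3.model.EncryptionMaterials;
import com.amazonaws.services.s3.model.StaticEncryptionMaterialsProvider;
import java.nio.ByteBuffer;
import java.util.Arrays;
import javax.crypto.spec.SecretKeySpec;

public final class KmsBackedS3Client {           // hypothetical helper class
    private final AWSKMSClient kms;
    private final AWSCredentialsProvider creds;

    public KmsBackedS3Client(AWSCredentialsProvider creds, Regions region) {
        this.creds = creds;
        this.kms = new AWSKMSClient(creds);
        this.kms.setRegion(Region.getRegion(region));
    }

    /** Asks KMS for a fresh AES-256 data key under the given CMK. */
    public GenerateDataKeyResult newDataKey(String cmkId) {
        return kms.generateDataKey(new GenerateDataKeyRequest()
                .withKeyId(cmkId).withKeySpec(DataKeySpec.AES_256));
    }

    /** Recovers the plaintext data key from a stored KMS ciphertext blob. */
    public ByteBuffer unwrapDataKey(ByteBuffer ciphertextBlob) {
        return kms.decrypt(new DecryptRequest().withCiphertextBlob(ciphertextBlob)).getPlaintext();
    }

    /** Builds an S3 encryption client whose static materials are the plaintext data key. */
    public AmazonS3EncryptionClient clientFor(ByteBuffer plaintextKey) {
        byte[] raw = new byte[plaintextKey.remaining()];
        plaintextKey.duplicate().get(raw);
        try {
            EncryptionMaterials materials = new EncryptionMaterials(new SecretKeySpec(raw, "AES"));
            return new AmazonS3EncryptionClient(creds, new StaticEncryptionMaterialsProvider(materials));
        } finally {
            Arrays.fill(raw, (byte) 0);          // SecretKeySpec keeps its own copy of the bytes
        }
    }
}
```

Persist only `getCiphertextBlob()` from `newDataKey` (for example next to the object in S3) and never the plaintext key, since objects written through `clientFor` can only be read back after `unwrapDataKey` recovers the same data key from KMS. The credentials used on the device need `kms:GenerateDataKey` and `kms:Decrypt` on that CMK and nothing broader.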
