Sanat Dwivedi

Reputation: 43

Key Management Services

What algorithms or encryption methods are used behind Amazon Key Management Services?

I searched for it but found only configuration related information instead of Integration information.

Upvotes: 4

Views: 1151

Answers (2)

Viccari

Reputation: 9318

I'll preface this answer by saying that if you're really interested, the KMS Cryptographic Details document is really good and detailed, and I recommend you read it.

There are two types of KMS keys, Customer Master Keys (CMKs) and Data Keys (DKs). Customer Master Keys never leave AWS infrastructure, and they are generated via API call. There's a caveat: they can be provided by AWS customers (aka you), via this and this API call. Data keys are generated via API call. That API returns both a "plain" and an encrypted version of the key. This encryption is done using a CMK.

KMS uses only symmetric encryption, as per the developer guide.

So, to answer your question (what algorithms does KMS use), take a look at this diagram (taken from here): KMS Envelope Encryption

The encryption algorithm on the bottom of the image is the algorithm used to encrypt the DKs. From the cryptographic details document linked above:

AWS KMS uses configurable cryptographic algorithms so that the system can quickly migrate from one algorithm, or mode, to another. The initial default set of cryptographic algorithms has been selected from Federal Information Processing Standard (FIPS-approved algorithms) for their security properties and performance.

and also:

All symmetric key encrypt commands used within the HSA use the Advanced Encryption Standards (AES), in Galois Counter Mode (GCM) using 256-bit keys. The analogous calls to decrypt use the inverse function.

After you generate a DK, you perform the encryption and decryption yourself, using the algorithm and standard you want (and this is the encryption algorithm on the top of the image above). But the only type of DK you can generate today is AES, and you can only choose whether you want 128 or 256 bits (docs).

For the sake of completeness, when you import a master key, you typically wrap your key material using RSA (2048-bit).

Upvotes: 3
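The flow described above (GenerateDataKey handing back a plaintext and a wrapped data key, local AES-GCM encryption under that key, and KMS Decrypt unwrapping it again) as an added Go example; this is not code from the answer or from AWS. It assumes a local 32-byte master key standing in for the HSM-held CMK, and the `data-key` AAD label and all function names are its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randomBytes(n int) []byte { // OS CSPRNG bytes for data keys and GCM nonces
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// gcmFor builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}
func sealGCM(key, plaintext, aad []byte) []byte { // AES-GCM, fresh nonce prepended
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
func openGCM(key, sealed, aad []byte) ([]byte, error) { // reverses sealGCM; tag check rejects tampering
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}
// EnvelopeEncrypt follows the diagram: step 1 stands in for the KMS GenerateDataKey call
// (assumption: master is a local 32-byte key; real KMS keeps it inside the HSMs), step 2 is the client's local encryption.
func EnvelopeEncrypt(master, payload []byte) (wrappedDK, ciphertext []byte) {
	dk := randomBytes(32) // 1: fresh 256-bit data key, handed back wrapped under the CMK
	return sealGCM(master, dk, []byte("data-key")), sealGCM(dk, payload, nil) // 2: dk is discarded afterwards
}
func EnvelopeDecrypt(master, wrappedDK, ciphertext []byte) ([]byte, error) { // unwrap (KMS Decrypt), then open
	dk, err := openGCM(master, wrappedDK, []byte("data-key"))
	if err != nil {
		return nil, err
	}
	return openGCM(dk, ciphertext, nil)
}
```

Only the wrapped data key and the ciphertext need to be stored; anything that alters either one, or presents the wrong master key, fails the GCM tag check instead of yielding garbage.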

sudo

Reputation: 2317

AWS KMS uses the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM), known as AES-GCM, and it uses this algorithm with 256-bit secret keys (copied from the KMS document).

Upvotes: 0