Reputation: 771
I am comparatively new to the AWS Cloud environment, so my knowledge in general is limited. My apologies upfront if these are simple, straightforward questions, and for asking for samples.
I also looked around on SO to get more information but could not find much. Perhaps I am looking for the wrong thing. Any help will be greatly appreciated.
I am trying to make use of AWS KMS to encrypt one data element in my application. After going through the documentation, my understanding is as below:
I have this code as below:
```java
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.GenerateDataKeyRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyResult;

// Client picks up credentials and region from the default provider chain
AWSKMS awsKmsClient = AWSKMSClientBuilder.standard().build();
// Ask KMS for a fresh 256-bit data key, returned both in plaintext and wrapped under the CMK
GenerateDataKeyRequest keyRequest = new GenerateDataKeyRequest()
        .withKeyId("alias/MyKeyAlias")
        .withKeySpec("AES_256");
GenerateDataKeyResult dataKeyResponse = awsKmsClient.generateDataKey(keyRequest);
// Both getters return a ByteBuffer; printing it shows position/limit, not the key bytes.
// Shown only for inspection: the plaintext key should never be logged in real code.
System.out.println("Plaintext Data Key: " + dataKeyResponse.getPlaintext());
System.out.println("Ciphertext Data Key: " + dataKeyResponse.getCiphertextBlob());
```
The documentation says to use the "plaintext" data key to encrypt my data and then delete the "plaintext" data key.
My first question is: How do I encrypt my data using the "plaintext" data key?
I am not able to find a place in the documentation that talks about how to do it. Or which API to use. There is an "encrypt" method in the AWSKMSClient class but that can be used only with the CMK's KeyID and not the Data Key. Or am I understanding it wrong?
Then the documentation also says to store the encrypted data and "ciphertextblob" data key. This is called Envelope Encryption in AWS KMS terms. I am not able to figure out how do I do it. Any help in this regard will be highly appreciated.
As per documentation, we need to take the below steps to decrypt:
Use the stored "ciphertextblob" data key to get the "plaintext" data key.
Use the above "plaintext" data key to decrypt the data.
I have a couple of questions on this also, as below:
What is the best way to store the encrypted data and "ciphertextblob" data key in a database?
How do I get the "plaintext" data key from the stored "ciphertextblob" data key?
And finally, how do I decrypt my data using the "plaintext" data key I get in the step above?
I would really appreciate it if you could provide sample code for the above questions, or please point me in the right direction to achieve the above.
Thank you.
Upvotes: 1
Views: 4510
Reputation: 12075
My first question is: How do I encrypt my data using the "plaintext" data key?
You can use the default crypto functionality; as I see you are using Java, you may have a look at my encryption blog.
Then the documentation also says to store the encrypted data and "ciphertextblob" data key. This is called Envelope Encryption in AWS KMS terms. I am not able to figure out how do I do it. Any help in this regard will be highly appreciated.
You store your ciphertext (encrypted data) and the "ciphertextblob" data key returned from the generateDataKey operation. How you store your data is up to you (local disk, S3, DB, other service ...).
The "ciphertextblob" data key will later be used to request the plain encryption key from KMS so you can decrypt your data.
As per documentation, we need to take the below steps to decrypt:
Use the stored "ciphertextblob" data key to get the "plaintext" data key.
Use the above "plaintext" data key to decrypt the data.
Indeed, the decrypt operation returns the plain data encryption key from the "ciphertextblob", so you can decrypt your data (again - the data encryption/decryption is completely up to you, but it is strongly recommended you use some secure standard, such as AES).
What is the best way to store the encrypted data and "ciphertextblob" data key in a database?
Please note the encrypted data are binary, so you will mostly see them encoded (e.g. base64), so imho the best approach is to store them as text (varchar).
How do I get the "plaintext" data key from the stored "ciphertextblob" data key?
By calling the decrypt() operation - it returns the plain data encryption key from the "ciphertextblob".
And finally, how do I decrypt my data using the "plaintext" data key I get in the step above?
Again, using the default crypto functionality :)
Upvotes: 1
Reputation: 2327
You can use the Java Cryptography Extension (JCE) to encrypt or decrypt the data. I'm not exactly sure what's the best way to store the ciphertextblob data key and the encrypted data, but I believe it should depend on your application and requirements. To get the plaintext data key from the ciphertextblob, you need to call the KMS Decrypt API, i.e. use the CMK to decrypt the ciphertextblob data key and get the plaintext data key.
You should use AWS Encryption SDK and you don't have to worry about these questions :)
Sample code can be found here.
Upvotes: 2
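Putting both answers together, here is an added example of the full envelope flow (it is not code from either answerer, from the asker, or from AWS). It assumes the AWS SDK for Java v1 classes already used in the question, the CMK alias "alias/MyKeyAlias" from the question, and credentials/region configured in the default provider chain; the class name KmsEnvelope and the three-field storage layout are my own choices.

```java
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyResult;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KmsEnvelope {
    private static final String KEY_ALIAS = "alias/MyKeyAlias"; // CMK alias from the question
    private final AWSKMS kms = AWSKMSClientBuilder.standard().build();
    /** Envelope-encrypt: returns {wrapped data key, IV, ciphertext}, each base64 so it fits a varchar column. */
    public String[] encrypt(byte[] plaintext) throws Exception {
        GenerateDataKeyResult dk = kms.generateDataKey(
                new GenerateDataKeyRequest().withKeyId(KEY_ALIAS).withKeySpec("AES_256"));
        byte[] dataKey = toBytes(dk.getPlaintext());          // used locally, never stored
        try {
            byte[] iv = new byte[12];
            new SecureRandom().nextBytes(iv);                 // fresh IV for every encryption
            byte[] ct = aesGcm(Cipher.ENCRYPT_MODE, dataKey, iv, plaintext);
            return new String[] { b64(toBytes(dk.getCiphertextBlob())), b64(iv), b64(ct) };
        } finally {
            Arrays.fill(dataKey, (byte) 0);                   // "delete" the plaintext key once used
        }
    }
    /** Envelope-decrypt: KMS unwraps the data key (the blob records which CMK wrapped it), then AES-GCM decrypts. */
    public byte[] decrypt(String wrappedKeyB64, String ivB64, String ctB64) throws Exception {
        ByteBuffer blob = ByteBuffer.wrap(Base64.getDecoder().decode(wrappedKeyB64));
        byte[] dataKey = toBytes(kms.decrypt(new DecryptRequest().withCiphertextBlob(blob)).getPlaintext());
        try {
            return aesGcm(Cipher.DECRYPT_MODE, dataKey,
                    Base64.getDecoder().decode(ivB64), Base64.getDecoder().decode(ctB64));
        } finally {
            Arrays.fill(dataKey, (byte) 0);
        }
    }
    private static byte[] aesGcm(int mode, byte[] key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");   // authenticated: a tampered record fails to decrypt
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }
    private static byte[] toBytes(ByteBuffer b) { byte[] out = new byte[b.remaining()]; b.duplicate().get(out); return out; }
    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
}
```

On JDKs older than 8u161 the 256-bit AES key needs the unlimited-strength JCE policy files installed; newer JDKs allow it by default.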