Reputation: 5145
If the answer is no, how do you deal with data encryption when migrating your data from AWS to another cloud someday?
e.g. an S3 object that has been encrypted with SSE-S3
Upvotes: 6
Views: 9265
Reputation: 270089
Typically, data is not encrypted using the keys stored in a Key Management Service (KMS).
Instead, when a file needs to be encrypted:
Later, when the file needs to be decrypted:
Thus, if you wish to move encrypted data to a different system, you merely need to decrypt the file-specific encryption keys using the KMS and re-encrypt them using the new KMS. The encrypted files can then be copied to the new system without needing to be decrypted.
Here's a picture from Server-side encryption with KMS managed keys (SSE-KMS) - AWS Certified Solutions Architect - Associate Guide [Book]:
Upvotes: 3
Reputation: 238727
It's not possible. From the docs:
By default, AWS KMS creates the key material for a CMK. You cannot extract, export, view, or manage this key material.
The exception is when you import your own keys into KMS. Since you import the key material, you can use the same one in the other provider if it supports importing keys.
When you copy your objects to another storage provider, AWS will transparently decrypt them. The new provider will have to encrypt your data using their own keys.
So basically, the migration involves decryption of your data, transfer of the data to a new provider, and encryption using a new key.
The only way to transport encrypted data from S3 is if you use SSE-C in S3, which stands for customer-provided encryption. In this case you are fully responsible for encryption and decryption of your files. AWS and the new provider only store the encrypted files:
Using server-side encryption with customer-provided encryption keys (SSE-C) allows you to set your own encryption keys.
Upvotes: 5