Chloe

Reputation: 171

How to store my key for encryption on AWS?

I am developing a REST API system running on the EC2 service.

My requirements are:

  1. encrypt/decrypt plain text with AES-256
  2. generate the key with PBKDF2
  3. store the key on the AWS cloud system
  4. Java

I tried to use the KMS & Crypto SDK, but it's not working. For example, the result of the encryption changes every time I call the method with the same plain text.

Do you have any ideas?

public String encrypt(String text) {
    String ciphertext = null;
    try {
        // Wrap the UTF-8 bytes of the plaintext for the KMS Encrypt request
        ByteBuffer byteBuffer = ByteBuffer.wrap(text.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        EncryptRequest encryptRequest = new EncryptRequest().withKeyId(key_arn).withPlaintext(byteBuffer);
        EncryptResult encryptResult = client.encrypt(encryptRequest);
        // Copy the ciphertext blob out of the ByteBuffer and Base64-encode it so it can be stored as text
        ByteBuffer blob = encryptResult.getCiphertextBlob();
        byte[] ciphertextBytes = new byte[blob.remaining()];
        blob.get(ciphertextBytes);
        ciphertext = java.util.Base64.getEncoder().encodeToString(ciphertextBytes);
    } catch (Exception e) {
        e.printStackTrace();
    }
    // On failure this is null; never fall back to returning the plaintext
    return ciphertext;
}

public String decrypt(String text) {
    String bb = null;
    try {
        // The stored value is Base64 text; decode it back to the raw ciphertext blob
        byte[] ciphertextBytes = java.util.Base64.getDecoder().decode(text);

        DecryptRequest request = new DecryptRequest();
        request.setCiphertextBlob(ByteBuffer.wrap(ciphertextBytes));

        DecryptResult result = client.decrypt(request);

        // Copy the plaintext bytes out of the ByteBuffer and decode them as UTF-8
        byte[] plaintext = new byte[result.getPlaintext().remaining()];
        result.getPlaintext().get(plaintext);
        bb = new String(plaintext, java.nio.charset.StandardCharsets.UTF_8);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return bb;
}

Upvotes: 0

Views: 1139

Answers (1)

bimsapi

Reputation: 5065

This is a hard question to answer succinctly because there are a lot of details and a lot of background knowledge that go into crypto and into using the AWS crypto capabilities correctly.

First, to your specific question: different values from the same plaintext are OK and expected. Encrypt returns different values for the same plain text because it attaches additional data to the plain text, such as an Initialization Vector (IV). This is a way to include non-deterministic data in the plain text precisely so that you don't end up with the exact same cipher text from the same plain text when using the same key.

More importantly, though, note that Encrypt and Decrypt are not general-purpose tools; they are designed to handle small payloads (< 8KB), specifically Data Keys. So where you go from here will depend on what kind of data you are encrypting. If you just need to decrypt a small value like a password, you can continue with Encrypt/Decrypt, and don't worry that two Encrypt operations produce different cipher texts. If you need to encrypt files or other arbitrary chunks of data, read on.

AWS promotes the idea of Envelope Encryption, which is the notion that the key used to actually en/decrypt is stored alongside the data it protects, and is itself en/decrypted via a separate master key. In the AWS case, that's the Customer Master Key (CMK), which never leaves KMS.

So you can use Encrypt to encrypt an encryption key that you generate, or you can use the AWS method GenerateDataKey to 1) create a key and 2) encrypt it for you. That will return both a plaintext (base64) and a cipher text version of the key. Use the plaintext in memory, store the cipher text to disk.

A more typical workflow would be something like:

  • Call GenerateDataKey. You need to specify the KeyId and a KeySpec (AES_128 or AES_256). There are also options to generate asymmetric keys.
  • The result includes both a plain text and an encrypted version of the generated key. Store the encrypted version.
  • At some later time, call Decrypt when you need to use the key.
  • Use the plaintext from that Decrypt call as the key in your local crypto code.

AWS actually provides a separate library to do all that for you: the AWS Encryption SDK, with support for a range of languages including Java. I've not used it extensively, but it provides the framework to do envelope encryption via best practices (which algorithms, master vs. data keys, etc.). Take a look (link below).

Hope this helps; encryption is tough to get right.

For more info:

Upvotes: 2
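As an added example of the GenerateDataKey / Decrypt workflow the answer describes (this is not bimsapi's code, nor the AWS Encryption SDK), here is an envelope-encryption class built on the same AWS SDK for Java v1 classes the question uses. The local AES-256-GCM cipher, the envelope byte layout and the cmkArn configuration value are my choices and are not taken from the answer; the two KMS calls need network access and a real CMK.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.model.*;

public class EnvelopeCrypto {
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private final AWSKMS kms; private final String cmkArn;  // cmkArn: placeholder, comes from your configuration
    public EnvelopeCrypto(AWSKMS kms, String cmkArn) { this.kms = kms; this.cmkArn = cmkArn; }

    // Envelope layout (my choice): [4-byte length][encrypted data key][12-byte IV][AES-GCM ciphertext + tag]
    public byte[] encrypt(byte[] plaintext) throws Exception {
        GenerateDataKeyResult dk = kms.generateDataKey(
                new GenerateDataKeyRequest().withKeyId(cmkArn).withKeySpec(DataKeySpec.AES_256));
        byte[] keyPlain = toBytes(dk.getPlaintext());        // use in memory only
        byte[] keyWrapped = toBytes(dk.getCiphertextBlob());  // safe to persist next to the data
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);  // fresh IV per call: same plaintext gives a different ciphertext
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, keyPlain, iv, keyWrapped, plaintext);
        Arrays.fill(keyPlain, (byte) 0);   // scrub the data key once it is no longer needed
        return ByteBuffer.allocate(4 + keyWrapped.length + IV_BYTES + ct.length)
                .putInt(keyWrapped.length).put(keyWrapped).put(iv).put(ct).array();
    }

    public byte[] decrypt(byte[] envelope) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(envelope);
        byte[] keyWrapped = new byte[in.getInt()];  in.get(keyWrapped);
        byte[] iv = new byte[IV_BYTES];             in.get(iv);
        byte[] ct = new byte[in.remaining()];       in.get(ct);
        // Only KMS can unwrap the data key; the CMK itself never leaves KMS
        byte[] keyPlain = toBytes(kms.decrypt(
                new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(keyWrapped))).getPlaintext());
        byte[] pt = gcm(Cipher.DECRYPT_MODE, keyPlain, iv, keyWrapped, ct);  // AEADBadTagException if tampered
        Arrays.fill(keyPlain, (byte) 0);
        return pt;
    }

    // AES-256-GCM with the wrapped key as AAD, so a ciphertext cannot be re-paired with a different key blob
    private static byte[] gcm(int mode, byte[] key, byte[] iv, byte[] aad, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        return c.doFinal(data);
    }
    private static byte[] toBytes(ByteBuffer b) { byte[] out = new byte[b.remaining()]; b.duplicate().get(out); return out; }
}
```

Because the data key is stored encrypted inside each envelope, decrypt needs only the envelope and KMS access; rotating or disabling the CMK in KMS is what revokes access to the data.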
