I am using the .NET SDK (AWS.EncryptionSDK) for AWS KMS encryption and decryption. The example code provided by AWS works for me when I use a symmetric key.
But now I need to use an asymmetric key for encryption and decryption, and I get the error below when I use an asymmetric key instead of a symmetric one. Error:
"You cannot generate a data key with an asymmetric CMK"
I need help making this work.
Here is my code:
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;
using AWS.EncryptionSDK;
using AWS.EncryptionSDK.Core;
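/// <summary>
/// Envelope-encrypts and decrypts strings with the AWS Encryption SDK, using an AWS KMS keyring
/// whose wrapping key is looked up from a KMS alias.
/// </summary>
/// <remarks>
/// The AWS KMS keyring protects every message with a fresh data key that it asks KMS to produce
/// (GenerateDataKey). KMS performs that operation only with symmetric keys, so pointing this
/// keyring at an asymmetric (RSA/ECC) key fails with
/// "You cannot generate a data key with an asymmetric CMK". An asymmetric key needs a different
/// mechanism: either a keyring type built for RSA wrapping keys (the newer Material Providers
/// Library offers an AWS KMS RSA keyring; check whether the package version in use has it), or
/// direct KMS Encrypt/Decrypt calls, which accept only small plaintexts and do not produce an
/// Encryption SDK message.
/// </remarks>
public static class EncryptionHelper
{
    // NOTE(review): KMS resolves an alias only when it is given as "alias/<name>" or as an alias
    // ARN; confirm this constant carries that prefix before relying on DescribeKey.
    private const string aliasName = "myAliasName";

    // One client for the whole process. AWS SDK clients are thread-safe and meant to be reused;
    // creating one per call (and never disposing it, as the original did) wastes connections.
    private static readonly AmazonKeyManagementServiceClient KmsClient = new AmazonKeyManagementServiceClient();

    /// <summary>
    /// Encrypts <paramref name="data"/> and returns the Encryption SDK message
    /// (header, encrypted data key and body) as a stream.
    /// </summary>
    /// <param name="data">UTF-8 text to encrypt.</param>
    /// <returns>The ciphertext message; it is binary, not text.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
    public static MemoryStream EncryptData(string data)
    {
        if (data is null)
        {
            throw new ArgumentNullException(nameof(data));
        }

        var materialProviders = AwsCryptographicMaterialProvidersFactory.CreateDefaultAwsCryptographicMaterialProviders();
        var encryptionSdk = AwsEncryptionSdkFactory.CreateDefaultAwsEncryptionSdk();

        var encryptInput = new EncryptInput
        {
            Keyring = materialProviders.CreateAwsKmsKeyring(CreateKeyringInput()),
            Plaintext = StringToMemoryStream(data)
        };

        return encryptionSdk.Encrypt(encryptInput).Ciphertext;
    }

    /// <summary>
    /// Decrypts an Encryption SDK message whose bytes were turned into a string via UTF-8.
    /// </summary>
    /// <remarks>
    /// Ciphertext is arbitrary binary. Decoding it through UTF-8 (for example with
    /// <see cref="MemoryStreamToString"/>) replaces every byte sequence that is not valid UTF-8,
    /// so the message may no longer decrypt after such a round trip. Prefer
    /// <see cref="DecryptData(byte[])"/> with the raw bytes, or store the ciphertext as Base64
    /// (<see cref="Convert.ToBase64String(byte[])"/>) and decode it before calling that overload.
    /// </remarks>
    /// <param name="data">The ciphertext message as a UTF-8 string.</param>
    /// <returns>The decrypted plaintext bytes as a stream.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
    public static MemoryStream DecryptData(string data)
    {
        if (data is null)
        {
            throw new ArgumentNullException(nameof(data));
        }

        return DecryptData(Encoding.UTF8.GetBytes(data));
    }

    /// <summary>
    /// Decrypts an Encryption SDK message given as raw bytes (the lossless counterpart of
    /// <see cref="EncryptData"/>).
    /// </summary>
    /// <param name="ciphertext">The ciphertext message produced by <see cref="EncryptData"/>.</param>
    /// <returns>The decrypted plaintext bytes as a stream.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="ciphertext"/> is null.</exception>
    public static MemoryStream DecryptData(byte[] ciphertext)
    {
        if (ciphertext is null)
        {
            throw new ArgumentNullException(nameof(ciphertext));
        }

        var materialProviders = AwsCryptographicMaterialProvidersFactory.CreateDefaultAwsCryptographicMaterialProviders();
        var encryptionSdk = AwsEncryptionSdkFactory.CreateDefaultAwsEncryptionSdk();

        var decryptInput = new DecryptInput
        {
            Ciphertext = new MemoryStream(ciphertext),
            Keyring = materialProviders.CreateAwsKmsKeyring(CreateKeyringInput())
        };

        return encryptionSdk.Decrypt(decryptInput).Plaintext;
    }

    /// <summary>
    /// Resolves <see cref="aliasName"/> to the ARN of the KMS key it currently points at.
    /// </summary>
    /// <returns>The key ARN reported by DescribeKey.</returns>
    public static async Task<string> GetARNBasedOnAliasNameAsync()
    {
        var describeKeyRequest = new DescribeKeyRequest
        {
            KeyId = aliasName
        };

        var describeKeyResponse = await KmsClient.DescribeKeyAsync(describeKeyRequest).ConfigureAwait(false);
        return describeKeyResponse.KeyMetadata.Arn;
    }

    /// <summary>
    /// Synchronous wrapper around <see cref="GetARNBasedOnAliasNameAsync"/>.
    /// </summary>
    /// <remarks>
    /// Blocks the calling thread. From code that runs under a synchronization context
    /// (UI frameworks, classic ASP.NET) call the async version instead, because blocking on
    /// the task there can deadlock.
    /// </remarks>
    /// <returns>The key ARN reported by DescribeKey.</returns>
    public static string GetARNBasedOnAliasName()
    {
        // GetAwaiter().GetResult() surfaces the original exception; .Result would wrap it in
        // an AggregateException that callers rarely expect.
        return GetARNBasedOnAliasNameAsync().GetAwaiter().GetResult();
    }

    /// <summary>Encodes <paramref name="str"/> as UTF-8 and wraps the bytes in a stream.</summary>
    /// <param name="str">Text to encode.</param>
    /// <returns>A stream positioned at the start of the UTF-8 bytes.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="str"/> is null.</exception>
    public static MemoryStream StringToMemoryStream(string str)
    {
        if (str is null)
        {
            throw new ArgumentNullException(nameof(str));
        }

        return new MemoryStream(Encoding.UTF8.GetBytes(str));
    }

    /// <summary>Decodes the whole content of <paramref name="response"/> as UTF-8 text.</summary>
    /// <remarks>
    /// Intended for the plaintext returned by <see cref="DecryptData(byte[])"/>. Do not use it
    /// to stringify ciphertext: invalid UTF-8 sequences are replaced, which corrupts the message.
    /// </remarks>
    /// <param name="response">Stream whose full buffer is decoded (position is ignored).</param>
    /// <returns>The decoded text.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="response"/> is null.</exception>
    public static string MemoryStreamToString(MemoryStream response)
    {
        if (response is null)
        {
            throw new ArgumentNullException(nameof(response));
        }

        return Encoding.UTF8.GetString(response.ToArray());
    }

    // Shared keyring configuration for Encrypt and Decrypt. The alias is resolved to a key ARN
    // because the AWS KMS keyring identifies the wrapping key by ARN when it decrypts; handing it
    // the alias directly would not match the key ARN recorded in the message.
    private static CreateAwsKmsKeyringInput CreateKeyringInput()
    {
        return new CreateAwsKmsKeyringInput
        {
            KmsClient = KmsClient,
            KmsKeyId = GetARNBasedOnAliasName()
        };
    }
}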
You need a symmetric CMK for this operation: as the error says, the Encryption SDK's KMS keyring has to generate a data key, and KMS only does that with a symmetric key. Create a new symmetric KMS CMK for this operation, separate from the key you have already created.