How to encrypt and decrypt using AWS KMS

The article shows how to use AWS KMS to encrypt and decrypt data.

Published Jan 5, 2025
In the last post, I provided an overview of AWS KMS. Here, I'll walk you through the process of using it.
There are two approaches to using AWS KMS. One is the AWS CLI together with OpenSSL; the other is the AWS Encryption SDK. Today, I'll show how to use AWS KMS with the AWS CLI and OpenSSL.

OpenSSL

OpenSSL is an open-source software library that provides essential cryptographic tools and implements the SSL/TLS protocols for secure communication. It supports a wide range of cryptographic algorithms, including encryption, decryption, digital signatures, and hash functions. OpenSSL is widely used to secure data transmission over the internet, manage digital certificates, and perform various cryptographic operations through its command-line tools; see the OpenSSL documentation if you would like to learn more. In this walkthrough the AWS CLI talks to AWS KMS, and OpenSSL does the local encryption with the data key that KMS returns.

How to use AWS KMS

There are five steps to using AWS KMS with OpenSSL and the AWS CLI.

Step 1. Preparation

First of all, we should check that our environment is well prepared.
  • Make sure the AWS CLI is installed. If not, install it first.
$ aws --version
aws-cli/2.15.6 Python/3.11.6 Darwin/23.6.0 exe/x86_64 prompt/off
  • Make sure OpenSSL is installed. If not, download and install it; a web search will turn up installation instructions for your platform.
$ openssl --version
OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)
Now, let's move on to the next step!

Step 2. Creating a CMK

We can create a key in AWS KMS from the console in our AWS account as follows:
  • Click on Customer managed keys
  • Click on Create key
  • Configure key
  • Add labels
  • Define key administrative permissions
  • Define key usage permissions
  • Finished
Now we have created a CMK with the alias test.

Step 3. Generating data key

We can use the AWS CLI to ask KMS for a data key.
$ aws kms generate-data-key --key-id alias/test --key-spec AES_256 --region us-east-1
The response is as below:
{
  "CiphertextBlob": "AQIDAHi71gCapMjMwnPHLHPcI0frWP6y0RXUSPXAF/9wSxFhOgGiXwg7BWsllukeqLQf/EApAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMz5xgmiIe/LnLEvvcAgEQgDuIKYN4tsL48jrC9k5BiZDslFeXh31cXcZxryCQlER9YUAQRDsFs7abo5rgvnT7uhGBp2Grq9nqXeiICg==",
  "Plaintext": "00oP+1SBZc73ileO1VRYLpE3aqIQUQbOPrmY4TSBYQ4=",
  "KeyId": "arn:aws:kms:us-east-1:157854716818:key/4d1cdb9b-9a7e-4072-a01c-9d00b9fb7dec"
}
It returns Plaintext and CiphertextBlob, which are base64 encoded. Plaintext is the data key itself; CiphertextBlob is the same key encrypted under the CMK, and only that encrypted copy is safe to store. We decode both and save them into the dataKey and encrypted-datakey files. (Pasting the Plaintext value into a command line also records it in your shell history; outside a demo, clear that history or pipe the CLI output straight into the decode step instead.)
  • decode dataKey
$ echo "00oP+1SBZc73ileO1VRYLpE3aqIQUQbOPrmY4TSBYQ4=" | base64 --decode > dataKey
  • decode encrypted-dataKey
$ echo "AQIDAHi71gCapMjMwnPHLHPcI0frWP6y0RXUSPXAF/9wSxFhOgGiXwg7BWsllukeqLQf/EApAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMz5xgmiIe/LnLEvvcAgEQgDuIKYN4tsL48jrC9k5BiZDslFeXh31cXcZxryCQlER9YUAQRDsFs7abo5rgvnT7uhGBp2Grq9nqXeiICg==" | base64 --decode > encrypted-datakey
We will use those two files below.

Step 4. Encrypting data

First, we put our sensitive data into password.txt.
$ echo "This is my password" > password.txt
Now we use the dataKey file to encrypt the sensitive data in password.txt. The encrypted data is written to encrypted-password.txt. Note that the -k option of openssl enc takes a literal passphrase string, not a key file, so the 256-bit data key is passed as hex with -K instead, together with a random IV. The IV is not secret, but it must be kept alongside the ciphertext because decryption needs the same value.
$ openssl rand -hex 16 > iv.hex
$ openssl enc -e -aes-256-cbc -in ./password.txt -out ./encrypted-password.txt -K "$(xxd -p -c 256 ./dataKey)" -iv "$(cat iv.hex)"
We should delete dataKey after encrypting the data; only encrypted-datakey, iv.hex and the ciphertext need to be kept.
$ rm dataKey

Step 5. Decrypting data

How do we decrypt the encrypted data? First, we send encrypted-datakey to KMS, which decrypts it and returns the Plaintext data key.
$ aws kms decrypt --ciphertext-blob fileb://./encrypted-datakey --region us-east-1
The output is below:
{
  "KeyId": "arn:aws:kms:us-east-1:157854716818:key/4d1cdb9b-9a7e-4072-a01c-9d00b9fb7dec",
  "Plaintext": "00oP+1SBZc73ileO1VRYLpE3aqIQUQbOPrmY4TSBYQ4=",
  "EncryptionAlgorithm": "SYMMETRIC_DEFAULT"
}
Now we can use this Plaintext to decrypt our data. But first, we base64-decode it and save it as dataKey again.
$ echo "00oP+1SBZc73ileO1VRYLpE3aqIQUQbOPrmY4TSBYQ4=" | base64 --decode > dataKey
Finally, we decrypt encrypted-password.txt with dataKey and the IV saved at encryption time. The decrypted sensitive data is written to decrypted-password.txt.
$ openssl enc -d -aes-256-cbc -in ./encrypted-password.txt -out ./decrypted-password.txt -K "$(xxd -p -c 256 ./dataKey)" -iv "$(cat iv.hex)"
Now decrypted-password.txt holds the original sensitive data from password.txt.
$ cat decrypted-password.txt
This is my password
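Steps 3 to 5 above (get a data key from KMS, encrypt locally, decrypt) as one script. This is an added example and not the article's own code. It reuses the article's key alias (alias/test) and region (us-east-1); the function names, the file layout it writes (<name>.enc, <name>.key, <name>.iv) and the ENVELOPE_OFFLINE switch are this example's own assumptions. It also avoids copying the base64 Plaintext by hand: the CLI's --query/--output text hands the values straight to the script, and the plaintext key is held only in a shell variable, never written to disk.

```shell
#!/bin/sh
# Envelope encryption with an AWS KMS data key, scripted end to end.
# Added example, not code from the article. Reuses the article's key alias
# (alias/test) and region (us-east-1); the file layout (<name>.enc, <name>.key,
# <name>.iv) and the ENVELOPE_OFFLINE switch are this script's own assumptions.
# ENVELOPE_OFFLINE=1 replaces the two KMS calls with local stand-ins so the
# round trip can be exercised without an AWS account.
set -eu

KEY_ID="${KEY_ID:-alias/test}"
REGION="${REGION:-us-east-1}"

# Convert the CLI's base64 blob on stdin into the hex string openssl's -K expects.
b64_to_hex() {
    openssl enc -base64 -d -A | od -An -v -tx1 | tr -d ' \n'
}

# Ask KMS for a fresh 256-bit data key. The wrapped copy (CiphertextBlob, still
# base64) is written to the file named in $1; the plaintext key is returned on
# stdout as hex and never written to disk.
kms_generate_data_key() {
    wrapped_out=$1
    if [ "${ENVELOPE_OFFLINE:-0}" = 1 ]; then
        # Offline stand-in (constructed for testing): the "wrapped" key is the key
        # itself behind a marker. It protects nothing; it only lets the flow run.
        offline_key=$(openssl rand -hex 32)
        printf 'OFFLINE-UNWRAPPED:%s\n' "$offline_key" > "$wrapped_out"
        printf '%s' "$offline_key"
        return
    fi
    # --query/--output text hands both values to the script directly, so the
    # plaintext key is never pasted into a command line or shell history.
    resp=$(aws kms generate-data-key --key-id "$KEY_ID" --key-spec AES_256 \
        --region "$REGION" --query '[CiphertextBlob,Plaintext]' --output text)
    set -- $resp                       # $1 = CiphertextBlob, $2 = Plaintext (tab separated)
    printf '%s\n' "$1" > "$wrapped_out"
    printf '%s' "$2" | b64_to_hex
}

# Send the wrapped key back to KMS and return the plaintext key as hex.
kms_decrypt() {
    wrapped_in=$1
    if [ "${ENVELOPE_OFFLINE:-0}" = 1 ]; then
        sed -n 's/^OFFLINE-UNWRAPPED://p' "$wrapped_in" | tr -d '\n'
        return
    fi
    blob=$(mktemp)
    openssl enc -base64 -d -A -in "$wrapped_in" -out "$blob"   # fileb:// wants raw bytes
    aws kms decrypt --ciphertext-blob "fileb://$blob" --region "$REGION" \
        --query Plaintext --output text | b64_to_hex
    rm -f "$blob"
}

# envelope_encrypt <plaintext-file> <name>: writes <name>.enc, <name>.key, <name>.iv
envelope_encrypt() {
    key_hex=$(kms_generate_data_key "$2.key")
    openssl rand -hex 16 > "$2.iv"     # the IV is not secret; it is stored beside the ciphertext
    # -K/-iv use the data key directly as the AES key; -k would treat its argument as a passphrase.
    openssl enc -e -aes-256-cbc -in "$1" -out "$2.enc" -K "$key_hex" -iv "$(cat "$2.iv")"
    unset key_hex                      # drop the plaintext key as soon as openssl is done
}

# envelope_decrypt <name> <output-file>: reverses envelope_encrypt
envelope_decrypt() {
    key_hex=$(kms_decrypt "$1.key")
    openssl enc -d -aes-256-cbc -in "$1.enc" -out "$2" -K "$key_hex" -iv "$(cat "$1.iv")"
    unset key_hex
}

case "${1:-}" in
    encrypt) envelope_encrypt "$2" "$3" ;;
    decrypt) envelope_decrypt "$2" "$3" ;;
    *) : ;;                            # no arguments: only define the functions
esac
```

Run it as `sh envelope.sh encrypt password.txt secret` and later `sh envelope.sh decrypt secret decrypted-password.txt`; only secret.key (the wrapped data key), secret.iv and secret.enc need to be stored. Two limits worth knowing: a key passed with -K is visible in the process list while openssl runs, and AES-CBC alone does not authenticate the ciphertext, so a modified secret.enc may decrypt to garbage without an error. The AWS Encryption SDK mentioned at the start of the article handles both of these for you.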