Key Management Service (KMS)
This page is a demo of KMS usage. A key has already been set up in KMS, and a dedicated IAM user (KMSDemo) has been granted use of that key. (The KMSDemo user credentials are in the JavaScript embedded in this page. Embedding long-lived IAM credentials in client-side code is acceptable only for a throwaway demo user whose permissions are limited to this one key; a real application should obtain short-lived credentials from a backend or an identity service instead, since anyone who loads the page can read and reuse whatever is embedded in it.)
Listing Keys
The first step you'll want to perform is to make a list of available KMS keys. Click on the button below to perform a "list keys" command to see what keys are available.
The ListKeys call returns the key IDs and ARNs of every key in the account and region, not just the ones you are allowed to use (key aliases come from the separate ListAliases call). A key appearing in the list is therefore no evidence that you can use it; only the key policy, enforced on Encrypt and Decrypt, decides that. This demo is configured so that you can only use the KMS Demo key (the one whose key ID starts with e8cb).
Using KMS to encrypt data
In the table below, paste the ID of the KMS key you want to use and type some data (at most 4 KB). Then click on Encrypt. KMS performs the encryption for you, provided the key policy grants you kms:Encrypt on that key.
Using KMS to decrypt data
The ciphertext blob returned by Encrypt contains not only the encrypted data (obviously) but also metadata identifying the KMS key that produced it. So to decrypt, you only need to supply the ciphertext: you do not name the KMS key, KMS reads it from the blob. The Decrypt response includes the KeyId that was used, and your code should compare it with the key it expects rather than trusting whatever blob it was handed. This applies to symmetric KMS keys, which is what this demo uses; ciphertext produced with an asymmetric KMS key carries no such metadata, and Decrypt then requires you to pass the KeyId.
Using KMS for envelope encryption
As noted, KMS accepts at most 4 KB of plaintext in Encrypt and Decrypt. KMS is built as a key management service rather than a bulk encryption service: every call is a signed request to the KMS API, charged per request, and the operation runs inside the service's HSMs, so it is not designed for streaming large payloads through it. Most data you want to encrypt is far larger than 4 KB, and the standard way around the limit is "Envelope Encryption".
With envelope encryption you first obtain a random key, generated either locally or by KMS. This is your "Data Key" (for example 32 random bytes used as an AES-256 key), and you use it to encrypt the data. Because the data key is in your possession, that encryption happens on the client side, without involving KMS. Then you use a KMS key to encrypt the data key itself. You store the encrypted data together with the encrypted data key and discard the plaintext data key. The encrypted data key wraps the key that protects the data, much like an envelope around a letter, hence the name "Envelope Encryption".
If someone gets hold of both the encrypted data and the encrypted data key, that material is useless to them: without the plaintext data key the data cannot be decrypted, and without permission to use the KMS key the encrypted data key cannot be unwrapped. A legitimate user, by contrast, has credentials that the key policy allows to call Decrypt on the KMS key, obtains the plaintext data key, and uses it to decrypt the data. Note where the security actually rests: every envelope is only as safe as the KMS key policy and the credentials that satisfy it, so those are what an attacker will go after.
Besides encrypting and decrypting a data key you supply, KMS can also generate the data key for you using the random number generator in its HSMs, and, to make things even more convenient, it can generate a data key and return it encrypted under the KMS key in a single operation (GenerateDataKey returns both the plaintext and the encrypted copy).
In the text field below, paste the ID of the KMS key to use as the master (wrapping) key, then click on "Generate data key". If you have access to that key, KMS returns a plaintext data key together with the same key encrypted under the KMS key.
You can now encrypt your data with the data key using any client-side encryption implementation you like; this step does not involve KMS. Use an authenticated mode such as AES-GCM so that tampering with the stored ciphertext is detected, use a fresh data key per object rather than reusing one across many, and once you are done, discard (zero) the plaintext data key.
You then store the encrypted data alongside the encrypted data key. An adversary who obtains both cannot read the data because it is encrypted, and the encrypted data key is of no use either: it has to be decrypted by KMS, under the key policy, before it can decrypt anything.
Using KMS for envelope decryption
When you need to decrypt your data, you first need the plaintext data key back, and that is again a KMS call. Provide the encrypted data key to Decrypt; if the key policy allows your principal to use the KMS key, KMS returns the plaintext data key.
As before, the encrypted data key carries the KeyId of the KMS key that wrapped it, so you do not need to name the KMS key. Check the KeyId in the response anyway, to make sure the envelope was wrapped by the key you expect.
Once you have the plaintext data key, use it with the same client-side implementation to decrypt the data, then discard the data key again.
About this demo
This complete demo is embedded in this HTML page as JavaScript. You can look at the source code of this page, at the bottom, to view the JavaScript code.