First, what is encryption? Encryption is the process of scrambling readable data (plaintext) into unreadable ciphertext using an algorithm and a secret key, so that anyone without the key cannot read it.
In AWS, the KMS service manages encryption keys and is used primarily for data at rest. The KMS Encrypt API itself only encrypts data smaller than 4 KB; for data larger than 4 KB, KMS is used with envelope encryption.
How AWS KMS encryption and decryption works:
For data smaller than 4 KB, KMS performs the encryption itself.
- The AWS SDK/CLI calls the Encrypt API with the secret data.
- KMS checks that the caller's IAM permissions allow the API call.
- If the caller has permission, KMS encrypts the data and returns the ciphertext.
- During decryption, the AWS SDK/CLI calls the Decrypt API with the ciphertext.
- KMS again checks that the caller's IAM permissions allow the API call.
- If the caller has permission, KMS decrypts the data and returns the plaintext.
- When the key is stored in KMS, AWS KMS manages the encryption/decryption key for us.
How AWS envelope encryption works:
The KMS Encrypt API call has a limit of 4 KB. To encrypt more than 4 KB, we need to use envelope encryption.
Encryption:
- This time we want to encrypt a big file, i.e., one larger than 4 KB.
- We use the SDK to call the GenerateDataKey API, specifying the CMK.
- If the requester has permission, KMS returns two keys: a plaintext DEK and an encrypted DEK.
- The SDK encrypts the secret file with the plaintext DEK.
- Finally, the SDK produces a single envelope file that contains the encrypted secret file and the encrypted DEK.
Decryption:
- During decryption, the AWS SDK calls the Decrypt API with the encrypted DEK taken from the envelope file.
- If the requester has permission, KMS decrypts the encrypted DEK using the KMS CMK and returns the plaintext data key.
- The AWS SDK then decrypts the encrypted file with the plaintext data key.
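The envelope flow above, as an added example that is not from the post: Ruby with the standard library's OpenSSL binding, where an in-memory FakeKMS stands in for the GenerateDataKey and Decrypt calls (assumption: a real client would make those two calls through the AWS SDK; the IAM permission check happens inside KMS and is not modelled). The envelope layout (length-prefixed encrypted DEK followed by the sealed file) is this example's own, not an AWS format.

```ruby
require 'openssl'
require 'securerandom'
# AES-256-GCM helpers. Output layout: nonce (12 B) | tag (16 B) | ciphertext.
def aead_seal(key, data)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv                   # fresh nonce per call; never reuse one with a key
  c.auth_data = ''
  ct = (data.empty? ? '' : c.update(data)) + c.final
  nonce + c.auth_tag + ct
end

def aead_open(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.auth_data = ''
  ct = blob[28, blob.bytesize]
  (ct.empty? ? '' : c.update(ct)) + c.final   # CipherError on wrong key or tampering
end

# Stand-in for the two KMS calls the post describes (assumption: a real client would
# call GenerateDataKey and Decrypt through the AWS SDK). The CMK never leaves it.
class FakeKMS
  def initialize
    @cmk = SecureRandom.random_bytes(32)
  end
  # Like KMS GenerateDataKey: returns [plaintext DEK, DEK encrypted under the CMK].
  def generate_data_key
    dek = SecureRandom.random_bytes(32)
    [dek, aead_seal(@cmk, dek)]
  end
  # Like KMS Decrypt: unwraps an encrypted DEK; the CMK itself is never returned.
  def decrypt(encrypted_dek)
    aead_open(@cmk, encrypted_dek)
  end
end

# Envelope layout: 4-byte big-endian length | encrypted DEK | file sealed with the DEK.
def envelope_encrypt(kms, plaintext)
  dek, wrapped = kms.generate_data_key
  [wrapped.bytesize].pack('N') + wrapped + aead_seal(dek, plaintext)
end
def envelope_decrypt(kms, env)
  n = env.unpack1('N')
  dek = kms.decrypt(env[4, n])          # only the wrapped DEK is sent to KMS
  aead_open(dek, env[4 + n, env.bytesize])
end
```

Only the 60-byte wrapped DEK ever travels to KMS, which is why the 4 KB Encrypt limit no longer constrains the size of the file.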