AWS KMS Amazon Web Service Implementation
Posted By : Aftab Alam | 29-Jul-2019
1. Introduction
AWS (Amazon Web Services) KMS (Key Management Service) is an AWS cloud service that lets us create, enable and disable keys. It is a secure service that uses FIPS (Federal Information Processing Standard) 140-2 validated hardware security modules to protect the underlying keys. These keys can be used to encrypt or decrypt data both within AWS services and outside them. It is integrated with AWS CloudTrail, which provides logs of key usage across AWS services.
2. Goal
The intention of the AWS KMS (Key Management Service) cloud service is to secure other AWS services. The keys created and managed by AWS KMS can be used for encryption/decryption in AWS and in other services.
3. Scope
The scope of this blog is to explore the use of the AWS KMS cloud service with AWS and other services.
4. AWS-KMS Environment Variables
4.1. Install the AWS CLI (which includes the kms subcommands) on Ubuntu
sudo apt-get install awscli
4.2. Now set the AWS account credentials in the AWS client by running the command below
aws configure
5. Add the XML dependencies to the pom.xml file
5.1. Dependency for AWS-Java-SDK
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk</artifactId>
    <version>1.11.169</version>
    <optional>true</optional>
</dependency>
5.2. Dependency for AWS-Encryption-SDK-Java
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-encryption-sdk-java</artifactId>
    <version>1.3.1</version>
</dependency>
6. Data Encryption Using AWS-Customer Managed Customer Master Key
6.1. Customer Managed Master Key Provider By Its ARN:- When a KMS key is created in an AWS account, AWS assigns it an identifier called the ARN (Amazon Resource Name) by which the key is referred to. The key itself never leaves the KMS service; when we want to use it at application level we pass its ARN to a provider, which exposes the designed functionality for further processing. The line of code below takes the key ARN and returns an instance of the KmsMasterKeyProvider class that will be used for encryption and decryption.
KmsMasterKeyProvider kmsMasterKeyProvider = new KmsMasterKeyProvider(awsKmsMasterKeyArn);
6.2. Encryption Context:- The encryption context is a set of non-secret key-value pairs that is bound to the cipher text when data is encrypted and is validated when the cipher text is decrypted. Here a single key is associated with the data encryption/decryption, which ensures that the data is decrypted only in the right context.
final Map<String, String> encryptionContext=Collections.singletonMap("AwsKmsMasterKey", "In spring-boot application");
6.3. Data Encryption:- To encrypt data, an instance method of the AwsCrypto class takes three arguments (KmsMasterKeyProvider, plain text, encryption context) and returns the encrypted data.
// The AwsCrypto instance is reusable and thread-safe
final AwsCrypto awsCrypto = new AwsCrypto();
String cipherText = awsCrypto.encryptString(kmsMasterKeyProvider, plainText, encryptionContext).getResult();
6.4. Data Decryption:- To decrypt data, an instance method of the AwsCrypto class takes two arguments (KmsMasterKeyProvider, cipher text) and returns an instance of CryptoResult. The master key ID and the encryption context recorded in the result are then checked against the expected values.
final CryptoResult<String, KmsMasterKey> decryptResult = awsCrypto.decryptString(kmsMasterKeyProvider, cipherText);
// Verify that the message was wrapped under the expected customer master key
if (!decryptResult.getMasterKeyIds().get(0).equals(awsKmsMasterKeyArn)) {
    throw new IllegalStateException("Wrong key id!");
}
// Verify that every expected encryption context entry is present and unchanged
for (final Map.Entry<String, String> e : encryptionContext.entrySet()) {
    if (!e.getValue().equals(decryptResult.getEncryptionContext().get(e.getKey()))) {
        throw new IllegalStateException("Wrong Encryption Context!");
    }
}
plainTextHashMap.put("plainText", decryptResult.getResult());
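The fragments in sections 6.1 to 6.4 assembled into one runnable class, as an added example that is not part of the original post. It wraps the two post-decryption checks (master key ID and encryption context) in a single method and shows the failure mode: a caller that expects a different context rejects an otherwise valid message. The environment variable AWS_KMS_MASTER_KEY_ARN is an assumption; the ARN is account-specific. Only the expected context entries are compared, because the SDK may add entries of its own to the stored context.

```java
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;

import java.util.Collections;
import java.util.Map;

/**
 * Round trip through the AWS Encryption SDK with a KMS customer master key,
 * with the post-decryption checks from section 6.4 pulled into one method.
 */
public final class KmsStringCryptoExample {

    private final AwsCrypto awsCrypto = new AwsCrypto();
    private final KmsMasterKeyProvider provider;
    private final String expectedKeyArn;

    KmsStringCryptoExample(String masterKeyArn) {
        this.expectedKeyArn = masterKeyArn;
        this.provider = new KmsMasterKeyProvider(masterKeyArn);
    }

    /** Encrypts and returns the SDK's base64 message; the encryption context travels inside that message. */
    String encrypt(String plainText, Map<String, String> encryptionContext) {
        return awsCrypto.encryptString(provider, plainText, encryptionContext).getResult();
    }

    /**
     * Decrypts and then verifies (a) that the message was wrapped under the expected CMK and
     * (b) that every expected context entry is present and unchanged. The SDK may add its own
     * entries to the stored context, so only the expected entries are compared.
     */
    String decryptAndVerify(String cipherText, Map<String, String> expectedContext) {
        CryptoResult<String, KmsMasterKey> result = awsCrypto.decryptString(provider, cipherText);

        if (!result.getMasterKeyIds().contains(expectedKeyArn)) {
            throw new IllegalStateException("Wrong key id: " + result.getMasterKeyIds());
        }
        Map<String, String> actual = result.getEncryptionContext();
        for (Map.Entry<String, String> e : expectedContext.entrySet()) {
            if (!e.getValue().equals(actual.get(e.getKey()))) {
                throw new IllegalStateException("Wrong encryption context for key " + e.getKey());
            }
        }
        return result.getResult();
    }

    public static void main(String[] args) {
        // Hypothetical environment variable; the key ARN is account-specific and not part of this post.
        String arn = System.getenv("AWS_KMS_MASTER_KEY_ARN");
        KmsStringCryptoExample crypto = new KmsStringCryptoExample(arn);
        Map<String, String> context = Collections.singletonMap("AwsKmsMasterKey", "In spring-boot application");

        String cipherText = crypto.encrypt("hello from spring-boot", context);
        System.out.println("decrypted: " + crypto.decryptAndVerify(cipherText, context));

        // Failure mode: a consumer expecting a different context must not accept this message.
        try {
            crypto.decryptAndVerify(cipherText, Collections.singletonMap("AwsKmsMasterKey", "other service"));
        } catch (IllegalStateException ex) {
            System.out.println("rejected as expected: " + ex.getMessage());
        }
    }
}
```

Running it needs the credentials configured in section 4 and kms:Encrypt/kms:Decrypt (or kms:GenerateDataKey) permission on the key; the message produced by encryptString already carries the encrypted data key and the context, so nothing else has to be stored beside it.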
7. Data Encryption Using Data-Key Generated from Customer Managed Customer Master Key
7.1. Customer Managed Master Key Provider By Its ARN:- The provider is created from the key ARN exactly as in section 6.1; the line below gives the KmsMasterKeyProvider instance used in the remaining steps.
KmsMasterKeyProvider kmsMasterKeyProvider = new KmsMasterKeyProvider(awsKmsMasterKeyArn);
7.2. Encryption Context:- The encryption context is the same as in section 6.2. Here it is passed to KMS when the data key is generated, so the same context must be supplied when that data key is later decrypted.
final Map<String, String> encryptionContext=Collections.singletonMap("AwsKmsMasterKey", "In spring-boot application");
7.3. Data-Key Generation from Customer Managed Master Key:- The KmsMasterKeyProvider has been created from the ARN of the master key. To obtain a KmsMasterKey, an instance method of KmsMasterKeyProvider takes an instance of MasterKeyRequest. Once the master key is obtained, its instance method generateDataKey takes two parameters (the algorithm and the encryption context) and returns a data key. That data key is used in the next step to encrypt/decrypt data.
MasterKeyRequest masterKeyRequest = MasterKeyRequest.newBuilder().build();
List<KmsMasterKey> masterKeys = kmsMasterKeyProvider.getMasterKeysForEncryption(masterKeyRequest);
KmsMasterKey masterKey = masterKeys.get(0);
System.out.println("=========Master Key========" + masterKey);
System.out.println("=========Key Id========" + masterKey.getKeyId());
System.out.println("=========Provider Id========" + masterKey.getProviderId());
// KMS returns the data key in plaintext (dataKey.getKey()) and wrapped under the master key (dataKey.getEncryptedDataKey())
DataKey<KmsMasterKey> dataKey = masterKey.generateDataKey(CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA256, encryptionContext);
7.4. Data Encryption Using Data-Key:- In the last step a data key was generated from the master key. Now the data key is used to encrypt plain text to cipher text. The encryption code is given below.
// Creating a Cipher object
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
// Initializing the Cipher object with the plaintext data key; with no IvParameterSpec the JCE generates a random IV
cipher.init(Cipher.ENCRYPT_MODE, dataKey.getKey());
// The IV must be stored with the cipher text (together with dataKey.getEncryptedDataKey()) so the data can be decrypted later
byte[] iv = cipher.getIV();
// Converting the plain text to bytes
byte[] plainTextBytes = plainText.getBytes(StandardCharsets.UTF_8);
// Encrypting the data
byte[] cipherText = cipher.doFinal(plainTextBytes);
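Section 7 stops at encryption; the part a practitioner actually needs is what to store and how to get the plaintext back. The class below is an added example, not code from the original post. It keeps the wrapped data key, the IV and the cipher text together in an Envelope, and on the decrypt side asks KMS to unwrap the data key again through masterKey.decryptDataKey with the same encryption context. Two choices are mine rather than the post's: AES/GCM instead of AES/CBC, so that the cipher text is integrity-protected and the encryption context can be bound to it as additional authenticated data, and the use of the SDK's KeyBlob model class (assumed to have a providerId/providerInformation/encryptedDataKey constructor) to rebuild the wrapped key from stored bytes. The environment variable AWS_KMS_MASTER_KEY_ARN is an assumption.

```java
import com.amazonaws.encryptionsdk.CryptoAlgorithm;
import com.amazonaws.encryptionsdk.DataKey;
import com.amazonaws.encryptionsdk.EncryptedDataKey;
import com.amazonaws.encryptionsdk.MasterKeyRequest;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
import com.amazonaws.encryptionsdk.model.KeyBlob;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

/** Envelope encryption with a KMS-wrapped data key: wrapped key, IV and cipher text are stored together. */
public final class DataKeyEnvelopeExample {

    private static final CryptoAlgorithm ALG = CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA256;
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    /** Everything a decryptor needs later, apart from permission to use the master key itself. */
    static final class Envelope {
        final String providerId;
        final byte[] providerInformation; // for KMS this identifies the wrapping key
        final byte[] encryptedDataKey;    // the data key as wrapped by KMS; never the plaintext key
        final byte[] iv;
        final byte[] cipherText;

        Envelope(String providerId, byte[] providerInformation, byte[] encryptedDataKey, byte[] iv, byte[] cipherText) {
            this.providerId = providerId;
            this.providerInformation = providerInformation;
            this.encryptedDataKey = encryptedDataKey;
            this.iv = iv;
            this.cipherText = cipherText;
        }
    }

    /** Canonical bytes of the context, used as GCM additional authenticated data so a context mismatch fails the tag check. */
    static byte[] contextAad(Map<String, String> context) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(context).entrySet()) {
            sb.append(e.getKey()).append('=').append(e.getValue()).append('\n');
        }
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    static Envelope encrypt(KmsMasterKey masterKey, Map<String, String> context, String plainText) throws Exception {
        // One fresh data key per message; KMS returns it in plaintext and wrapped under the master key.
        DataKey<KmsMasterKey> dataKey = masterKey.generateDataKey(ALG, context);
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, dataKey.getKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        cipher.updateAAD(contextAad(context));
        byte[] cipherText = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));

        return new Envelope(dataKey.getProviderId(), dataKey.getProviderInformation(),
                dataKey.getEncryptedDataKey(), iv, cipherText);
    }

    static String decrypt(KmsMasterKey masterKey, Map<String, String> context, Envelope env) throws Exception {
        // Ask KMS to unwrap the stored data key; KMS refuses if the context differs from the one used at generation.
        EncryptedDataKey wrapped = new KeyBlob(env.providerId, env.providerInformation, env.encryptedDataKey);
        DataKey<KmsMasterKey> dataKey = masterKey.decryptDataKey(ALG, Collections.singletonList(wrapped), context);

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, dataKey.getKey(), new GCMParameterSpec(GCM_TAG_BITS, env.iv));
        cipher.updateAAD(contextAad(context));
        return new String(cipher.doFinal(env.cipherText), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical environment variable; the key ARN is account-specific and not part of this post.
        KmsMasterKeyProvider provider = new KmsMasterKeyProvider(System.getenv("AWS_KMS_MASTER_KEY_ARN"));
        KmsMasterKey masterKey = provider.getMasterKeysForEncryption(MasterKeyRequest.newBuilder().build()).get(0);
        Map<String, String> context = Collections.singletonMap("AwsKmsMasterKey", "In spring-boot application");

        Envelope env = encrypt(masterKey, context, "account balance: 42");
        System.out.println("decrypted: " + decrypt(masterKey, context, env));
    }
}
```

The plaintext data key lives only inside the JVM for the duration of the call; what reaches the database is the Envelope, and every decrypt is a KMS call that CloudTrail records against the master key, which is the audit property section 1 mentions. With the post's AES/CBC variant the same storage rule applies, but there is no authentication tag, so a modified cipher text would decrypt to garbage rather than fail.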
8. Conclusion:- AWS KMS is a very beneficial service provided by AWS. It provides a facility to manage the keys for encryption and decryption somewhere other than where the encryption/decryption is being done. So it secures our encryption/decryption process and provides data security to a great extent.
About Author
Aftab Alam
Aftab has worked on multiple technologies in front-end as well as in back-end.