AWS KMS Amazon Web Service Implementation

Posted By : Aftab Alam | 29-Jul-2019

1. Introduction

AWS (Amazon Web Services) KMS (Key Management Service) is a managed AWS service for creating and controlling cryptographic keys: keys can be created, enabled and disabled centrally. The underlying key material is protected by FIPS (Federal Information Processing Standard) 140-2 validated hardware security modules and never leaves KMS in plaintext; callers ask KMS to perform operations with a key rather than receiving the key itself. These keys can be used to encrypt and decrypt data in other AWS services and in applications outside AWS. KMS is integrated with AWS CloudTrail, which records every use of a key (which principal called which KMS API against which key, and when), so key usage can be audited.

2. Goal

The intention of AWS KMS (Key Management Service) is to protect the keys on which the security of data in other AWS services and in applications depends. Keys created and managed by AWS KMS can be used for encryption and decryption both inside AWS and from external services.

3. Scope

The scope of this blog is to explore the use of the AWS KMS cloud service from AWS and from other services, here from a Java application using the AWS Java SDK and the AWS Encryption SDK for Java.

4. AWS CLI Setup (credentials used for KMS access)

    4.1. Install the AWS CLI on Ubuntu. There is no separate KMS CLI; the KMS commands are the aws kms subcommands of the AWS CLI.

        sudo apt-get install awscli

    4.2. Set the AWS account credentials and default region by running the command below. The credentials are written to ~/.aws/credentials and are picked up not only by the CLI but also by the Java SDKs through the default credential provider chain, so the application code below needs no credentials of its own. Use an IAM user or role that is allowed only the KMS actions the application needs (for example kms:GenerateDataKey, kms:Encrypt and kms:Decrypt on the specific key), not account root credentials.

      aws configure

5. Add the dependencies to the pom.xml file

  5.1. Dependency for AWS-Java-SDK

    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>aws-java-sdk</artifactId>
      <version>1.11.169</version>
      <optional>true</optional>
    </dependency>

  5.2. Dependency for AWS-Encryption-SDK-Java

    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>aws-encryption-sdk-java</artifactId>
      <version>1.3.1</version>
    </dependency>

6. Data Encryption Using AWS-Customer Managed Customer Master Key

    6.1. Customer Managed Master Key Provider By Its ARN:- When a key is created in an AWS account, KMS assigns it an identifier called its ARN (Amazon Resource Name). The key material itself never leaves KMS. At application level the ARN is passed to a master key provider; every wrapping and unwrapping of a data key is then performed by KMS on the application's behalf, and the application only ever holds the ARN. The line below takes the key ARN and returns a KmsMasterKeyProvider instance that is used for both encryption and decryption.

          KmsMasterKeyProvider kmsMasterKeyProvider = new KmsMasterKeyProvider(awsKmsMasterKeyArn);

    6.2. Encryption Context:- The encryption context is a set of non-secret key/value pairs that is cryptographically bound to the ciphertext as additional authenticated data. KMS uses the same context when wrapping and when unwrapping the data key, so a ciphertext can only be decrypted under exactly the context it was encrypted with; a different or missing context makes the KMS Decrypt call fail. The context is stored in plaintext in the encrypted message header and appears in CloudTrail logs, so it must never contain secrets. The example below binds the ciphertext to one such pair.

          final Map<String, String> encryptionContext=Collections.singletonMap("AwsKmsMasterKey", "In spring-boot application");

    6.3. Data Encryption:- To encrypt, an instance method of the AwsCrypto class (awsCrypto below is an instance of AwsCrypto) takes three arguments (the KmsMasterKeyProvider, the plaintext and the encryption context) and returns a CryptoResult whose getResult() is the base64-encoded encrypted message. The message already carries the KMS-wrapped data key and the encryption context in its header, so it is self-contained.

          String cipherText = awsCrypto.encryptString(kmsMasterKeyProvider, plainText, encryptionContext).getResult();

    6.4. Data Decryption:- To decrypt, an instance method of the AwsCrypto class takes two arguments (the KmsMasterKeyProvider and the ciphertext) and returns a CryptoResult. Besides the plaintext it exposes the master key IDs and the encryption context read from the message header. Both must be verified by the application before the plaintext is trusted: the key check ensures the message was encrypted under the expected key and not under some other key the provider happens to be able to use, and the context check ensures it was encrypted for this purpose and not replayed from another one.

          final CryptoResult<String, KmsMasterKey> decryptResult = awsCrypto.decryptString(kmsMasterKeyProvider, cipherText);

          // Verify the ciphertext was produced under the expected master key
          if (!decryptResult.getMasterKeyIds().get(0).equals(awsKmsMasterKeyArn)) {
              throw new IllegalStateException("Wrong key id!");
          }

          // Verify every expected context entry is present with the expected value
          for (final Map.Entry<String, String> e : encryptionContext.entrySet()) {
              if (!e.getValue().equals(decryptResult.getEncryptionContext().get(e.getKey()))) {
                  throw new IllegalStateException("Wrong Encryption Context!");
              }
          }
          // plainTextHashMap is the response map of the Spring Boot controller this snippet is taken from
          plainTextHashMap.put("plainText", decryptResult.getResult());

7. Data Encryption Using Data-Key Generated from Customer Managed Customer Master Key

   7.1. Customer Managed Master Key Provider By Its ARN:- Exactly as in section 6.1, the key ARN is passed to a KmsMasterKeyProvider; the key material stays in KMS and only the ARN is handled by the application.

          KmsMasterKeyProvider kmsMasterKeyProvider = new KmsMasterKeyProvider(awsKmsMasterKeyArn);

   7.2. Encryption Context:- The same non-secret, authenticated key/value pairs as in section 6.2. Here the context is passed to KMS when the data key is generated and must be passed again when the wrapped data key is later decrypted by KMS.

          final Map<String, String> encryptionContext=Collections.singletonMap("AwsKmsMasterKey", "In spring-boot application");

   7.3. Data-Key Generation from Customer Managed Master Key:- The KmsMasterKeyProvider built from the ARN returns its KmsMasterKey objects through getMasterKeysForEncryption, which takes a MasterKeyRequest. Calling generateDataKey on the master key makes a single KMS GenerateDataKey request. KMS returns a fresh 256-bit data key in two forms: in plaintext (DataKey.getKey(), used locally for the actual encryption and never written anywhere) and wrapped under the master key (DataKey.getEncryptedDataKey(), which is stored next to the ciphertext so that KMS can unwrap it again at decryption time). The two parameters are the algorithm suite, which fixes the key length and intended cipher, and the encryption context.

          MasterKeyRequest masterKeyRequest = MasterKeyRequest.newBuilder().build();
          List<KmsMasterKey> masterKeys = kmsMasterKeyProvider.getMasterKeysForEncryption(masterKeyRequest);
          MasterKey masterKey = masterKeys.get(0);
          // Debug output: the key ARN and the provider id ("aws-kms")
          System.out.println("=========Master Key========" + masterKey);
          System.out.println("=========Key Id========" + masterKey.getKeyId());
          System.out.println("=========Provider Id========" + masterKey.getProviderId());
          // One KMS call; returns the plaintext data key and its KMS-wrapped form
          DataKey dataKey = masterKey.generateDataKey(CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA256, encryptionContext);

   7.4. Data Encryption Using Data-Key:- The data key from the previous step is now used locally to encrypt the plaintext. Two things have to be right here. First, the data key was generated for an AES-256-GCM algorithm suite, so the cipher is AES/GCM/NoPadding with a fresh random 12-byte IV for every message; GCM authenticates the ciphertext, whereas an unauthenticated mode such as CBC would leave it open to bit-flipping and padding-oracle attacks. Second, the plaintext must actually be passed to doFinal. The IV and the wrapped data key are not secret and must be stored together with the ciphertext, otherwise the data can never be decrypted; the plaintext data key must not be stored at all. Note that the AwsCrypto path in section 6 already does this envelope encryption internally in an authenticated message format, so the manual path is only needed when raw AES ciphertext has to be consumed by other tooling. The encryption code (imports: javax.crypto.Cipher, javax.crypto.spec.GCMParameterSpec, java.security.SecureRandom) is implemented below.

          // Fresh 12-byte IV per message; never reuse an IV under the same key
          byte[] iv = new byte[12];
          new SecureRandom().nextBytes(iv);
          // AES-GCM matches the ALG_AES_256_GCM_* suite the data key was generated for
          Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
          cipher.init(Cipher.ENCRYPT_MODE, dataKey.getKey(), new GCMParameterSpec(128, iv));
          byte[] plainTextBytes = plainText.getBytes(StandardCharsets.UTF_8);
          // Encrypt; the 16-byte authentication tag is appended to the output
          byte[] cipherText = cipher.doFinal(plainTextBytes);
          // Store iv, cipherText and the wrapped key together; KMS unwraps the key at decryption time
          byte[] encryptedDataKey = dataKey.getEncryptedDataKey();
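As an added example (not code from the original post), here is the complete envelope round trip that sections 7.3 and 7.4 leave open: generate a data key, encrypt locally with AES-GCM, keep only the wrapped data key, IV and ciphertext, and on the decrypting side have KMS unwrap the data key under the same encryption context before decrypting. It uses the AWS Encryption SDK for Java 1.x classes already on the page plus its KeyBlob model class (com.amazonaws.encryptionsdk.model.KeyBlob); the class and method names KmsEnvelope, Envelope, encrypt and decrypt, the sample plaintext and the key ARN taken from the command line are this example's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;

import com.amazonaws.encryptionsdk.CryptoAlgorithm;
import com.amazonaws.encryptionsdk.DataKey;
import com.amazonaws.encryptionsdk.MasterKeyRequest;
import com.amazonaws.encryptionsdk.kms.KmsMasterKey;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
import com.amazonaws.encryptionsdk.model.KeyBlob;

/** Envelope encryption with a KMS data key (added example; class and method names are hypothetical). */
public final class KmsEnvelope {

    // Same algorithm suite as the post: a 256-bit AES key intended for GCM.
    private static final CryptoAlgorithm ALG = CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA256;
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** What gets stored. No field is secret: the data key is present only in its KMS-wrapped form. */
    public static final class Envelope {
        public final byte[] encryptedDataKey;
        public final byte[] iv;
        public final byte[] cipherText; // AES-GCM output with the 16-byte tag appended

        Envelope(byte[] encryptedDataKey, byte[] iv, byte[] cipherText) {
            this.encryptedDataKey = encryptedDataKey;
            this.iv = iv;
            this.cipherText = cipherText;
        }
    }

    public static Envelope encrypt(KmsMasterKeyProvider provider, Map<String, String> encryptionContext,
                                   byte[] plainText) throws GeneralSecurityException {
        List<KmsMasterKey> masterKeys = provider.getMasterKeysForEncryption(MasterKeyRequest.newBuilder().build());
        KmsMasterKey masterKey = masterKeys.get(0);
        // One KMS GenerateDataKey call, bound to the encryption context.
        DataKey<KmsMasterKey> dataKey = masterKey.generateDataKey(ALG, encryptionContext);

        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv); // fresh IV per message; never reuse one under the same key

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, dataKey.getKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        // Authenticate the wrapped key as AAD, so a swapped key blob fails the GCM tag check.
        byte[] encryptedDataKey = dataKey.getEncryptedDataKey();
        cipher.updateAAD(encryptedDataKey);
        byte[] cipherText = cipher.doFinal(plainText);
        return new Envelope(encryptedDataKey, iv, cipherText);
    }

    public static byte[] decrypt(KmsMasterKeyProvider provider, String expectedKeyArn,
                                 Map<String, String> encryptionContext, Envelope env) throws GeneralSecurityException {
        KmsMasterKey masterKey = provider.getMasterKeysForEncryption(MasterKeyRequest.newBuilder().build()).get(0);
        if (!expectedKeyArn.equals(masterKey.getKeyId())) {
            throw new IllegalStateException("Provider is not configured for the expected key: " + masterKey.getKeyId());
        }
        // Rebuild the wrapped-key reference the SDK expects and let KMS unwrap it. KMS rejects the
        // call if the encryption context differs from the one used at GenerateDataKey time.
        KeyBlob wrapped = new KeyBlob(masterKey.getProviderId(),
                expectedKeyArn.getBytes(StandardCharsets.UTF_8), env.encryptedDataKey);
        DataKey<KmsMasterKey> dataKey = masterKey.decryptDataKey(ALG, Collections.singletonList(wrapped), encryptionContext);

        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, dataKey.getKey(), new GCMParameterSpec(GCM_TAG_BITS, env.iv));
        cipher.updateAAD(env.encryptedDataKey);
        return cipher.doFinal(env.cipherText); // throws AEADBadTagException on any tampering
    }

    public static void main(String[] args) throws Exception {
        String keyArn = args[0]; // ARN of a customer managed key the caller may use (assumed input)
        KmsMasterKeyProvider provider = new KmsMasterKeyProvider(keyArn);
        Map<String, String> ctx = Collections.singletonMap("AwsKmsMasterKey", "In spring-boot application");
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8); // constructed input

        Envelope env = encrypt(provider, ctx, msg);
        byte[] back = decrypt(provider, keyArn, ctx, env);
        System.out.println("round trip ok: " + Arrays.equals(msg, back));
    }
}
```

The provider should be constructed with the full key ARN, as on the page, because the SDK compares the key ARN returned by KMS Decrypt against the configured identifier before accepting the unwrapped key. The three Envelope fields can be stored together (for example as base64 columns); only the plaintext data key, which lives briefly in memory inside dataKey.getKey(), must never be persisted.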

8. Conclusion:- AWS KMS is a very useful service provided by AWS. The master key is generated, stored and used inside KMS's validated hardware security modules rather than on the hosts that perform encryption and decryption, so a compromise of an application host does not directly expose the master key, and every use of the key is recorded in CloudTrail. With envelope encryption the application handles only a per-message data key, briefly and in memory, and stores nothing but its KMS-wrapped form next to the ciphertext. Used this way, KMS protects the encryption process and the data to a great extent.

About Author

Aftab Alam

Aftab has worked on multiple technologies in front-end as well as in back-end.
