2

I am exploring the AWS KMS as a vault for storing the encryption keys. Now I am trying to encrypt the database fields like email.

So, the issue is: whenever there is a read/write for email, I don't want to hit the AWS APIs (using the SDK) to encrypt/decrypt.

What I am thinking is: is there a way I can get the plaintext data key using the SDK, store it in memory for some time, and use it for encryption/decryption?

I am playing with SDK but I am not seeing anything to get the data keys.

I need this for two reasons: a) throughput/performance, b) cost reduction.

I have my data on in-house physical machines, not in AWS.

Ankit Bansal

2 Answers

1

The entire point of KMS is to securely store encryption keys. As a result, you aren't finding any options to extract the key because such an option does not exist by design. This question is like saying, "I need a bank with a secure vault that I can store my driver's license in so it never gets stolen, but I also want to keep it in my wallet for when I go to the store". These needs are, quite simply, completely contradictory.

If for some reason you did want to do that, then you can use a KMS with a customer managed key. This will allow you to generate your own key, hand it to AWS, and they will place it in the KMS for you. At that point in time you can have a copy of the key yourself and AWS will also have a copy of the key that you can use via KMS.

A more common use case would be to use KMS to encrypt the actual encryption key for your data. This way the key can be stored in encrypted form. When your application starts it takes the encrypted key, calls KMS to decrypt it, stores the decrypted key in memory, and then can operate normally.

Conor Mancone
  • Right, but then for every encryption/decryption, I need to call AWS. This will impact performance/costing. Plus, is it guaranteed that if I encrypt the same email, the cipher will always be the same? I need to compare the encrypted data. – Ankit Bansal Oct 07 '20 at 09:58
  • @AnkitBansal This is covered by my paragraphs 2 and 3. – Conor Mancone Oct 07 '20 at 10:02
  • One more thing, might be a stupid question. When you say "customer managed key", you mean "customer managed master key", right? – Ankit Bansal Oct 07 '20 at 10:15
  • @AnkitBansal Specifically, the customer managed CMKs (rather than the AWS managed CMK). It's very confusing because CMK stands for customer master key, so we're talking about "customer managed customer master keys" vs "aws managed customer master keys". It makes sense when you dive into it, but it's very confusing on the surface. To be very specific, docs are here: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk – Conor Mancone Oct 07 '20 at 10:17
  • @AnkitBansal I forgot how terrible their documentation is here. This may help more: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html – Conor Mancone Oct 07 '20 at 10:20
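As an added example (not part of the answer above and not the AWS SDK): the envelope pattern from the answer's last paragraph, written in Go so it runs offline. `StandInKMS` is a local stand-in for the KMS key, whose master key never leaves the struct; a real deployment would call kms.GenerateDataKey and kms.Decrypt instead. At start-up the application unwraps the stored data key once and keeps it in memory, so per-field encryption never contacts KMS again (the `Calls` counter makes that visible). It also covers the comment about comparing encrypted emails: AES-GCM with a random nonce produces a different ciphertext every time, so the example adds an HMAC blind index for equality lookups, which is my assumed design rather than something the answer proposes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

func randBytes(n int) []byte { // a crypto/rand failure is treated as fatal
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag using a fresh random 96-bit nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// StandInKMS is a local stand-in for the KMS key, not the AWS SDK: the master
// key never leaves this struct, just as KMS never returns the CMK itself.
type StandInKMS struct {
	masterKey []byte
	Calls     int // counts "remote" calls to show they stop after start-up
}

func NewStandInKMS() *StandInKMS { return &StandInKMS{masterKey: randBytes(32)} }

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh plaintext data key plus
// the same key wrapped under the master key (the CiphertextBlob you store).
func (k *StandInKMS) GenerateDataKey() (plaintext, wrapped []byte, err error) {
	k.Calls++
	plaintext = randBytes(32)
	wrapped, err = seal(k.masterKey, plaintext)
	return plaintext, wrapped, err
}

// Decrypt mirrors KMS Decrypt: unwrap a stored data key.
func (k *StandInKMS) Decrypt(wrapped []byte) ([]byte, error) {
	k.Calls++
	return open(k.masterKey, wrapped)
}

// FieldCrypter is what the application holds in memory after its single KMS
// call at start-up; per-field Encrypt/Decrypt never contact KMS again.
type FieldCrypter struct {
	dataKey  []byte
	indexKey []byte // derived from dataKey for the equality index (assumed design)
}

func NewFieldCrypter(kms *StandInKMS, wrappedDataKey []byte) (*FieldCrypter, error) {
	dk, err := kms.Decrypt(wrappedDataKey)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, dk)
	mac.Write([]byte("email-blind-index"))
	return &FieldCrypter{dataKey: dk, indexKey: mac.Sum(nil)}, nil
}

func (f *FieldCrypter) Encrypt(value string) ([]byte, error) { return seal(f.dataKey, []byte(value)) }

func (f *FieldCrypter) Decrypt(ct []byte) ([]byte, error) { return open(f.dataKey, ct) }

// BlindIndex addresses the "is the ciphertext always the same?" comment: with a
// random nonce it is not, so equality lookups use a deterministic HMAC column.
func (f *FieldCrypter) BlindIndex(value string) string {
	mac := hmac.New(sha256.New, f.indexKey)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}
```

The wrapped data key returned by `GenerateDataKey` is what you persist (next to the ciphertexts or in configuration); the plaintext half exists only in process memory. Storing the blind index in its own column lets the database answer "is this email already registered?" without ever decrypting, while the ciphertext column stays non-deterministic.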
0

What I am thinking is that, is there a way I can get the plaintext data key

AWS KMS offers the GenerateDataKey action:

https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html

This operation returns a plaintext copy of the data key and a copy that is encrypted under a KMS key that you specify. You can use the plaintext key to encrypt your data outside of AWS KMS and store the encrypted data key with the encrypted data.

I need this for two reasons a) Throughput/performance b) Costing reduction

What you seem to be looking for is data key caching, a feature added to AWS Encryption SDK back in 2017:

https://aws.amazon.com/about-aws/whats-new/2017/08/aws-encryption-sdk-now-supports-data-key-caching/

Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales

You can read more about it here:

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html

automatictester
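An added illustration of the caching behaviour this answer points to (my own code, not the AWS Encryption SDK): a cache in Go that fronts a GenerateDataKey-style call and reuses one data key until an age, message-count or byte limit is reached, then fetches a fresh one. The three limits mirror the thresholds the Encryption SDK's caching CMM exposes; the generator here is a stub that returns random bytes and does not wrap anything, so the example runs offline.

```go
package main

import (
	"crypto/rand"
	"errors"
	"sync"
	"time"
)

// DataKey is the pair a GenerateDataKey call returns: the plaintext for local
// use and the KMS-wrapped copy (CiphertextBlob) stored next to the ciphertext.
type DataKey struct {
	Plaintext []byte
	Wrapped   []byte
}

// Generator is the one remote call the cache fronts (kms.GenerateDataKey in a
// real deployment); any function of this shape can be plugged in.
type Generator func() (DataKey, error)

// cacheEntry tracks how much one cached data key has been used.
type cacheEntry struct {
	key      DataKey
	created  time.Time
	messages int
	bytes    int64
}

// DataKeyCache hands out a cached data key until one of its limits is hit.
// Modelled on the AWS Encryption SDK caching CMM thresholds (max age, max
// messages, max bytes) but independent code, not the SDK.
type DataKeyCache struct {
	mu          sync.Mutex
	gen         Generator
	Now         func() time.Time // injectable clock (tests advance it)
	maxAge      time.Duration
	maxMessages int
	maxBytes    int64
	entry       *cacheEntry
	Misses      int // calls that went to the generator, i.e. to KMS
}

func NewDataKeyCache(gen Generator, maxAge time.Duration, maxMessages int, maxBytes int64) *DataKeyCache {
	return &DataKeyCache{gen: gen, Now: time.Now, maxAge: maxAge, maxMessages: maxMessages, maxBytes: maxBytes}
}

// Get returns a data key for encrypting one message of msgLen bytes; the
// message is charged against the key's limits when it is handed out. A single
// message larger than maxBytes gets a key of its own and forces a refresh next time.
func (c *DataKeyCache) Get(msgLen int64) (DataKey, error) {
	if msgLen < 0 {
		return DataKey{}, errors.New("negative message length")
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	e := c.entry
	if e == nil || c.Now().Sub(e.created) >= c.maxAge ||
		e.messages >= c.maxMessages || e.bytes+msgLen > c.maxBytes {
		k, err := c.gen()
		if err != nil {
			return DataKey{}, err
		}
		c.Misses++
		e = &cacheEntry{key: k, created: c.Now()}
		c.entry = e
	}
	e.messages++
	e.bytes += msgLen
	return e.key, nil
}

// Evict drops the cached key, e.g. on key rotation or at shutdown.
func (c *DataKeyCache) Evict() {
	c.mu.Lock()
	c.entry = nil
	c.mu.Unlock()
}

// StubGenerator stands in for KMS GenerateDataKey: a random 32-byte key and an
// opaque random blob where the real CiphertextBlob would be. It wraps nothing;
// it exists only so the cache can be exercised without AWS.
func StubGenerator() Generator {
	return func() (DataKey, error) {
		k := DataKey{Plaintext: make([]byte, 32), Wrapped: make([]byte, 32)}
		if _, err := rand.Read(k.Plaintext); err != nil {
			return DataKey{}, err
		}
		if _, err := rand.Read(k.Wrapped); err != nil {
			return DataKey{}, err
		}
		return k, nil
	}
}
```

Every ciphertext must still carry the `Wrapped` blob of the key that produced it, because after a refresh the cache no longer knows the previous key; decryption unwraps whichever blob is stored alongside the record. The limits are the security control: they bound how much data and how many messages share one key, so choose them by risk tolerance rather than purely by cost.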