Securing Data with AWS Key Management Service
With more and more cloud adotpion by enterprises , Data Security has become the need of the hour.
Data security is the practice of protecting digital information from unauthorized access, corruption, or theft throughout its entire lifecycle.
How can we make our data secure ? The answer is using Encryption and Decryption techniques.
What is Encryption?
Encryption is a way of scrambling data so that only authorized parties can understand the information. In technical terms, it is the process of converting human-readable plaintext to incomprehensible text, also known as ciphertext.
What is Decryption?
Decryption is the process of transforming data that has been rendered incomprehensible through encryption back to its human-readable plaintext form.
AWS Key Management Service
AWS KMS is a fully managed service provided by AWS to manage the keys used to encrypt our data. It can be integrated with a wide range of AWS services. It provides access control to our keys so that we can determine who can access the keys and when can the keys be accessed.
AWS KMS pricing can be viewed at https://aws.amazon.com/kms/pricing/. Free tier includes 20,000 requests/month.
AWS KMS keys
KMS Keys are the primary resource in AWS KMS. We can use a KMS Key to encrypt, decrypt data. Typically, We will use symmetric encryption KMS keys, but we can create and use asymmetric KMS keys for encryption or signing, and create and use HMAC KMS keys to generate and verify HMAC tags.
A KMS key contains metadata, such as the key ID, key spec, key usage, creation date, description, and key state. Most importantly, it contains a reference to the key material that is used when we run cryptographic operations with the KMS key.
The KMS Keys that we create are Customer Managed Keys (CMK).CMKs are KMS keys in AWS accounts that we create, own, and manage. We have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.
Steps to Create CMK in AWS Console
Step 1:
Search for Key Management Service and Click Create Key to create CMK.
Make sure that you have selected the correct region because keys are specific to a region.
Step 2 :
AWS recommends using symmetric keys. Because, AWS services that are integrated with AWS KMS use only symmetric encryption KMS keys to encrypt our data.These services do not support encryption with asymmetric KMS keys.
Regionality:
AWS KMS supports multi Region keys. So that we can encrypt data in one region and decrypt it in different AWS region without any re-encrypting.
Step 3: Specify Alias Name and tags if needed.
Step 4:
In the key administrative and key usage permissions section, select the IAM users and roles who can manage the KMS key.
Step 5 :
Review the key settings and click Finish. When the process is complete, we can see the new key in the custom key store.
Basic Configuration in Node.js
Install AWS SDK package from npm
npm install aws-sdk
Import aws-sdk and configure KMS using your accessKeyId and secretAccesskey.
Specify the region in which the CMK is created.
Encrypt Data using CMK
The following is the function which encrypts a given text and outputs the ciphertext blob.
Decrypt Data using CMK
The following is the function which decrypts a ciphertext blob that was already encrypted and outputs the plain text.
KMS CMKs are inefficient when large data is to be encrypted and decrypted. The maximum size of data that could be encrypted or decrypted using KMS CMK is 4KB. To encrypt/decrypt data more than that KMS uses the concept of envelope encryption. This will be covered in the subsequent articles.