Help needed using AWS Encryption SDK, Python and RSA Public/Private keys


I've recently started using the AWS Encryption SDK with multiple KMS keys to encrypt and decrypt files.

I've now been asked to investigate using Public key encryption, so that we can have a mix of KMS master key and RSA master key providers. My thought this would be able to ensure that we can use our own KMS keys for decryption and allows a third party to supply us with their RSA Public key, which can then be referenced for them to decrypt offline.

I have reviewed the following example, , which I thought should solve it for me, but have noted that only the private key portion of the key pair is used for both the encryption and decryption of the file.

I am really lost with how to use a public key to encrypt and a private key to decrypt.

Is anyone able to point me in the right direction?

Edited by: WranglingData on Jun 28, 2020 10:32 PM

asked 3 years ago324 views
2 Answers


Take a look at this example for how to initialize a RawMasterKey with access to the public key and a RawMasterKey with access to the private key:

The RawMasterKey with access to the public key can be used for encryption, and the RawMasterKey with access to the private key can be used for decryption.

(Note that this links to example on one of our features branches. For future readers of this post, if this link is dead, look for this example on the master branch.)

answered 3 years ago


Thanks. Works perfectly.

Curiously, I thought I had tried a pattern similar to that, but in all honesty I am no longer sure :)

Regardless, this is the tonic. I have also tried it with, as I will be dealing with bigger files and as expected, it worked perfectly.

I appreciate you taking the time to answer. Thanks!

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions