aws-encryption-cli vs. aws kms encrypt/decrypt (aws-cli/2.9.5)


All - if I compare the two choices in the title, the aws-encryption-cli and the aws cli within the kms group of commands, they seem to overlap. In other words - strictly from a command line perspective I can encrypt and decrypt using the AWS CLI - so is there a reason to use the aws-encryption-cli, which requires an additional install, rather than aws kms encrypt/decrypt?

2 Answers

The following provides a great summary on this topic:

How is the AWS Encryption SDK different from the AWS SDKs? The AWS SDKs provide libraries for interacting with Amazon Web Services (AWS), including AWS Key Management Service (AWS KMS). Some of the language implementations of the AWS Encryption SDK, such as the AWS Encryption SDK for .NET, always require the AWS SDK in the same programming language. Other language implementations require the corresponding AWS SDK only when you use AWS KMS keys in your keyrings or master key providers. For details, see the topic about your programming language in AWS Encryption SDK programming languages.

You can use the AWS SDKs to interact with AWS KMS, including encrypting and decrypting small amounts of data (up to 4,096 bytes with a symmetric encryption key) and generating data keys for client-side encryption. However, when you generate a data key, you must manage the entire encryption and decryption process, including encrypting your data with the data key outside of AWS KMS, safely discarding the plaintext data key, storing the encrypted data key, and then decrypting the data key and decrypting your data. The AWS Encryption SDK handles this process for you.

The AWS Encryption SDK provides a library that encrypts and decrypts data using industry standards and best practices. It generates the data key, encrypts it under the wrapping keys you specify, and returns an encrypted message, a portable data object that includes the encrypted data and the encrypted data keys you need to decrypt it. When it's time to decrypt, you pass in the encrypted message and at least one of the wrapping keys (optional), and the AWS Encryption SDK returns your plaintext data.

You can use AWS KMS keys as wrapping keys in the AWS Encryption SDK, but it is not required. You can use encryption keys that you generate and those from your key manager or on-premises hardware security module. You can use the AWS Encryption SDK even if you don't have an AWS account.

answered a year ago
  • Thanks - though I don't think this directly addresses the question of "why would one use the aws-encryption-cli CLI rather than the aws CLI (e.g. aws kms encrypt / aws kms decrypt)".

Accepted Answer

The AWS Encryption SDK (ESDK) performs encryption on the client side, that is, within your application and on hardware/instances of your choosing. The amount of plaintext you can encrypt depends on the algorithm and data key size, and you can configure the ESDK to use KMS as your key provider.

Encryption using the KMS API is done on the server side, meaning you send plaintext to KMS and in return receive ciphertext. Encryption is securely done within hardware security modules that have been validated (FIPS 140-2). There's a limitation on the payload size that you can encrypt/decrypt (4,096 bytes).

As to why you would use the ESDK over KMS and vice versa? It depends on your use case. If you have high performance requirements (e.g., latency, amount to encrypt, etc.), the ESDK might be advantageous since encryption is done locally within your application. If you have very sensitive data that needs to be encrypted under trusted and validated hardware, KMS might fit your use case better.

answered a year ago
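The two answers above describe the same split from different angles: `aws kms encrypt` sends the payload itself to KMS and stops at 4,096 bytes, while the Encryption CLI/SDK asks KMS only for a data key and does the bulk encryption locally, managing the data-key lifecycle (generate, encrypt locally, discard the plaintext key, store the wrapped key with the ciphertext, unwrap on decrypt) that the first answer says you must otherwise do by hand. The script below is an added example, not code from the page or from AWS, and walks through both paths so the difference is concrete. `FakeKms` is a constructed in-process stand-in for the KMS API (the wrapping key never leaves the object and it enforces the same 4,096-byte plaintext limit as the real Encrypt call); `seal`/`unseal` are an HMAC-SHA256 counter-mode keystream with an HMAC tag, a stdlib-only stand-in for the AES-GCM the real tooling uses, chosen so the script runs offline. The two-byte-length message layout is also an assumption for illustration; the Encryption SDK has its own versioned message format.

```python
"""Envelope encryption done by hand with KMS-style data keys, beside direct
`aws kms encrypt`, to show what the Encryption SDK/CLI automates.

Added example, not code from the page or from AWS. FakeKms is a constructed
in-process stand-in for the KMS API. seal()/unseal() are an HMAC-SHA256
counter-mode keystream with an HMAC tag, a stdlib-only stand-in for AES-GCM.
"""
import hashlib
import hmac
import os
import struct

KMS_MAX_PLAINTEXT = 4096  # documented limit of aws kms encrypt with a symmetric key


class KmsLimitError(ValueError):
    """Raised where the real API would reject an oversized plaintext."""


def _keystream(key, nonce, length):
    # PRF counter mode: concatenated HMAC(key, nonce || counter) blocks
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key):
    # Separate encryption and MAC keys derived from one secret
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class FakeKms:
    """Constructed stand-in for aws kms encrypt / decrypt / generate-data-key."""

    def __init__(self):
        self._key = os.urandom(32)  # the KMS key: never leaves the "HSM"

    def encrypt(self, plaintext):  # aws kms encrypt: whole payload goes to KMS
        if len(plaintext) > KMS_MAX_PLAINTEXT:
            raise KmsLimitError(f"{len(plaintext)} bytes exceeds {KMS_MAX_PLAINTEXT}")
        return seal(self._key, plaintext)

    def decrypt(self, ciphertext_blob):  # aws kms decrypt
        return unseal(self._key, ciphertext_blob)

    def generate_data_key(self):  # aws kms generate-data-key --key-spec AES_256
        # Plaintext key is for local use only; the wrapped copy is what you store.
        plaintext_key = bytearray(os.urandom(32))
        return plaintext_key, self.encrypt(bytes(plaintext_key))


def envelope_encrypt(kms, data):
    """The manual process the Encryption SDK hides: get a data key, encrypt
    locally, wipe the plaintext key, ship the wrapped key with the ciphertext."""
    plaintext_key, wrapped_key = kms.generate_data_key()
    body = seal(plaintext_key, data)
    for i in range(len(plaintext_key)):  # discard the plaintext data key
        plaintext_key[i] = 0
    # Portable message: 2-byte wrapped-key length || wrapped key || body
    return struct.pack(">H", len(wrapped_key)) + wrapped_key + body


def envelope_decrypt(kms, message):
    (klen,) = struct.unpack(">H", message[:2])
    wrapped_key, body = message[2:2 + klen], message[2 + klen:]
    plaintext_key = kms.decrypt(wrapped_key)  # one small KMS call, not the payload
    return unseal(plaintext_key, body)


def demo():
    kms = FakeKms()
    small = b"api-token-" * 20          # 200 bytes: fine for aws kms encrypt
    large = os.urandom(256 * 1024)      # 256 KiB: 64x over the direct limit
    result = {"direct_roundtrip": kms.decrypt(kms.encrypt(small)) == small}
    try:
        kms.encrypt(large)
        result["direct_large_rejected"] = False
    except KmsLimitError:
        result["direct_large_rejected"] = True
    message = envelope_encrypt(kms, large)
    result["envelope_roundtrip"] = envelope_decrypt(kms, message) == large
    tampered = message[:-1] + bytes([message[-1] ^ 1])  # flip a tag bit
    try:
        envelope_decrypt(kms, tampered)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Run it directly to see all four checks pass. The practical reading of the accepted answer follows from the code: with `aws kms encrypt` the plaintext (`small`) itself crosses the wire and KMS refuses anything over 4,096 bytes, whereas in the envelope path the only thing KMS ever sees is a 32-byte data key, so payload size is bounded by local resources and the wrapped key travels inside the message. Everything between `generate_data_key` and `unseal` is what `aws-encryption-cli --encrypt`/`--decrypt` does for you, including the message format and the wipe of the plaintext key.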
