Client side encryption SDK with alternative master key provider

1

Hello,

I am trying to use the AWS Encryption SDK for Python to perform client side encryption of files before uploading them to an S3 bucket. For various reasons, I am not allowed to fully trust AWS KMS in our account. Therefore, I am trying to figure out how to use the Encryption SDK with a local Master Key Provider instead of AWS KMS. I see from the documentation that the AWS Encryption SDK does indeed theoretically support the use of alternative Master Key Providers. However, I have not been able to find any tutorials or worked examples where this has been done. Has anyone performed such an implementation or can someone point me in the right direction to help me learn how to do it?

Thanks!

asked a year ago, 415 views
2 Answers
6
Accepted Answer

Hi Ellis,

Please go through the steps below and the AWS documentation links once; I hope it helps you resolve your issue.

Install the AWS Encryption SDK:

Ensure you have the AWS Encryption SDK for Python installed. You can install it using pip:

pip install aws-encryption-sdk

Create a Custom Master Key Provider:

You need to create a custom master key provider to manage your local encryption keys. Here's an example of how you can implement a simple master key provider:

import aws_encryption_sdk
from aws_encryption_sdk.exceptions import InvalidKeyIdError
from aws_encryption_sdk.identifiers import EncryptionKeyType, WrappingAlgorithm
from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey
from aws_encryption_sdk.key_providers.raw import RawMasterKeyProvider

class MyRawMasterKeyProvider(RawMasterKeyProvider):
    provider_id = "my-provider-id"

    def __init__(self, **kwargs):
        # MasterKeyProvider.__new__ forwards constructor kwargs to the provider's
        # config class, which accepts none, so keys are registered through add_key()
        # instead of being passed to the constructor.
        self._keys = {}

    def add_key(self, key_id, key):
        # Key ids are stored as bytes: the SDK serialises them as bytes and may hand
        # them back as bytes when it looks a key up.
        self._keys[key_id.encode() if isinstance(key_id, str) else key_id] = key
        # Registering the id makes it a member of this provider, so encrypt() wraps
        # the data key under it and decrypt() can find it again.
        self.add_master_key(key_id)

    def _get_raw_key(self, key_id):
        # Must return a WrappingKey, not the raw bytes; the SDK uses it to wrap and
        # unwrap the per-message data key.
        key_id = key_id.encode() if isinstance(key_id, str) else key_id
        if key_id not in self._keys:
            raise InvalidKeyIdError(f"Unknown key ID: {key_id!r}")
        return WrappingKey(
            wrapping_algorithm=WrappingAlgorithm.AES_256_GCM_IV12_TAG16_NO_PADDING,
            wrapping_key=self._keys[key_id],  # AES-256 needs exactly 32 bytes
            wrapping_key_type=EncryptionKeyType.SYMMETRIC,
        )

# Example key (should be securely generated and stored in a real application)
my_key_id = "example-key-id"
my_key = b"0123456789abcdef0123456789abcdef"  # exactly 32 bytes for AES-256

mkp = MyRawMasterKeyProvider()
mkp.add_key(my_key_id, my_key)

Encrypt Data:

Use the custom master key provider to encrypt your data. Here’s an example of how to do that:

# The client replaces the deprecated module-level aws_encryption_sdk.encrypt()/decrypt()
client = aws_encryption_sdk.EncryptionSDKClient()

plaintext = b"Hello, this is some plaintext to encrypt."

ciphertext, encryptor_header = client.encrypt(
    source=plaintext,
    key_provider=mkp,
    encryption_context={"purpose": "test encryption"}
)

print(f"Ciphertext: {ciphertext}")

Decrypt Data:

Similarly, you can decrypt the data using the same master key provider:

decrypted_plaintext, decryptor_header = client.decrypt(
    source=ciphertext,
    key_provider=mkp
)

print(f"Decrypted plaintext: {decrypted_plaintext}")

Custom Master Key Provider: The MyRawMasterKeyProvider class inherits from RawMasterKeyProvider and implements the _get_raw_key method, which returns the encryption key when the key ID matches.

Key Management: In this example, the key and key ID are hardcoded for simplicity. In a production environment, you should securely generate and store your keys.

Encryption Context: The encryption_context is an optional dictionary that provides additional authenticated data (AAD) for the encryption operation.

Notes

Security: Ensure that your key management practices are secure. Do not hardcode keys in your code for production use. Use secure storage solutions like HSMs or key management services that meet your security requirements.

Key Rotation: Implement key rotation policies to enhance security.

Performance: Consider the performance implications of your key provider implementation, especially if handling large volumes of data.

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html

https://aws-encryption-sdk-python.readthedocs.io/en/latest/

https://github.com/aws/aws-encryption-sdk-python

EXPERT
answered a year ago
  • Alternative is to use Raw AES Keyring if you need to juggle around with multiple keys and don't want to deal with managing the key provider.

1

Hello,

You can take a look at this example of using multiple master key providers using AWS KMS key and an RSA key pair as the master keys. https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/python-example-code.html#python-example-multiple-providers

Hope this helps!

EXPERT
answered a year ago
