The maximum data size AWS KMS will encrypt is 4 KB, so whenever we use encryption in an AWS service/resource, is it done with envelope encryption? That is, the data is encrypted on the resource side with a key, that key is encrypted with another key (the CMK) and stored together with the data, and decryption runs the above steps in reverse. Is my understanding correct??
Posted on 2020-08-06 02:55:13
Probably. At least that is the case for S3.
Server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, 256-bit Advanced Encryption Standard ().
Posted on 2020-08-06 04:24:16
Generally, the CMK is not used to encrypt the data you want to encrypt.
Although there are different views on the 4 KB limit, data encryption keys provide a more secure way to encrypt data.
Because each resource can have its own data encryption key, the risk of every resource being decrypted if one encryption key is compromised is reduced (in fact, if that happens, KMS supports re-encryption to generate a new data key).
What you describe is correct for the S3 implementation of KMS. The base64-encoded encrypted key is stored together with the object it encrypts. To decrypt in S3, the master key is used to decrypt the object's data key, and the decrypted data encryption key is then used to decrypt the object.
Other services will have different implementations; for example, DynamoDB does this on a per table basis.
For more information on how each service implements KMS, see the How AWS Services use AWS KMS page.
Posted on 2021-03-27 03:08:45
AWS KMS does not store any data; it provides you with two keys:
1. Plain key: with the help of it you encrypt the data and then delete it (the key); no need to save it anywhere.
2. Encrypted data key: you need to save this key to decrypt the data (to decrypt the data you first get the plain key from AWS using the encrypted data key), and with the help of the plain key you decrypt the data.
Note: you need AWS KMS credentials like:
a) serviceEndPoint b) awsKeyForKMS c) kmsConfig
Namespaces need to be added from the NuGet package:
```csharp
using System;
using System.IO;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;
```
**1) Encryption :-**
```csharp
AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
// KMS endpoints are HTTPS-only; plain HTTP only makes sense against a local test endpoint
kmsConfig.UseHttp = true;
kmsConfig.ServiceURL = serviceEndPoint;
// create client, specify Region endpoint or KMS config
// (awsKeyForKMS / awsSecretKeyForKMS should come from a credential store, not from source code)
AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
GenerateDataKeyRequest dataKeyReq = new GenerateDataKeyRequest();
dataKeyReq.KeyId = keyARNForKMS;
dataKeyReq.KeySpec = DataKeySpec.AES_256; // length of the data encryption key: AES_256 generates a 256-bit symmetric key
GenerateDataKeyResponse dataKeyResponse = kmsClient.GenerateDataKey(dataKeyReq);
// read the encrypted data key from memory
MemoryStream streamCipherText = dataKeyResponse.CiphertextBlob;
// save this key with the encrypted data, because it is what lets you
// get the plain data key back (and so decrypt the data) later
string encryptedDataKey = Convert.ToBase64String(streamCipherText.ToArray());
// read the plain data key from memory
MemoryStream streamPlainText = dataKeyResponse.Plaintext;
// use this key to encrypt your data and then forget it; never store it beside the data
string plainDataKey = Convert.ToBase64String(streamPlainText.ToArray());
// your encryption logic (Encryption is the answer's own AES helper, not part of the SDK)
Encryption encrypt = new Encryption();
string encryptedData = encrypt.EncryptTextForKms(plainDataKey, "data to be encrypted");
```
**2) Decryption :-**
```csharp
AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
kmsConfig.UseHttp = true; // see the note on UseHttp in the encryption step
kmsConfig.ServiceURL = serviceEndPoint;
// create client, specify Region endpoint or KMS config
AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
DecryptRequest decryptRequest = new DecryptRequest();
// use the encryptedDataKey created above to get the plain data key back
MemoryStream streamEncryptedDataKey = new MemoryStream(Convert.FromBase64String(encryptedDataKey)); // convert to a stream object
decryptRequest.CiphertextBlob = streamEncryptedDataKey;
DecryptResponse decryptResp = kmsClient.Decrypt(decryptRequest);
string plainDataKey = Convert.ToBase64String(decryptResp.Plaintext.ToArray());
// your decryption logic (DecryptTexts is the answer's own helper, the inverse of EncryptTextForKms)
string decryptedData = DecryptTexts("encrypted data", plainDataKey);
```