使用AWS KMS生成HMAC-SHA256

Question

我想使用AWS KMS生成纯文本的HMAC-SHA256值。

有没有可能在没有旋转的情况下这样做？因为，我只想使用一个键来散列所有的纯文本。我对AWS KMS了解不多，如果可能的话，你能分享一些关于使用KMS生成HMAC的资源吗？

Answer 1

ASP.NET MVC中的AWS KMS加密和解密

1普通密钥:在它的帮助下，你加密数据并删除它(密钥)(不需要在任何地方保存)。

2.encrypted data key :- you need to save this key to decrypt the data( to decrypt the data first you got plain key from aws using encrypted data key) and with the help of plain key you decrypt the data.

Note you need aws kms credentials like :-
a)serviceEndPoint b)awsKeyForKMS c)kmsConfig

Name space need to add from nuget package

using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model; 

**1) Encryption :-**
AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
            kmsConfig.UseHttp = true;
            kmsConfig.ServiceURL = serviceEndPoint;           
                //create client, specify Region end point or kms config
                AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
                GenerateDataKeyRequest dataKeyReq = new GenerateDataKeyRequest();
                dataKeyReq.KeyId = keyARNForKMS;
                dataKeyReq.KeySpec = DataKeySpec.AES_256;//The length of the data encryption key. AES_256 to generate a 256-bit symmetric key.
                GenerateDataKeyResponse dataKeyResponse = kmsClient.GenerateDataKey(dataKeyReq);
                //read encrypted data key from memory
                MemoryStream streamCipherText = dataKeyResponse.CiphertextBlob;
               // need to save this key with encrypted data because with the help of it 
               // you can decrypt(you got plaindatakey) the data
                encryptedDataKey = Convert.ToBase64String(streamCipherText.ToArray());

                //read plain data key from memory
                MemoryStream streamPlainText = dataKeyResponse.Plaintext;
              // use this key to encrypt your data and than forgot this key
                plainDataKey = Convert.ToBase64String(streamPlainText.ToArray());    
               //your encryption logic
                Encryption encrypt = new Encryption();
                encrypt.EncryptTextForKms(PlainKey, "data to be encrypted")

**2.Decryption Data:-**

AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
            kmsConfig.UseHttp = true;
            kmsConfig.ServiceURL = serviceEndPoint;
                //create client, specify Region end point or kms config
                AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
                DecryptRequest decryptRequest = new DecryptRequest();
// use hare above created encrypteddatakey to get plaindatakey
                MemoryStream streamEncryptedDataKey = new MemoryStream(Convert.FromBase64String(encryptedDataKey));//convert to stream object
                decryptRequest.CiphertextBlob = streamEncryptedDataKey;
                DecryptResponse decryptResp = kmsClient.Decrypt(decryptRequest);
                plainDataKey = Convert.ToBase64String(decryptResp.Plaintext.ToArray());
// your decryption logic
             DecryptTexts("encrypted data", PlainKey)