
I'm using aws_encryption_sdk to encrypt and decrypt data. Once we hit an issue and our process was stuck for ~24 hours. One of the hypotheses was that there was a problem with string value decryption, because of the significantly increased volume of data. I want to set a connection timeout and retry strategy.

Additional question: Does this SDK connect to AWS to get the key and then do the decryption on the client side or does it get the key using boto and then make another call to AWS with that key and the text to decrypt and the decryption happens on the server side?

I did some research but couldn't find anything.

1 Answer

AWS Encryption SDK uses "envelope encryption". Each ciphertext is encrypted with a randomly generated key. The data key is itself encrypted with the AWS KMS key (and/or with other keys) and the encrypted data key is stored with the ciphertext.

In terms of AWS KMS operations, this means that, when encrypting, the random key is sent to AWS KMS to be encrypted and an encrypted data key blob is returned. Conversely, when decrypting, the encrypted data key is sent to AWS KMS and the original data key is returned. The data key can then be used to decrypt the ciphertext.

So the payloads to/from AWS KMS are tiny: the 32 bit data key plus encryption context and the encrypted data key.

The client connects to AWS KMS only to encrypt/decrypt the data key. The data key is used by the client to encrypt/decrypt the actual message locally.
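The flow the answer describes, as an added example that is not part of the original post or of the AWS Encryption SDK: a fresh 256-bit data key is generated on the client, only that key (with the encryption context as associated data) is sent to KMS to be wrapped or unwrapped, and the message itself is encrypted and decrypted locally with AES-GCM. It is written in Go with standard-library crypto so it runs offline without AWS credentials; `mockKMS` is a constructed stand-in for the KMS wrap/unwrap calls, and `callKMS` shows the per-call deadline and bounded retry the question asks about. All names, the 3-attempt limit and the timeouts are assumptions of this example, not SDK configuration.

```go
package main

import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// mockKMS stands in for AWS KMS (constructed for this example); it only ever sees data keys.
type mockKMS struct {
	masterKey []byte
	latency   time.Duration // simulated network/service delay
}

// keyOp wraps (unwrap=false) or unwraps (unwrap=true) one data key, giving up at the caller's deadline.
func (k *mockKMS) keyOp(ctx context.Context, in, aad []byte, unwrap bool) ([]byte, error) {
	select {
	case <-time.After(k.latency):
	case <-ctx.Done():
		return nil, ctx.Err()
	}
	return aesGCM(k.masterKey, in, aad, unwrap)
}

// aesGCM seals data as nonce||ciphertext, or (open=true) opens such a blob; the tag check fails on any AAD mismatch.
func aesGCM(key, data, aad []byte, open bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has a 128-bit block
	n := gcm.NonceSize()
	if open {
		if len(data) < n {
			return nil, errors.New("ciphertext too short")
		}
		return gcm.Open(nil, data[:n], data[n:], aad)
	}
	nonce := make([]byte, n)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, aad), nil
}

// callKMS gives each KMS round trip its own deadline and retries timeouts a bounded number of times.
func callKMS(ctx context.Context, perCall time.Duration, f func(context.Context) ([]byte, error)) (out []byte, err error) {
	for i := 0; i < 3; i++ {
		cctx, cancel := context.WithTimeout(ctx, perCall)
		out, err = f(cctx)
		cancel()
		if !errors.Is(err, context.DeadlineExceeded) {
			return out, err // success, or an error that retrying will not fix
		}
	}
	return nil, fmt.Errorf("kms: giving up after 3 attempts: %w", err)
}

// encrypt: one small KMS call wraps a fresh data key; the message is encrypted locally.
// The wrapped key (edk) and ciphertext are what the SDK stores together; ec is bound to both as AAD.
func encrypt(ctx context.Context, kms *mockKMS, perCall time.Duration, plaintext []byte, ec string) (edk, ct []byte, err error) {
	dataKey := make([]byte, 32) // 256-bit key, fresh per message
	if _, err = rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	edk, err = callKMS(ctx, perCall, func(c context.Context) ([]byte, error) {
		return kms.keyOp(c, dataKey, []byte(ec), false)
	})
	if err != nil {
		return nil, nil, err
	}
	ct, err = aesGCM(dataKey, plaintext, []byte(ec), false)
	return edk, ct, err
}

// decrypt: one small KMS call unwraps the stored data key; the message is decrypted locally.
func decrypt(ctx context.Context, kms *mockKMS, perCall time.Duration, edk, ct []byte, ec string) ([]byte, error) {
	dataKey, err := callKMS(ctx, perCall, func(c context.Context) ([]byte, error) {
		return kms.keyOp(c, edk, []byte(ec), true)
	})
	if err != nil {
		return nil, err
	}
	return aesGCM(dataKey, ct, []byte(ec), true)
}

func main() {
	kms := &mockKMS{masterKey: make([]byte, 32)} // constructed demo key; rand.Read fills it
	rand.Read(kms.masterKey)
	edk, ct, err := encrypt(context.Background(), kms, 2*time.Second, []byte("hello"), "purpose=demo")
	if err != nil {
		panic(err)
	}
	pt, err := decrypt(context.Background(), kms, 2*time.Second, edk, ct, "purpose=demo")
	fmt.Println(string(pt), err) // hello <nil>
}
```

Two points worth noting: a mismatched encryption context makes the unwrap fail at the KMS step, so the message is never decrypted with the wrong context, and a KMS that stalls is cut off by the per-call deadline and reported as an error after the retries instead of blocking the process indefinitely. In the Python SDK these knobs are not on the Encryption SDK itself but on the boto3 KMS client it uses, via botocore's `Config` (`connect_timeout`, `read_timeout`, `retries`).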


5 Comments

Is it possible to use the same data key to encrypt/decrypt multiple strings locally? Is that what I'm looking for docs.aws.amazon.com/encryption-sdk/latest/developer-guide/…?
Yes, that's the concept of data key caching. Note that caching is only effective if you use the same encryption context for each encryption - see: docs.aws.amazon.com/encryption-sdk/latest/developer-guide/…
Without cache: When I perform encryption, the data key is generated on the client side by the SDK and it is sent to AWS KMS. Then AWS KMS uses the master key that I have to generate manually from the AWS UI to encrypt the key. The encrypted data key and plaintext data key are returned to the SDK and then encryption is done on the client side. Is that correct? When I perform decryption, the SDK sends the encrypted data key to AWS KMS, then the data key is encrypted with the master key and it returns to the client. And the decryption is performed then. Is that correct?
yes, other than: AWS KMS then the data key is decrypted with the master key
@RichardHeap could you pls take a look at this: stackoverflow.com/q/78170741/6407858
