2.1

2.1 AWS Encryption SDK

Review and ensure that you have setup your development environment before going through the steps below. In particular, ensure that you have installed and configured Python and pip in Cloud9.

Create a Customer Master Key in AWS KMS

1. Go to the KMS Console.
2. Click Customer managed keys and click the Create key button.
3. Enter an Alias and a Description and click Next.
4. Click Next on the Add tags page.
5. On the Define key administrative permissions page, select a checkbox next to a user or users who can adminster this key and click Next.
6. On the Define key usage permissions page, select a checkbox next to a user or users who can use this key and click Next.
7. On the Review and edit key policy page, review JSON policy and click Finish.
8. Make note of the ARN for the KMS key you created.

Encrypt and Decrypt Text using the Encryption SDK

mkdir ~/environment/ceoa
cd ~/environment/ceoa
touch ceoa-2-sdk.py

Copy the contents below into the file

import aws_encryption_sdk

kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
    'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
    'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
])
my_plaintext = b'This is secret data!!'

print ("my_plaintext %s\n" % my_plaintext)

my_ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
    source=my_plaintext,
    key_provider=kms_key_provider
)

print ("my_ciphertext %s\n" % my_ciphertext)

decrypted_plaintext, decryptor_header = aws_encryption_sdk.decrypt(
    source=my_ciphertext,
    key_provider=kms_key_provider
)

print ("decrypted_plaintext %s" % decrypted_plaintext)


assert my_plaintext == decrypted_plaintext
assert encryptor_header.encryption_context == decryptor_header.encryption_context

Additional Resources

• Install and configure AWS Encryption SDK for Python
• AWS Encryption SDK for Python Open Source Repository