Paul Duvall edited this page Jan 30, 2020 · 12 revisions

3.1 AWS Encryption SDK

Review and ensure that you have setup your development environment before going through the steps below. In particular, ensure that you have installed and configured Python and pip in Cloud9.

Client-side encryption is the act of encrypting data before sending it over the wire (i.e. in transit) or before storing it at rest (e.g. in S3, RDS, etc.). The same key that was used to encrypt the data must be used to decrypt it.

Create a Customer Master Key in AWS KMS

  1. Go to the KMS Console.
  2. Click Customer managed keys and click the Create key button.
  3. Enter ceoa-31-key for the Alias and Description and click Next.
  4. On the Add tags page, enter Name as the tag key and ceoa-31-key as the tag value and click Next.
  5. On the Define key administrative permissions page, select a checkbox next to a user or users who can administer this key and click Next.
  6. On the Define key usage permissions page, select a checkbox next to a user or users who can use this key and click Next.
  7. On the Review and edit key policy page, review JSON policy and click Finish.
  8. Make note of the ARN for the KMS key you created.

Encrypt and Decrypt Text using the Encryption SDK

In this example, you will use the AWS Encryption SDK to encrypt and then decrypt some plain text using Python.

You will install the aws-encryption-sdk package using the pip package manager. You must have an existing KMS key in order to encrypt the text. If you need to decrypt this text later, you will need to use the same KMS key in order to decrypt it.

mkdir ~/environment/ceoa
cd ~/environment/ceoa
pip3 install aws-encryption-sdk --user
touch ceoa-3-sdk.py

Copy the contents from ceoa-3-sdk.py to your local ceoa-3-sdk.py file in Cloud9 and save it. Replace arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222 and arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333 with the ARNs of the KMS keys you want to use.

Run the Python program from the Cloud9 terminal to view the results.

python ceoa-3-sdk.py

When you run the Python program, it uses the AWS Encryption SDK to encrypt and then decrypt some plain text. The ciphertext and the decrypted text are printed to the terminal.

Additional Resources