3.1
Paul Duvall edited this page Jan 7, 2020
Review and ensure that you have set up your development environment before going through the steps below. In particular, ensure that you have installed and configured Python and pip in Cloud9.
Client-side encryption is the act of encrypting data before sending it over the wire (i.e. in transit) or before storing it at rest (e.g. in S3, RDS, etc.). To decrypt the data, you must use the same key that was used to encrypt it.
- Go to the KMS Console.
- Click Customer managed keys and click the Create key button.
- Enter `ceoa-31-key` for the Alias and Description and click Next.
- On the Add tags page, enter `Name` and `ceoa-31-key` and click Next.
- On the Define key administrative permissions page, select the checkbox next to the user or users who can administer this key and click Next.
- On the Define key usage permissions page, select the checkbox next to the user or users who can use this key and click Next.
- On the Review and edit key policy page, review the JSON policy and click Finish.
- Make note of the ARN for the KMS key you created.
```bash
mkdir ~/environment/ceoa
cd ~/environment/ceoa
pip3 install aws-encryption-sdk --user
touch ceoa-3-sdk.py
```
Copy the contents below into the file and save it.
```python
import aws_encryption_sdk

# Master key provider backed by KMS. Replace the example ARNs below with the ARN of
# the key you noted above; with more than one ARN, the data key is wrapped under
# each key, so any one of them is sufficient to decrypt.
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
    'arn:aws:kms:us-east-1:2222222222222:key/22222222-2222-2222-2222-222222222222',
    'arn:aws:kms:us-east-1:3333333333333:key/33333333-3333-3333-3333-333333333333'
])

my_plaintext = b'This is secret data!!'
print("my_plaintext %s\n" % my_plaintext)

# Encrypt client-side; the SDK generates a data key via KMS and returns the
# ciphertext message together with its header.
my_ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
    source=my_plaintext,
    key_provider=kms_key_provider
)
print("my_ciphertext %s\n" % my_ciphertext)

# Decrypt using the same provider; KMS unwraps the data key embedded in the message.
decrypted_plaintext, decryptor_header = aws_encryption_sdk.decrypt(
    source=my_ciphertext,
    key_provider=kms_key_provider
)
print("decrypted_plaintext %s" % decrypted_plaintext)

# Round trip must return the original bytes, and the encryption context stored in
# the header must be identical on both sides.
assert my_plaintext == decrypted_plaintext
assert encryptor_header.encryption_context == decryptor_header.encryption_context
```
Run the Python program from the Cloud9 terminal to view the results.
```bash
python ceoa-3-sdk.py
```
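The `encryption_context` compared in the script above lives in the message header, which the Encryption SDK stores in the clear: it is authenticated, not encrypted, so it must never carry secrets, and the header also names the KMS key ARN(s) that can decrypt the message. The following added example (not part of the lab or the SDK) parses those plaintext header fields using the AWS Encryption SDK message format version 1 layout; the sample header is constructed here with placeholder ARNs, message ID and wrapped-key bytes, and `0x0378` is assumed to be the SDK's default algorithm suite ID.

```python
import struct

def _u16(buf, off):
    return struct.unpack_from(">H", buf, off)[0], off + 2

def _field(buf, off):
    """Read a 2-byte big-endian length followed by that many bytes."""
    n, off = _u16(buf, off)
    return buf[off:off + n], off + n

def parse_header(msg: bytes) -> dict:
    """Parse the unencrypted header fields of a v1 Encryption SDK message."""
    version, msg_type, alg_id = struct.unpack_from(">BBH", msg, 0)
    if version != 1 or msg_type != 0x80:
        raise ValueError("not a version-1 customer-authenticated encrypted message")
    message_id, off = msg[4:20], 20
    aad_len, off = _u16(msg, off)
    aad_end, context = off + aad_len, {}
    if aad_len:  # the AAD block is omitted entirely when the encryption context is empty
        count, off = _u16(msg, off)
        for _ in range(count):
            k, off = _field(msg, off)
            v, off = _field(msg, off)
            context[k.decode()] = v.decode()
    edk_count, off = _u16(msg, aad_end)
    keys = []
    for _ in range(edk_count):  # one entry per master key the data key was wrapped under
        provider, off = _field(msg, off)
        info, off = _field(msg, off)
        _edk, off = _field(msg, off)  # wrapped data key: opaque here, usable only via KMS
        keys.append((provider.decode(), info.decode()))  # for KMS: ("aws-kms", key ARN)
    content_type, _reserved, _iv_len, frame_len = struct.unpack_from(">BIBI", msg, off)
    return {"algorithm_id": alg_id, "message_id": message_id.hex(), "encryption_context": context,
            "master_keys": keys, "framed": content_type == 2, "frame_length": frame_len}

def _lv(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_sample_header(key_arns: list, context: dict) -> bytes:
    """Construct a sample v1 header: placeholder message ID and wrapped keys, not real data."""
    aad = struct.pack(">H", len(context)) + b"".join(
        _lv(k.encode()) + _lv(v.encode()) for k, v in sorted(context.items()))
    edks = b"".join(_lv(b"aws-kms") + _lv(a.encode()) + _lv(b"\x00" * 32) for a in key_arns)
    return (struct.pack(">BBH", 1, 0x80, 0x0378) + b"\x11" * 16  # assumed default suite ID
            + (_lv(aad) if context else b"\x00\x00")
            + struct.pack(">H", len(key_arns)) + edks + struct.pack(">BIBI", 2, 0, 12, 4096))

if __name__ == "__main__":  # two placeholder ARNs mirror the two-key provider in the lab script
    arns = ["arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-1", "arn:aws:kms:us-east-1:444455556666:key/PLACEHOLDER-2"]
    print(parse_header(build_sample_header(arns, {"purpose": "ceoa-3-lab"})))
```

Run against the real `my_ciphertext` from the script above, `parse_header` shows which customer managed key an object depends on without calling KMS, which is useful when inventorying encrypted data.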