【Question title】: Does AWS KMS use envelope encryption?
【Posted】: 2020-11-26 00:24:27
【Question】:

The maximum data size AWS KMS allows for encryption is 4 KB, so whenever we use encryption in an AWS service/resource, is the encryption done using envelope encryption? That is, the data is encrypted on the resource side itself with a key, that key is encrypted with another key (the CMK) and stored together with the data, and decryption happens in the reverse order of the steps above. Is my understanding correct?

【Question comments】:

    Tags: amazon-web-services amazon-s3 encryption aws-kms


    【Answer 1】:

    Probably. S3 at least seems to work that way:

    Server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available to encrypt your data, 256-bit Advanced Encryption Standard (AES-256).

    【Comments】:

      【Answer 2】:

      Generally, the CMK is not used to encrypt the data you want to encrypt.

      Although there is the point about the 4 KB limit, data encryption keys provide a more secure method of encrypting data.

      Because each resource can have its own data encryption key, the risk of all resources being decrypted if a single encryption key is leaked is reduced (in fact, if that happens, KMS supports re-encryption to generate a new data key).

      What you describe is correct for the S3 implementation of KMS. The Base64-encoded encrypted key is stored alongside the object it encrypts. Decrypting in S3 requires decrypting the object's data key with the CMK, and then decrypting the object with the decrypted data encryption key.

      Other services will have different implementations, e.g. DynamoDB does this on a per table basis.

      For more information on how each service implements KMS, take a look at the How AWS Services use AWS KMS page.

      【Comments】:

        【Answer 3】:
        AWS KMS does not store any data; it provides you two keys:

        1. Plain key: with the help of it you encrypt the data and then delete it (the key) (no need to save it anywhere).

        2. Encrypted data key: you need to save this key to decrypt the data (to decrypt the data you first get the plain key from AWS using the encrypted data key) and with the help of the plain key you decrypt the data.

        Note: you need AWS KMS credentials like:
        a) serviceEndPoint b) awsKeyForKMS c) kmsConfig


        KMS encryption and decryption in ASP.NET MVC

        Namespaces to add from the NuGet package (AWSSDK.KeyManagementService), plus the BCL ones the snippet uses:

        using System;
        using System.IO;
        using Amazon.KeyManagementService;
        using Amazon.KeyManagementService.Model;

        **1) Encryption :-**

        AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
        // The plaintext data key travels in the GenerateDataKey/Decrypt responses,
        // so KMS must be reached over HTTPS, never plain HTTP.
        kmsConfig.UseHttp = false;
        kmsConfig.ServiceURL = serviceEndPoint; // the regional KMS HTTPS endpoint
        // create client, specifying the region endpoint via kmsConfig. Static access keys
        // are kept as in the original; on EC2/ECS an IAM role (parameterless constructor) avoids handling secrets.
        AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
        GenerateDataKeyRequest dataKeyReq = new GenerateDataKeyRequest();
        dataKeyReq.KeyId = keyARNForKMS;
        dataKeyReq.KeySpec = DataKeySpec.AES_256; // length of the data encryption key: AES_256 generates a 256-bit symmetric key
        GenerateDataKeyResponse dataKeyResponse = kmsClient.GenerateDataKey(dataKeyReq);

        // read the encrypted data key from memory; save this key together with the
        // encrypted data, because it is the only way to get the plain data key back (via KMS Decrypt)
        MemoryStream streamCipherText = dataKeyResponse.CiphertextBlob;
        string encryptedDataKey = Convert.ToBase64String(streamCipherText.ToArray());

        // read the plain data key from memory; use it to encrypt your data, then forget it
        byte[] plainDataKeyBytes = dataKeyResponse.Plaintext.ToArray();
        string plainDataKey = Convert.ToBase64String(plainDataKeyBytes);
        // your encryption logic (the poster's own AES helper, not included in the post)
        Encryption encrypt = new Encryption();
        encrypt.EncryptTextForKms(plainDataKey, "data to be encrypted");
        // do not keep the plaintext key around once the data is encrypted
        Array.Clear(plainDataKeyBytes, 0, plainDataKeyBytes.Length);
        plainDataKey = null;

        **2) Decryption :-**

        AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
        kmsConfig.UseHttp = false; // HTTPS only, see above
        kmsConfig.ServiceURL = serviceEndPoint;
        // create client, specifying the region endpoint via kmsConfig
        AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
        DecryptRequest decryptRequest = new DecryptRequest();
        // use the encryptedDataKey saved above to get the plain data key back
        MemoryStream streamEncryptedDataKey = new MemoryStream(Convert.FromBase64String(encryptedDataKey)); // convert to stream object
        decryptRequest.CiphertextBlob = streamEncryptedDataKey;
        // optional for a symmetric CMK (the blob carries the key id), but pins the decrypt to the intended key
        decryptRequest.KeyId = keyARNForKMS;
        DecryptResponse decryptResp = kmsClient.Decrypt(decryptRequest);
        byte[] plainDataKeyBytes = decryptResp.Plaintext.ToArray();
        string plainDataKey = Convert.ToBase64String(plainDataKeyBytes);
        // your decryption logic (the poster's own AES helper, not included in the post)
        DecryptTexts("encrypted data", plainDataKey);
        Array.Clear(plainDataKeyBytes, 0, plainDataKeyBytes.Length);
        plainDataKey = null;


        【Comments】:
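The envelope flow that answers 2 and 3 describe (data key from KMS, data encrypted locally, the wrapped data key stored beside the ciphertext, and decryption in reverse), written out as an added example that is not part of the original post and does not use the AWS SDK. It is in Go rather than the poster's C# so it runs offline: a hypothetical in-process `fakeKMS` stands in for KMS and holds the CMK material, and `randBytes`, `seal`, `unseal`, `zero`, `Envelope`, `EnvelopeEncrypt` and `EnvelopeDecrypt` are names chosen here. In real use the two `fakeKMS` methods are the only calls that go to AWS; everything else happens in the client, as in the C# above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randBytes draws n bytes from the OS CSPRNG (used for keys and nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects anything but a 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key, wrong aad or a tampered blob fails to verify.
func unseal(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// zero wipes key material once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// fakeKMS is a hypothetical stand-in for AWS KMS, not the AWS SDK: it maps a
// CMK ID to master key material that never leaves the "service".
type fakeKMS map[string][]byte

// GenerateDataKey mirrors KMS GenerateDataKey(AES_256): a fresh plaintext data key (use it
// locally, then discard it) and the same key wrapped under the CMK, with the CMK ID bound as AAD.
func (k fakeKMS) GenerateDataKey(cmkID string) (plain, wrapped []byte, err error) {
	cmk, ok := k[cmkID]
	if !ok {
		return nil, nil, errors.New("unknown CMK " + cmkID)
	}
	plain = randBytes(32)
	wrapped, err = seal(cmk, plain, []byte(cmkID))
	return plain, wrapped, err
}

// Decrypt mirrors KMS Decrypt: only the service holds the CMK, so this is the only way back to the plaintext data key.
func (k fakeKMS) Decrypt(cmkID string, wrapped []byte) ([]byte, error) {
	cmk, ok := k[cmkID]
	if !ok {
		return nil, errors.New("unknown CMK " + cmkID)
	}
	return unseal(cmk, wrapped, []byte(cmkID))
}

// Envelope is what the client stores: the wrapped data key, which CMK wrapped it,
// and the data it encrypted, the layout the answers describe for S3.
type Envelope struct{ CMKID string; WrappedDataKey, Ciphertext []byte }

// EnvelopeEncrypt: data key from KMS, encrypt locally, keep only the wrapped key, zero the plaintext key.
func EnvelopeEncrypt(kms fakeKMS, cmkID string, plaintext []byte) (Envelope, error) {
	plainKey, wrapped, err := kms.GenerateDataKey(cmkID)
	if err != nil {
		return Envelope{}, err
	}
	defer zero(plainKey)
	ct, err := seal(plainKey, plaintext, nil)
	return Envelope{CMKID: cmkID, WrappedDataKey: wrapped, Ciphertext: ct}, err
}

// EnvelopeDecrypt runs the steps in reverse: unwrap via KMS, then decrypt locally.
func EnvelopeDecrypt(kms fakeKMS, env Envelope) ([]byte, error) {
	plainKey, err := kms.Decrypt(env.CMKID, env.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	defer zero(plainKey)
	return unseal(plainKey, env.Ciphertext, nil)
}
```

Two details worth copying into real code: the CMK never sees the data, only the 32-byte key, which is why the 4 KB limit on KMS Encrypt is irrelevant to the data size; and binding the CMK identity to the wrapped key (here as GCM AAD, in KMS via the key id in the ciphertext blob) means a wrapped key cannot be unwrapped under a different CMK, so compromise of one CMK does not expose data keys wrapped by another. Each object gets its own data key, so two encryptions of the same record produce unrelated wrapped keys and ciphertexts.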
