Easily create and control the keys used to encrypt or digitally sign your data
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
Try AWS Key Management Service
AWS Free Tier includes 20,000 free AWS Key Management Service requests each month.
Benefits
AWS Key Management Service ( AWS KMS ) A managed service that enables you to easily encrypt your data. KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services. Nov 12, 2019 If you are converting a computer from a KMS host, MAK, or retail edition of Windows to a KMS client, install the applicable setup key (GVLK) from the following tables. To install a client setup key, open an administrative command prompt on the client, type slmgr /ipk setup key and then press Enter.
Fully managed
You control access to your encrypted data by defining permissions to use keys while AWS KMS enforces your permissions and handles the durability and physical security of your keys.
Centralized key management
AWS KMS presents a single control point to manage keys and define policies consistently across integrated AWS services and your own applications. You can easily create, import, rotate, delete, and manage permissions on keys from the AWS Management Console or by using the AWS SDK or CLI.
Learn more >>
Manage encryption for AWS services
AWS KMS is integrated with AWS services to simplify using your keys to encrypt data across your AWS workloads. You choose the level of access control that you need, including the ability to share encrypted resources between accounts and services. KMS logs all use of keys to AWS CloudTrail to give you an independent view of who accessed your encrypted data, including AWS services using them on your behalf.
Learn more >>
Encrypt data in your applications
AWS KMS is integrated with the AWS Encryption SDK to enable you to used KMS-protected data encryption keys to encrypt locally within your applications. Using simple APIs you can also build encryption and key management into your own applications wherever they run.
Learn more >>
Digitally sign data
AWS KMS enables you to perform digital signing operations using asymmetric key pairs to ensure the integrity of your data. Recipients of digitally signed data can verify the signatures whether they have an AWS account or not.
Learn more >>
Low cost
There is no commitment and no upfront charges to use AWS KMS. You only pay US $1/month to store any key that you create. AWS managed keys that are created on your behalf by AWS services are free to store. You are charged per-request when you use or manage your keys beyond the free tier.
Learn more >>
Secure
AWS KMS uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to generate and protect keys. Your keys are only used inside these devices and can never leave them unencrypted. KMS keys are never shared outside the AWS region in which they were created.
Learn more >>
Compliance
The security and quality controls in AWS KMS have been certified under multiple compliance schemes to simplify your own compliance obligations. AWS KMS provides the option to store your keys in single-tenant HSMs in AWS CloudHSM instances that you control.
Learn more >>
Built-in auditing
AWS KMS is integrated with AWS CloudTrail to record all API requests, including key management actions and usage of your keys. Logging API requests helps you manage risk, meet compliance requirements and conduct forensic analysis.
Learn more >>
Blog posts & articles
Read about AWS Key Management Service security, compliance, and availability.
Learn more Instantly get access to the AWS Free Tier.
Sign up Get started building with AWS Key Management Service in the AWS Console.
Sign in The example program uses AWS KMS keys to encrypt and decrypt a file.
A master key, also called a Customer Master Key or CMK, is created and used to generate a data key.The data key is then used to encrypt a disk file. The encrypted data key is stored withinthe encrypted file. To decrypt the file, the data key is decrypted and then used to decryptthe rest of the file. This manner of using master and data keys is called envelope encryption.
To encrypt and decrypt data, the example uses the well-known Python cryptography package.This package is not part of the Python standard library and must be installed separately, forexample, with the pip command.
Each section describes a single function from the example's entiresource file.
Retrieve an Existing Master Key¶
Master keys are created, managed, and stored within AWS KMS. A KMS master key is also referred toas a customer master key or CMK. An AWS storage cost is incurred for each CMK, therefore, one CMK isoften used to manage multiple data keys.
Generate Data Key From Kms Pdf
The example retrieve_cmk function searches for an existing CMK. A key description is specifiedwhen a CMK is created, and this description is used to identify and retrieve the desired key. Ifmany CMKs exist, they are processed in batches until either the desired key is found or all keys areexamined.
If the example function finds the desired CMK, it returns both the CMK's ID and its ARN (AmazonResource Name). Either of these identifiers can be used to reference the CMK in subsequent callsto AWS KMS methods.
Create a Customer Master Key¶
If the example does not find an existing CMK, it creates a new one and returns its ID and ARN.
Create a Data Key¶
Generate Data Key Kms
To encrypt a file, the example create_data_key function creates a data key. The data key iscustomer managed and does not incur an AWS storage cost. The example creates a data key foreach file it encrypts, but it's possible to use a single data key to encrypt multiple files.
Generate Kms Key
The example function returns the data key in both its plaintext and encrypted forms. Theplaintext form is used to encrypt the data. The encrypted form will be stored with the encryptedfile. The data key is associated with a CMK which is capable of decrypting the encrypted data keywhen necessary.
Encrypt a File¶
The encrypt_file function creates a data key and uses it to encrypt the contents of a disk file.
The encryption operation is performed by a Fernet object created by the Python cryptographypackage.
The encrypted form of the data key is saved within the encrypted file and will be used in the futureto decrypt the file. The encrypted file can be decrypted by any program with the credentials todecrypt the encrypted data key.
Decrypt a Data Key¶
To decrypt an encrypted file, the encrypted data key used to perform the encryption must firstbe decrypted. This operation is performed by the example decrypt_data_key function which returnsthe plaintext form of the key.
Decrypt a File¶
The example decrypt_file function first extracts the encrypted data key from the encrypted file. Itthen decrypts the key to get its plaintext form and uses that to decrypt the file contents.
The decryption operation is performed by a Fernet object created by the Python cryptographypackage.