

  1. 1


    In your Python code, you generated “data_key” but never used it, other than printing the key out. Do you need to generate the “data_key” so that KMS has a data key registered for use during kms.encrypt() ? If you didn’t generate the data_key, would your code fail to work correctly?

    1. 1.1

      Onur SALK


      It’s enough to generate the data_key. You can find the details here

      1. 1.1.1


        From the above example, how do I extract the data from the plaintext, like -> Very secret message!!

        in Python?


          Onur SALK

          Can you explain your question?


  5. 2

    Paul Pieralde

    You are simply encrypting/decrypting 'message' against your CMK, which is fine for messages up to 4 KB.

    Your Data Key should be used for envelope encryption.

    The AWS docs recommend to:
    1) generate a data key which is encrypted against your CMK
    2) get the plaintext key from the response
    3) locally encrypt your message against the plaintext key
    4) throw away the plaintext key
    5) store the encrypted message and the CiphertextBlob next to each other.

    To decrypt your data, pass the CiphertextBlob back to the KMS decrypt() method and get the plaintext key out of the response. Locally decrypt your message. Throw away the plaintext key.
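The five-step flow above, carried through end to end as an added example (this is not the blog author's script and not the AWS SDK): a stand-in `FakeKMS` class exposes `generate_data_key`, `decrypt` and a size-limited `encrypt` with the same response shapes as boto3's KMS client, so the envelope logic runs offline. The local cipher is a stdlib-only stand-in (HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC); in a real deployment you would use an AEAD such as AES-GCM with the data key, and `boto3.client('kms')` in place of the fake. The key ARN is a placeholder.

```python
"""Envelope encryption against a KMS-style client (added example)."""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """Expand HMAC-SHA256(key, nonce || counter) into `length` bytes of keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def local_encrypt(key, plaintext):
    """Stand-in for an AEAD: XOR with keystream, then MAC. Returns nonce||ct||tag."""
    nonce = os.urandom(16)
    enc_key = hashlib.sha256(b"enc" + key).digest()   # split the key into two roles
    mac_key = hashlib.sha256(b"mac" + key).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def local_decrypt(key, blob):
    """Verify the tag before touching the ciphertext; raises ValueError on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKMS:
    """Mimics the subset of boto3's KMS client that envelope encryption needs."""

    def __init__(self):
        self._cmk = os.urandom(32)   # the CMK never leaves this object, as in real KMS
        self.key_id = "arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER"

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        # Step 1: a fresh data key, returned both in the clear and wrapped by the CMK
        plaintext_key = os.urandom(32)
        return {"Plaintext": plaintext_key,
                "CiphertextBlob": local_encrypt(self._cmk, plaintext_key),
                "KeyId": self.key_id}

    def decrypt(self, CiphertextBlob):
        return {"Plaintext": local_decrypt(self._cmk, CiphertextBlob), "KeyId": self.key_id}

    def encrypt(self, KeyId, Plaintext):
        # Real KMS Encrypt caps Plaintext at 4096 bytes (it raises a ValidationException);
        # that limit is why bulk data goes through a data key instead.
        if len(Plaintext) > 4096:
            raise ValueError("KMS Encrypt accepts at most 4096 bytes of plaintext")
        return {"CiphertextBlob": local_encrypt(self._cmk, Plaintext), "KeyId": self.key_id}


def envelope_encrypt(kms, key_id, message):
    """Steps 1-5: data key -> local encrypt -> drop plaintext key -> store ct + blob together."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")   # step 1
    data_key = resp["Plaintext"]                                     # step 2
    try:
        ciphertext = local_encrypt(data_key, message)                # step 3
    finally:
        del data_key                                                 # step 4 (best effort in Python)
    return {"ciphertext": ciphertext, "encrypted_key": resp["CiphertextBlob"]}   # step 5


def envelope_decrypt(kms, record):
    """Unwrap the data key via KMS, decrypt locally, discard the plaintext key again."""
    data_key = kms.decrypt(CiphertextBlob=record["encrypted_key"])["Plaintext"]
    try:
        return local_decrypt(data_key, record["ciphertext"])
    finally:
        del data_key


if __name__ == "__main__":
    kms = FakeKMS()
    record = envelope_encrypt(kms, kms.key_id, b"Very secret message!!")
    print(envelope_decrypt(kms, record))
```

Note that `del data_key` only drops the reference; CPython gives no guarantee the bytes are wiped, so the real control is keeping the plaintext key's lifetime as short as this function scope and never logging or persisting it. The stored record holds only the ciphertext and the wrapped key; an attacker with the record but no KMS `Decrypt` permission on the CMK gets nothing.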

  6. 3

    morgan brickley (@morganbrickley)

    Hi Onur,

    encrypt and decrypt don’t use the data key, regardless of whether you’ve called generate_data_key(). They always call directly to the KMS service. To see this in action add


    to your script … and you’ll see the HTTP request traffic.

    1. 3.1

      Onur SALK

      Hi Morgan,

      You're right, only encrypt and decrypt are enough. Thanks for informing!

  7. 4


    How do I get the key IDs of only customer managed keys?
    I am trying to get the count of customer managed keys.
    I have written code to get the count:

    # conn is an existing KMS client; list_keys() returns a dict whose "Keys"
    # entry is a list of {"KeyId": ..., "KeyArn": ...} for every listed key
    resp = conn.list_keys()
    kms_count = resp["Keys"]
    print("kms" + str(len(kms_count)))

    but I am getting the count of both AWS and customer managed keys.
    Can you help here?
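One way to answer this, as an added example (not the commenter's code and not the AWS SDK): `ListKeys` returns every key the caller can see, AWS managed ones included, and pages its results, so the filter has to come from `DescribeKey`, whose `KeyMetadata.KeyManager` is `"CUSTOMER"` for customer managed keys and `"AWS"` for AWS managed ones. The `FakeKmsListing` client below returns the same response shapes as boto3 (`Keys`, `Truncated`, `NextMarker`, `KeyMetadata`) over a constructed set of key IDs so the logic runs offline; with real AWS you would pass `boto3.client('kms')` instead (boto3 also offers `get_paginator('list_keys')` for the paging loop).

```python
"""Count only customer managed KMS keys, following pagination (added example)."""


def iter_all_key_ids(kms):
    """Yield every KeyId from ListKeys, following Truncated/NextMarker across pages."""
    kwargs = {}
    while True:
        resp = kms.list_keys(**kwargs)
        for entry in resp["Keys"]:
            yield entry["KeyId"]
        if not resp.get("Truncated"):
            return
        kwargs = {"Marker": resp["NextMarker"]}


def customer_managed_key_ids(kms):
    """Keep only keys whose KeyManager is CUSTOMER (one DescribeKey call per key)."""
    return [kid for kid in iter_all_key_ids(kms)
            if kms.describe_key(KeyId=kid)["KeyMetadata"]["KeyManager"] == "CUSTOMER"]


def count_customer_managed_keys(kms):
    return len(customer_managed_key_ids(kms))


class FakeKmsListing:
    """Stand-in for boto3's KMS client: pages ListKeys and answers DescribeKey."""

    def __init__(self, keys, page_size=2):
        self._keys = keys            # list of (key_id, key_manager), constructed sample data
        self._page_size = page_size

    def list_keys(self, Marker=None, Limit=None):
        start = int(Marker) if Marker else 0
        end = start + (Limit or self._page_size)
        page = self._keys[start:end]
        resp = {"Keys": [{"KeyId": kid,
                          "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/" + kid}
                         for kid, _ in page]}
        if end < len(self._keys):
            resp["Truncated"] = True
            resp["NextMarker"] = str(end)   # real markers are opaque; an offset suffices here
        else:
            resp["Truncated"] = False
        return resp

    def describe_key(self, KeyId):
        manager = dict(self._keys)[KeyId]
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": manager}}


# Constructed sample: three customer managed keys interleaved with two AWS managed ones.
SAMPLE_KEYS = [
    ("key-0001", "CUSTOMER"),
    ("key-0002", "AWS"),
    ("key-0003", "CUSTOMER"),
    ("key-0004", "AWS"),
    ("key-0005", "CUSTOMER"),
]


if __name__ == "__main__":
    kms = FakeKmsListing(SAMPLE_KEYS)
    print("kms " + str(count_customer_managed_keys(kms)))
```

The page size of two forces three `ListKeys` calls over the five sample keys, which is the case the original `len(resp["Keys"])` misses once an account has more keys than one page returns.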

