10 Comments

  1. 1

    GMan

    In your Python code, you generated “data_key” but never used it, other than printing the key out. Do you need to generate the “data_key” so that KMS has a data key registered for use during kms.encrypt() ? If you didn’t generate the data_key, would your code fail to work correctly?

    1. 1.1

      Onur SALK

      Hi,

      It’s enough to generate the data_key. You can find the details here.

      1. 1.1.1

        Nandeesh

        From the above example, how do I extract the data from the plaintext (like -> Very secret message!!) in Python?

        1. 1.1.1.1

          Onur SALK

          Can you explain your question?

  2. Pingback: AWS Week in Review – May 25, 2015 | wart1949

  5. 2

    Paul Pieralde

    You are simply encrypting/decrypting ‘message’ against your CMK, which is fine for messages up to 4 KB.

    Your Data Key should be used for envelope encryption.

    The AWS docs recommend to:
    1) generate a data key which is encrypted against your CMK
    2) get the plaintext key from the response
    3) locally encrypt your message against the plaintext key
    4) throw away the plaintext key
    5) store the encrypted message and the CiphertextBlob next to each other.

    To decrypt your data, pass the CiphertextBlob back to the KMS decrypt() method and get the plaintext key out of the response. Locally decrypt your message. Throw away the plaintext key.

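The five-step envelope procedure from the comment above, carried through as an added example (this is not code from the post, from the commenter, or from AWS). `envelope_encrypt` and `envelope_decrypt` rely only on the response shape boto3's KMS client returns (`Plaintext` and `CiphertextBlob` keys), so a real `boto3.client("kms")` can be passed in place of `FakeKMS`. `FakeKMS`, the key id `alias/demo`, and the HMAC-SHA256 encrypt-then-MAC local cipher are assumptions chosen so the example runs offline with the standard library; in production the local cipher should be AES-GCM (for example `AESGCM` from the `cryptography` package). The message is deliberately larger than the 4 KB that `kms.encrypt()` accepts, which is the case envelope encryption exists for.

```python
"""Envelope encryption around a KMS-style generate_data_key / decrypt pair.
Added example, not code from the original post or from AWS. FakeKMS, the key id
'alias/demo' and the HMAC-based local cipher are stand-ins so this runs offline."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def local_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate derived keys. Layout: nonce || ciphertext || tag.
    Use AES-GCM from the `cryptography` package in production instead of this."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def local_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob modified or wrong key")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class FakeKMS:
    """Offline stand-in for boto3.client('kms'). The master key never leaves this
    object, mirroring how the CMK never leaves KMS; only wrapped data keys do."""

    def __init__(self) -> None:
        self._master = os.urandom(32)  # stands in for the CMK

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        if KeySpec != "AES_256":
            raise ValueError("only AES_256 is modelled here")
        data_key = os.urandom(32)
        return {"KeyId": KeyId, "Plaintext": data_key,
                "CiphertextBlob": local_encrypt(self._master, data_key)}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        return {"Plaintext": local_decrypt(self._master, CiphertextBlob)}


def envelope_encrypt(kms, key_id: str, message: bytes) -> dict:
    """Steps 1-5 of the procedure: one KMS call, any message size."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")  # 1: data key wrapped under the CMK
    data_key = resp["Plaintext"]                                   # 2: plaintext key from the response
    ciphertext = local_encrypt(data_key, message)                  # 3: encrypt locally, KMS never sees the message
    del data_key                                                   # 4: drop the plaintext key; never persist it
    return {"ciphertext": ciphertext,                              # 5: store both side by side
            "encrypted_data_key": resp["CiphertextBlob"]}


def envelope_decrypt(kms, record: dict) -> bytes:
    """KMS unwraps the stored CiphertextBlob; the message is decrypted locally."""
    data_key = kms.decrypt(CiphertextBlob=record["encrypted_data_key"])["Plaintext"]
    try:
        return local_decrypt(data_key, record["ciphertext"])
    finally:
        del data_key


def tampered(record: dict) -> dict:
    """Flip one ciphertext bit: decryption must fail instead of returning garbage."""
    ct = bytearray(record["ciphertext"])
    ct[NONCE_LEN] ^= 0x01
    return {"ciphertext": bytes(ct), "encrypted_data_key": record["encrypted_data_key"]}


if __name__ == "__main__":
    kms = FakeKMS()                             # real use: kms = boto3.client("kms")
    message = b"Very secret message!! " * 500   # about 11 KB, beyond the 4 KB Encrypt limit
    record = envelope_encrypt(kms, "alias/demo", message)
    assert envelope_decrypt(kms, record) == message
    try:
        envelope_decrypt(kms, tampered(record))
    except ValueError as exc:
        print("tamper detected:", exc)
```

Two things worth noting in the flow: the plaintext data key exists only inside the two functions and is never written next to the ciphertext, and the message itself never crosses the wire to KMS, only the wrapped key does. With the real client, `kms.decrypt` also returns the `KeyId` the blob was wrapped under, which is worth checking against the key you expect before trusting the result.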
  6. 3

    morgan brickley (@morganbrickley)

    Hi Onur,

    encrypt and decrypt don’t use the data key, regardless of whether you’ve called generate_data_key(). They always call directly to the KMS service. To see this in action add

    boto3.set_stream_logger(name='botocore')

    to your script … and you’ll see the HTTP request traffic.

    1. 3.1

      Onur SALK

      Hi Morgan,

      You’re right, only encrypt and decrypt are enough. Thanks for informing!
