This activity will demonstrate how to encrypt and decrypt data using AWS KMS via the AWS CLI on a Windows machine.
A Windows environment with AWS CLI installed and configured with appropriate credentials.
Permissions to create and manage KMS keys in your AWS account.
The OpenSSL utility installed on your Windows machine. The OpenSSL project does not publish Windows binaries itself; use a build from a trusted third-party distributor (the OpenSSL wiki lists several) and verify the download before installing it.
Run the following PowerShell command to create a Customer Managed Key (CMK) in AWS KMS:
aws kms create-key --description "apper-demo" --region ap-southeast-1
Note: The output of this command contains the KeyId (and Arn) of the new key; you'll need the KeyId later.

To make the CMK easier to reference, create an alias. Replace <key-id-here> with the KeyId from the previous step.
aws kms create-alias --target-key-id <key-id-here> --alias-name "alias/apper-demo" --region ap-southeast-1

Navigate to the AWS KMS console (or run aws kms list-aliases --region ap-southeast-1) to confirm that alias/apper-demo is associated with the new CMK.
Run this PowerShell command to generate a data key using your CMK:
aws kms generate-data-key --key-id alias/apper-demo --key-spec AES_256 --region ap-southeast-1

The response will include:
Plaintext: the unencrypted 256-bit data key (base64-encoded).
CiphertextBlob: the same data key encrypted under the CMK (base64-encoded).
KeyId: the ARN of the CMK that encrypted it.

Important: KMS does not store data keys. The Plaintext value exists only in this response, so save it before continuing; if it is lost, the only way to recover it is to send the CiphertextBlob to kms decrypt, as the decryption steps below do.
Save the CiphertextBlob to a file. Replace <ciphertext-blob> with the value from the previous step. (Pass the value as a plain string; wrapping it in $( ) as a subexpression would make PowerShell try to execute the base64 text as a command.)

"<ciphertext-blob>" | Out-File -FilePath datakey_ciphertext_base64.txt -Encoding ascii

Save the Plaintext to a file. Replace <plaintext> with the Plaintext value from the same generate-data-key response.

"<plaintext>" | Out-File -FilePath datakey_plaintext_base64.txt -Encoding ascii

We need to decode the base64-encoded plaintext key. On Windows, we'll use certutil.
certutil -decode datakey_plaintext_base64.txt datakey_plaintext_decoded.txt

This creates a file named datakey_plaintext_decoded.txt containing the raw, decoded 32-byte plaintext key.
First, create a new text file named message.txt with the secret message: "This is a confidential message and should be encrypted".
Next, use OpenSSL to encrypt the message file with the decoded plaintext key. The -pass file: option reads the first line of the named file and uses it as a passphrase; with -pbkdf2, OpenSSL then derives the actual AES key and IV from that passphrase plus a random salt (written to the output after a "Salted__" header). So in this command the KMS data key acts as a passphrase, not directly as the AES key. Two caveats follow from that: OpenSSL handles the passphrase as a C string, so if the 32 random key bytes happen to contain a 0x0A or 0x00 byte the passphrase is cut off there (encryption and decryption truncate identically, so the round trip still works, but with less key material than you intended); and if you want the data key used as the AES key itself, pass it in hex with -K and supply an -iv instead of using -pass.

openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -pass file:./datakey_plaintext_decoded.txt -in message.txt -out secret_message.txt

This creates secret_message.txt, which contains the encrypted data (binary, despite the .txt extension).
For security, delete the plaintext files you no longer need. Note that Remove-Item only unlinks the files; on ordinary disks the bytes can remain recoverable until overwritten, which is one reason to avoid writing a plaintext data key to disk at all where you can.

Remove-Item datakey_plaintext_base64.txt, datakey_plaintext_decoded.txt, message.txt

Decode the base64-encoded ciphertext blob from the file datakey_ciphertext_base64.txt created earlier.

certutil -decode datakey_ciphertext_base64.txt datakey_ciphertext_decoded.txt

This creates datakey_ciphertext_decoded.txt containing the decoded (binary) ciphertext blob.
Retrieve the plaintext key by asking KMS to decrypt the ciphertext blob with the CMK. No --key-id is needed: the blob carries the identity of the symmetric CMK that encrypted it, and KMS uses that (the caller still needs kms:Decrypt permission on that key).

aws kms decrypt --ciphertext-blob fileb://datakey_ciphertext_decoded.txt --region ap-southeast-1

The output will again contain the Plaintext key, along with the KeyId it was decrypted under.
Repeat the save-and-decode steps from the encryption phase to store and decode the plaintext you just retrieved:

Save the Plaintext from the previous step to a new file.

"<plaintext-from-decrypt>" | Out-File -FilePath datakey_plaintext_base64.txt -Encoding ascii

Decode it using certutil.

certutil -decode datakey_plaintext_base64.txt datakey_plaintext_decoded.txt

Decrypt the encrypted message file using the decoded plaintext key.

openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -pass file:./datakey_plaintext_decoded.txt -in secret_message.txt

Without -out, the decrypted data goes to standard output, so this command prints the original message: "This is a confidential message and should be encrypted". If the wrong key is supplied, OpenSSL usually reports "bad decrypt" from the padding check; CBC offers no stronger integrity guarantee than that.
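The whole round trip above, as an added worked example (not code from the original activity): a PowerShell script that performs the same KMS envelope encryption but keeps the plaintext data key in memory, so there is nothing to certutil-decode or Remove-Item afterwards. It uses .NET's AES-256-CBC in place of the openssl enc call, feeding the 32 key bytes in directly rather than as a PBKDF2 passphrase, and stores the CiphertextBlob alongside the ciphertext so the encrypted file is self-describing. The alias and region are reused from the activity; the function names, the temp-file handoff to the CLI and the output file layout are this example's own assumptions.

```powershell
# Added example, not part of the original activity: KMS envelope encryption from
# PowerShell with the plaintext data key held only in memory.
# Assumptions: AWS CLI v2 is on PATH with credentials, and the symmetric CMK
# alias/apper-demo exists in ap-southeast-1 (names reused from the activity).
$Region = 'ap-southeast-1'
$KeyId  = 'alias/apper-demo'

function Invoke-AwsJson {
    # Runs one AWS CLI command and parses its JSON output; throws if the CLI failed.
    param([string[]]$CliArgs)
    $lines = & aws @CliArgs --output json --region $Region
    if ($LASTEXITCODE -ne 0) { throw "aws $($CliArgs -join ' ') failed (exit $LASTEXITCODE)" }
    return (($lines -join "`n") | ConvertFrom-Json)
}

function New-AesCbc {
    # AES-256-CBC/PKCS7 bound to the raw data key: the same cipher the activity's
    # openssl command uses, but the key bytes are used as-is, not as a passphrase.
    param([byte[]]$Key, [byte[]]$IV)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    if ($IV) { $aes.IV = $IV } else { $aes.GenerateIV() }   # fresh random IV per file
    return $aes
}

function Protect-FileWithKms {
    param([string]$InPath, [string]$OutPath)
    $dk = Invoke-AwsJson @('kms', 'generate-data-key', '--key-id', $KeyId, '--key-spec', 'AES_256')
    $keyBytes  = [Convert]::FromBase64String($dk.Plaintext)       # 32-byte AES key, memory only
    $blobBytes = [Convert]::FromBase64String($dk.CiphertextBlob)  # same key, wrapped by the CMK
    try {
        $aes    = New-AesCbc -Key $keyBytes
        $plain  = [IO.File]::ReadAllBytes($InPath)
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
        # Output layout (this example's choice): [4-byte blob length][CiphertextBlob][16-byte IV][ciphertext].
        # Keeping the wrapped key with the data means decryption needs only this file plus KMS.
        $ms = [IO.MemoryStream]::new()
        $w  = [IO.BinaryWriter]::new($ms)
        $w.Write([int32]$blobBytes.Length); $w.Write($blobBytes); $w.Write($aes.IV); $w.Write($cipher)
        $w.Flush()
        [IO.File]::WriteAllBytes($OutPath, $ms.ToArray())
    } finally {
        [Array]::Clear($keyBytes, 0, $keyBytes.Length)   # scrub the plaintext key
        if ($aes) { $aes.Dispose() }
    }
}

function Unprotect-FileWithKms {
    param([string]$InPath)
    $bytes     = [IO.File]::ReadAllBytes($InPath)
    $r         = [IO.BinaryReader]::new([IO.MemoryStream]::new($bytes))
    $blobBytes = $r.ReadBytes($r.ReadInt32())
    $iv        = $r.ReadBytes(16)
    $cipher    = $r.ReadBytes($bytes.Length - 4 - $blobBytes.Length - 16)
    # Only the wrapped key touches disk (it is ciphertext); KMS identifies the CMK from the blob.
    $tmp = [IO.Path]::GetTempFileName()
    try {
        [IO.File]::WriteAllBytes($tmp, $blobBytes)
        $resp = Invoke-AwsJson @('kms', 'decrypt', '--ciphertext-blob', "fileb://$tmp")
    } finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
    $keyBytes = [Convert]::FromBase64String($resp.Plaintext)
    try {
        $aes   = New-AesCbc -Key $keyBytes -IV $iv
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        return [Text.Encoding]::UTF8.GetString($plain)
    } finally {
        [Array]::Clear($keyBytes, 0, $keyBytes.Length)
        if ($aes) { $aes.Dispose() }
    }
}

# Usage, with the activity's message:
Set-Content -Path message.txt -Value 'This is a confidential message and should be encrypted' -NoNewline
Protect-FileWithKms -InPath message.txt -OutPath secret_message.bin
Unprotect-FileWithKms -InPath secret_message.bin   # returns the original message
```

Like the openssl version, this is CBC with no integrity check: a tampered file decrypts to garbage or fails only on padding. For real data, use an authenticated mode (the AesGcm class on PowerShell 7) or let the AWS Encryption SDK handle the envelope format and key wrapping for you.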
To clean up your AWS resources, schedule the CMK for deletion. Replace <key-id-here> with your CMK's KeyId. The pending window must be between 7 and 30 days; during that period the key cannot be used, but aws kms cancel-key-deletion can restore it.

aws kms schedule-key-deletion --key-id <key-id-here> --pending-window-in-days 7 --region ap-southeast-1

Removing the alias is optional: when the key is finally deleted its aliases are removed with it. Deleting the alias now simply frees the name alias/apper-demo for reuse before the waiting period ends.

aws kms delete-alias --alias-name alias/apper-demo --region ap-southeast-1