Asymmetric encryption in AWS KMS

Johnny Lai
2 min read · Apr 21, 2023

Symmetric vs Asymmetric

Symmetric
1. Uses the same key for encryption and decryption
2. Less secure, because the single key cannot be shared
3. No limit on the size of the data
4. Used to encrypt data

Asymmetric
1. Two mathematically related keys: the public key encrypts and the private key decrypts
2. More secure, because the public key can be shared freely
3. Only small amounts of data can be encrypted
4. Used to encrypt another key or to create a digital signature

Steps summary
1. Create a new key pair in KMS
2. Create an alias for that key pair
3. Encrypt the file
4. Decrypt the file

Steps in detail
1. Create a new key pair in KMS

By default the create-key command generates a symmetric key, so in this case we specify the key spec "RSA_4096", one of the supported asymmetric key specs.
As mentioned, an asymmetric key can be used either to encrypt data or to generate digital signatures, so we also have to specify the key usage, in this case "ENCRYPT_DECRYPT".

aws kms create-key --key-spec RSA_4096 --key-usage ENCRYPT_DECRYPT --description asymmetric

2. Create an alias for that key pair

An alias gives the key a meaningful name. It also helps with manual rotation: the alias can be pointed at another key instead of modifying our application.

aws kms create-alias --alias-name alias/asymm-sample-key --target-key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

3. Encrypt the file

We use the ‘encrypt’ command to encrypt the file with the chosen key. The CiphertextBlob in the output is base64 encoded, so we then use certutil to decode it to binary data.

aws kms encrypt --key-id alias/asymm-sample-key --encryption-algorithm RSAES_OAEP_SHA_256 --plaintext fileb://goodbye.txt --output text --query CiphertextBlob > goodbye.txt.base64

certutil -decode goodbye.txt.base64 goodbye.txt.encrypted

4. Decrypt the file

We use the ‘decrypt’ command to decrypt the file. For an asymmetric KMS key the ciphertext does not identify the key it was encrypted under, so we pass the key and the encryption algorithm explicitly; KMS can find the right key on its own only for ciphertext produced by a symmetric key. The output is base64 encoded, and the --query tells the command to return only the ‘Plaintext’ field, which is saved into a file called ‘goodbye.txt.base64’; we then use certutil to decode it to the plaintext data.

aws kms decrypt --ciphertext-blob fileb://goodbye.txt.encrypted --encryption-algorithm RSAES_OAEP_SHA_256 --key-id alias/asymm-sample-key --output text --query Plaintext > goodbye.txt.base64

certutil -decode goodbye.txt.base64 goodbye.decrypted.txt
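As an added example (not the author's code), the following bash script wraps steps 3 and 4 into functions, adds a local size check against the RSA-OAEP plaintext limit, and verifies the round trip. It assumes the AWS CLI is configured, that the alias from step 2 exists in the current region, and uses base64 -d in place of certutil.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: steps 3 and 4 as functions with a
# local size check. Assumes a configured AWS CLI and the alias from step 2.
set -eu

KEY_ID="${KEY_ID:-alias/asymm-sample-key}"
ALGO="RSAES_OAEP_SHA_256"

# Largest plaintext RSA-OAEP can wrap: modulus_bytes - 2*hash_len - 2
# (RSA_4096 with SHA-256: 512 - 64 - 2 = 446 bytes).
max_oaep_plaintext_bytes() {  # $1 = modulus bits, $2 = SHA_1 | SHA_256
    hash_len=32
    [ "$2" = "SHA_1" ] && hash_len=20
    echo $(( $1 / 8 - 2 * hash_len - 2 ))
}

# Reject oversized input locally instead of waiting for a KMS ValidationException.
check_size() {  # $1 = file, $2 = modulus bits
    size=$(wc -c < "$1" | tr -d ' ')
    limit=$(max_oaep_plaintext_bytes "$2" "${ALGO#RSAES_OAEP_}")
    if [ "$size" -gt "$limit" ]; then
        echo "$1 is $size bytes; RSA_$2 with $ALGO accepts at most $limit" >&2
        return 1
    fi
}

# Step 3: CiphertextBlob comes back base64-encoded; base64 -d is the
# portable stand-in for certutil -decode.
encrypt_file() {  # $1 = plaintext file, $2 = ciphertext file to write
    check_size "$1" 4096
    aws kms encrypt --key-id "$KEY_ID" --encryption-algorithm "$ALGO" \
        --plaintext "fileb://$1" --output text --query CiphertextBlob > "$2.base64"
    base64 -d "$2.base64" > "$2"
}

# Step 4: an asymmetric ciphertext carries no key metadata, so --key-id and
# --encryption-algorithm are required (KMS infers them only for symmetric keys).
decrypt_file() {  # $1 = ciphertext file, $2 = plaintext file to write
    aws kms decrypt --key-id "$KEY_ID" --encryption-algorithm "$ALGO" \
        --ciphertext-blob "fileb://$1" --output text --query Plaintext > "$2.base64"
    base64 -d "$2.base64" > "$2"
}

# Round trip: encrypt, decrypt, and confirm the bytes match.
round_trip() {  # $1 = plaintext file
    encrypt_file "$1" "$1.encrypted"
    decrypt_file "$1.encrypted" "$1.decrypted"
    cmp "$1" "$1.decrypted" && echo "round-trip OK: $1"
}
```

Source the file and call `round_trip goodbye.txt`; the size check runs before any KMS call is made.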
