AWS KMS

View original Gist on GitHub

AWS KMS.md

Thanks to Steven Jack for helping me understand this

The individual parts of AWS KMS are:

master key
encryptor key (encrypted and unencrypted forms)
app’s private key

Note: the “encryptor” is a key used to encrypt our private key

Here is a simple example to demonstrate the workflow:

Create a master key in KMS (how you do this is up to you: SDK, CLI, Console)
Locally (via the AWS cli tool or maybe even via a CI) call GenerateDataKey
When making this call: pass the name of the “master key” in KMS to use
This results in a temp key B (in both unencrypted and encrypted form) being provided
We can now encrypt key A using the unencrypted B key
We can discard both the unencrypted A and B keys (as we now have encrypted versions)
We can bake the encrypted keys (A and B) into our application (as they’re encrypted)
When our app needs to use key A, it needs to decrypt it
Our app uses KMS to decrypt the B key
Our app then uses the resulting unencrypted B key to decrypt our A encrypted key

Further comments from Steven Jack:

Imagine we have a Jenkins CI job that runs every week.
It has IAM perms to call GenerateDataKey for a specific master key.

Each week it generates a new random hash for the DB password,
get’s the temp encryption key,
encrypts it and pushes both the parts needed into a Kubernetes secrets store.

Once that’s done we simply re-deploy the containers, done.

The app has decrypt perms for that master key and on boot
give the param it has from the secrets store and get back
the unencrypted key and decrypt its secret, then uses it.