AWS SDK vs AWS Encryption SDK

AWS SDK

The AWS SDK helps you build applications on AWS by calling AWS APIs from your favorite programming language (Python, Node.js, Ruby, Java, C#, Rust, Go, and more).


AWS Encryption SDK

The AWS Encryption SDK is different from the commonly used AWS SDK: it comes with its own API to ease the process of data encryption and decryption. Though it is a client-side library, it can interact with the AWS KMS service just like we would with the AWS SDK above.


Encryption with AWS

Key Management Service, aka KMS, provides encryption at different levels: at the disk level to encrypt the EBS volumes of your EC2 instances, RDS instances or other provisioned compute services, and inside many (all of them?) AWS managed services for data encryption. S3 and DynamoDB are two great examples of services storing data encrypted at rest.

Why would we need an encryption SDK?

As we just said, AWS KMS can perform encryption operations with almost all AWS services where customer data is stored (aka encryption at rest) or transmitted (aka encryption in transit).

So why would we need an encryption SDK if our data is already safe? There are several reasons for that; one is compliance.

A typical example of a data protection regulation requirement:
Data should be encrypted in transit, at rest, and at the application level, including any column of a SQL-like database that contains sensitive information, so that even a database administrator with full privileges cannot retrieve it in clear.

Among other practical reasons to use the Encryption SDK, if you:

  • Need to perform data encryption natively at the application level
  • Don’t have previous experience with encryption but you need to follow best practices
  • Have experience with data encryption and need a client library to avoid reinventing the wheel
  • Have to handle intensive encryption/decryption workloads. The AWS Encryption SDK provides cryptographic materials caching, so you don't need to query AWS KMS for every encryption/decryption operation. From a performance perspective this is a must, and it's also good to remember that AWS APIs can throttle you if you query them too much.

Read more about quotas here: https://docs.aws.amazon.com/kms/latest/developerguide/throttling.html


Caching cryptographic materials - Is it really safe?

Remember that rotating your KMS CMK won't save you from a data key that has been leaked: every message encrypted under a cached data key stays readable with that key, whatever the CMK rotation schedule. Read more here: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html


Usage with Python

Here is a code snippet showing how to encrypt data within a Python script with cryptographic materials caching.

First we need to install the AWS Encryption SDK for Python with the pip package manager:

 $ pip install aws-encryption-sdk 

Then we create a file named sdk-demo.py (call it whatever you like).

Let's start with our library imports and the initialization of our encryption client:

 import aws_encryption_sdk
 from aws_encryption_sdk.identifiers import CommitmentPolicy

 client = aws_encryption_sdk.EncryptionSDKClient(
     commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
 )

Then we declare our KMS master key provider; replace the KMS key ARN with yours:

 kms_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(key_ids=[
     'arn:aws:kms:us-east-1:xxxxxxxxx:key/xxxxxx-xxxxxx-xxxxx-xxxxxxxx'
 ])

Then we create the caching cryptographic materials manager like this, where:

  • LocalCryptoMaterialsCache(10) sets the maximum number of entries the cache retains; please also note this is an LRU cache.
  • max_age=60.0 is the maximum age in seconds an entry is kept in the cache
  • max_messages_encrypted=100 is the maximum number of messages that can be encrypted with one cached data key

Let's do it:

 cache = aws_encryption_sdk.LocalCryptoMaterialsCache(10)

 caching_cmm = aws_encryption_sdk.CachingCryptoMaterialsManager(
     master_key_provider=kms_key_provider,
     cache=cache,
     max_age=60.0,
     max_messages_encrypted=100,
 )

Now let's see how we encrypt data:

 my_data = b'Very secret data i need to encrypt'

 encrypted_data, encryptor_header = client.encrypt(
     source=my_data,
     materials_manager=caching_cmm
 )

That's it: our variable encrypted_data now contains encrypted data that we can store somewhere, such as a dedicated database column or a key-value store.

Now, to retrieve our data, the decryption operation goes like this:

 decrypted_data, decryptor_header = client.decrypt(
     source=encrypted_data,
     materials_manager=caching_cmm
 )

Finally we check our data is back:

 print(decrypted_data)
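To make the three cache rules above (LRU capacity, max_age, max_messages_encrypted) and the "is it really safe?" question concrete, here is an added example in plain Python that models the caching behaviour without talking to KMS. It is not the SDK's own code: the cache key is a simplified stand-in for the SDK's partitioning, the "KMS call" just draws random bytes, and the clock is injectable so the age rule can be exercised without waiting.

```python
import os
import time
from collections import OrderedDict


class LocalCacheModel:
    """Model of LocalCryptoMaterialsCache(n): an LRU cache holding at most n entries."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._entries = OrderedDict()

    def get(self, key):
        entry = self._entries.get(key)
        if entry is not None:
            self._entries.move_to_end(key)  # mark as most recently used
        return entry

    def put(self, key, entry):
        self._entries[key] = entry
        self._entries.move_to_end(key)
        if len(self._entries) > self.capacity:
            self._entries.popitem(last=False)  # evict the least recently used entry


class CachingCMMModel:
    """Model of the caching CMM: reuse one data key until max_age or max_messages_encrypted."""

    def __init__(self, cache, max_age, max_messages_encrypted, clock=time.monotonic):
        self.cache = cache
        self.max_age = max_age
        self.max_messages_encrypted = max_messages_encrypted
        self.clock = clock
        self.kms_calls = 0  # stands in for GenerateDataKey requests sent to KMS
        self.serial = 0     # identifies each data key issued (constructed for the demo)

    def get_encryption_materials(self, cache_key):
        entry = self.cache.get(cache_key)
        if entry is not None:
            expired = (self.clock() - entry["created"] > self.max_age
                       or entry["messages"] >= self.max_messages_encrypted)
            if not expired:
                entry["messages"] += 1
                return entry["serial"], entry["data_key"]
        # Cache miss or retired entry: fetch a fresh data key (random bytes here, KMS in reality).
        self.kms_calls += 1
        self.serial += 1
        entry = {"serial": self.serial, "data_key": os.urandom(32),
                 "created": self.clock(), "messages": 1}
        self.cache.put(cache_key, entry)
        return entry["serial"], entry["data_key"]
```

With max_messages_encrypted=100, 250 encryptions cost three data-key fetches instead of 250, and every one of the first 100 messages shares data key 1, which is exactly what a leaked data key exposes regardless of CMK rotation.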

Read more about the Encryption SDK with AWS

AWS SDK: https://aws.amazon.com/tools/

AWS Encryption SDK: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html

AWS Encryption SDK for Python: https://aws-encryption-sdk-python.readthedocs.io/