AWS KMS Encryption and Decryption Process

Encrypt and Decrypt Process for AWS KMS


Question

You are developing a Java-based application that needs to make use of the AWS KMS service for encryption.

Which of the following must be done for the encryption and decryption process? Choose 2 answers from the options given below.

Explanations

Answer - B and D.

The AWS Documentation mentions the following.

The AWS Encryption SDK is a client-side encryption library that makes it easier for you to implement cryptography best practices in your application.

It includes secure default behaviour for developers who are not encryption experts, while being flexible enough to work for the most experienced users.

Options A and C are incorrect because the customer master key (now called a KMS key) should not be used to encrypt or decrypt the application data directly. The KMS Encrypt and Decrypt API operations accept at most 4 KB of plaintext per call and cost a round trip to the service every time; they are meant for small secrets such as data keys, not for bulk data.

In the AWS Encryption SDK, a new data key is generated for each encryption operation by default, so the master key only ever encrypts data keys.

For more information on the Encryption SDK, please refer to the below URL-

https://docs.aws.amazon.com/kms/latest/developerguide/programming-top.html

Note:

AWS Docs Says.

"When you encrypt your data, your data is protected, but you have to protect your encryption key.

One strategy is to encrypt it.

Envelope encryption is the practice of encrypting plaintext data with a data key and then encrypting the data key under another key.

You can even encrypt the data encryption key under another encryption key and encrypt that encryption key with another encryption key.

But, eventually, one key must remain in plaintext so you can decrypt the keys and your data.

This top-level plaintext key encryption key is known as the master key."

For more information on the enveloping, please refer to the below URL-

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping

AWS Key Management Service (KMS) is a managed service that lets you create and control the encryption keys used to protect your data. You can use it to encrypt and decrypt data at rest and in transit in many AWS services and in your own applications.

When an application uses AWS KMS for encryption and decryption, two steps are required:

  1. Generate a Data Encryption Key (DEK): call GenerateDataKey on the customer master key. KMS returns the DEK twice, once in plaintext and once encrypted under the master key. The plaintext DEK encrypts the data locally and is then discarded from memory.

  2. Protect the DEK: store only the encrypted DEK alongside the ciphertext. The master key never leaves KMS and never touches the data; its job is to wrap and unwrap data keys. To decrypt, send the encrypted DEK to KMS Decrypt, receive the plaintext DEK back, and decrypt the data locally with it.

Therefore, the correct answers to the question are:

B. Use the Customer master key to generate a data key for the encryption process.

D. Use the generated data key to decrypt the data.

The customer master key is used to generate a unique Data Encryption Key (DEK), and the DEK is used to encrypt the data. To decrypt, the application sends the encrypted DEK back to KMS, which unwraps it with the same master key, and then applies the recovered DEK to the data. The recovered DEK is the same key that encrypted the data, so symmetric decryption succeeds.

Option A is incorrect because the customer master key generates and wraps the data key; it does not encrypt the data itself.

Option C is incorrect because the customer master key decrypts the encrypted data key, not the data.

In summary, the customer master key (KMS key) never encrypts or decrypts the application data. It generates and protects data encryption keys, and the data key is what encrypts and decrypts the actual data. Note the dependency this creates: if the master key is deleted or disabled, every DEK it wrapped becomes unrecoverable, so its key policy and lifecycle deserve the same care as the data.
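The two steps above, with the matching decrypt path, as a worked example. This is code added for this page, not the page's own code and not an AWS library. It is written in Go rather than Java so it runs offline with only the standard library: the `fakeKMS` type is an assumed local stand-in for the KMS service, and its `GenerateDataKey` and `Decrypt` methods mirror the real KMS API operations of the same names, which a Java application would call through the AWS SDK. AES-256-GCM is used for wrapping only so the example runs without the service; the real KMS ciphertext format is opaque. The key ID and sample record are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS is a local stand-in for AWS KMS (an assumption for this example). It
// owns a master key that never leaves it and exposes only GenerateDataKey and
// Decrypt; AES-256-GCM wrapping replaces KMS's own opaque ciphertext format.
type fakeKMS struct {
	keyID     string
	masterKey []byte // 32 bytes; never returned to callers
}

// randomBytes returns n CSPRNG bytes; a failing system RNG is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce; output is nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, wrong AAD or any tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit data key comes
// back in plaintext and wrapped under the master key, with the key ID as AAD.
func (k *fakeKMS) GenerateDataKey() (dek, wrapped []byte, err error) {
	dek = randomBytes(32)
	wrapped, err = seal(k.masterKey, dek, []byte(k.keyID))
	return dek, wrapped, err
}

// Decrypt mirrors kms:Decrypt: it only ever unwraps data keys, never user data.
func (k *fakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return open(k.masterKey, wrapped, []byte(k.keyID))
}

// EncryptEnvelope: step 1, get a data key from KMS; step 2, encrypt locally with
// the plaintext copy, then zero it. The caller stores wrapped next to ct; no
// plaintext key is ever persisted.
func EncryptEnvelope(k *fakeKMS, data []byte) (wrapped, ct []byte, err error) {
	dek, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return nil, nil, err
	}
	defer zero(dek)
	ct, err = seal(dek, data, nil)
	return wrapped, ct, err
}

// DecryptEnvelope asks KMS for the data key back, then decrypts locally.
func DecryptEnvelope(k *fakeKMS, wrapped, ct []byte) ([]byte, error) {
	dek, err := k.Decrypt(wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrapping data key: %w", err)
	}
	defer zero(dek)
	return open(dek, ct, nil)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

Three properties are worth checking when you run this: the master key never appears outside `fakeKMS` and is never applied to the record (passing the data ciphertext to `Decrypt` fails), a second master key cannot unwrap the stored data key, and flipping one bit of the ciphertext fails authentication rather than returning garbage. In a real application the AWS Encryption SDK performs this whole sequence for you, including generating a fresh data key per message.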