AmazonKMS Class
Properties Methods Events Configuration Settings Errors
The AmazonKMS class provides an easy-to-use interface for Amazon's Key Management Service.
Syntax
cloudkeys.Amazonkms
Remarks
The AmazonKMS class makes it easy to work with the Amazon Key Management Service (KMS) in a secure manner using TLS. Amazon KMS allows you to create, manage, and use customer master keys (CMKs) for cryptographic operations. You can also work with aliases, and generate data keys and data key pairs.
To begin, register for an AWS account and obtain an AccessKey and SecretKey to use for authentication. Once one or more CMKs have been created, either via the AWS console (recommended) or this API, you'll be ready to start using the class to manage and use the CMKs.
Resource Terminology
As implied above, there are three kinds of resources associated with Amazon KMS. The primary resource type is the customer master key, or "CMK". CMKs can be symmetric or asymmetric, and can be used either for encryption and decryption, or signing and verification. CMKs themselves can never leave the Amazon cloud, they are used for server-side cryptographic operations only. This is a security feature, but it does mean that the amount of data that can be processed in a CMK-based cryptographic operation is relatively small.
To work around the small server-side cryptographic operation data limit, Amazon KMS also supports the generation of data keys (symmetric) and data key pairs (asymmetric), which can then be used outside of Amazon KMS in order to encrypt/decrypt and sign/verify larger amounts data. KMS itself only generates these keys, it does not track them or make use of them for cryptographic operations. However, it does encrypt the data key (or, for data key pairs, the private key) using a CMK when it is generated, which means that the key must be decrypted using a CMK each time it needs to be used. For more information, refer to Amazon's Envelope Encryption description, which details the many security benefits of this strategy.
The last resource is called an alias. Aliases provide friendly names for CMKs, which can otherwise only be identified by their Id or Amazon resource name (ARN). Since an alias is a standalone resource, it can be created and deleted without affecting the CMK it refers to. It can also be updated to refer to a different CMK at any time.
Note: CMKs and aliases are region-specific resources. That is, CMKs and aliases cannot be accessed or used outside of the region that they reside in.
Using the Class
CMKs can be created using the CreateKey method. A CMK's key spec (i.e., whether it is symmetric or asymmetric, and in the latter case, what kind of asymmetric) and usage (i.e., whether it is for encryption/decryption or signing/verification) must be set at the time of creation, and they cannot be changed later. A description of the CMK can also be provided when it is created, and can be changed at any time using the UpdateKeyDescription method.
When a CMK will no longer be used, it can be scheduled for deletion using the ScheduleKeyDeletion method. AWS requires that CMKs remain in a "pending deletion" state for at least seven days to help ensure that they are truly no longer needed. If at any time during the waiting period it is discovered that the CMK is still needed, the deletion can be canceled using the CancelKeyDeletion method (CMKs cannot be used while they are pending deletion).
// The CreateKey method returns the Amazon resource name of the newly-created CMK.
string keyArn = kms.CreateKey("SYMMETRIC_DEFAULT", false, "Test key");
// ... Some time later ...
// Schedules the CMK for deletion in 15 days.
kms.ScheduleKeyDeletion(keyArn, 15);
Aliases can be created and deleted using the CreateAlias and DeleteAlias methods. Also, while aliases can be updated to refer to a different CMK at any time during their lifetime. Note that all alias names must begin with the prefix alias/ (but cannot begin with alias/aws/, which is a reserved prefix).
kms.CreateAlias("alias/MyTestKey", keyArn);
kms.UpdateAlias("alias/MyTestKey", otherKeyArn);
kms.DeleteAlias("alias/MyTestKey"); // Only deletes the alias; the CMK it refers to is unaffected.
To list CMKs or aliases, use the ListKeys and ListAliases methods. For the former, the IncludeKeyDetails property can optionally be enabled to have the class attempt to retrieve the full information for each CMK (Amazon only returns the CMK's ARN and Id while listing).
// If there are many CMKs to list, there may be multiple pages of results. This will
// cause all pages of results to be accumulated into the Keys collection property.
do {
kms.ListKeys();
} while (!string.IsNullOrEmpty(kms.KeyMarker));
foreach (AWSKey key in kms.Keys) {
Console.WriteLine(key.ARN);
}
Depending on a CMK's usage, it can be used to perform different cryptographic operations. CMKs with encryption/decryption usage can be used in Encrypt, Decrypt, and ReEncrypt operations. CMKs with sign/verify usage can be used in Sign and Verify operations. To perform a cryptographic operation, use InputData, InputFile, or SetInputStream to supply the input data that should be processed. All operations will output the result data to OutputData, OutputFile, or SetOutputStream (except Verify; refer to its documentation for more information).
// Create an asymmetric CMK with encrypt/decrypt usage.
string keyArn = kms.CreateKey("RSA_4096", false, "Encryption Key #237");
// Encrypt the string "Test123" and write the encrypted data to an output file.
kms.InputData = "Test123";
kms.OutputFile = "C:/temp/enc.dat";
kms.Encrypt(keyArn, "RSAES_OAEP_SHA_256");
// ...Later, decrypt the data again.
kms.InputFile = "C:/temp/enc.dat";
kms.OutputFile = ""; // So that the data will be output to the OutputData property.
kms.Decrypt(keyArn, "RSAES_OAEP_SHA_256");
It's important to note that the amount of data that can be processed in server-side cryptographic operations is very small. For signing operations, it is limited to 4096 bytes; for encryption operations, the limit varies based on the selected CMK's key spec and the selected encryption algorithm (see the Encrypt method's documentation for more information).
To work around this issue, Amazon KMS supports the generation of data keys and data key pairs (described above) which can be used locally to encrypt/decrypt or sign/verify large amounts of data. To generate a data key or a data key pair, call the GenerateDataKey and GenerateDataKeyPair methods.
// Generates a data key, including a plaintext copy.
// The encrypted copy is encrypted by the specified CMK.
kms.GenerateDataKey("AES_256", keyArn, true);
// The resulting information is stored in the following properties:
// kms.KeyData.ARN: The ARN of the CMK used to encrypt the data key.
// kms.KeyData.EncryptedKey: The encrypted copy of the data key.
// kms.KeyData.KeySpec: The spec of the generated data key.
// kms.KeyData.PlaintextKey: The plaintext copy of the data key (if it was requested).
// Generates a data key pair, including plaintext copy.
// The encrypted copy of the private key is encrypted by the specified CMK.
kms.GenerateDataKeyPair("ECC_NIST_P384", keyArn, true);
// The resulting information is stored in the following properties:
// kms.KeyData.ARN: The ARN of the CMK used to encrypt the data key pair's private key.
// kms.KeyData.EncryptedKey: The encrypted copy of the private key.
// kms.KeyData.KeySpec: The spec of the generated data key pair.
// kms.KeyData.PlaintextKey: The plaintext copy of the private key (if it was requested).
// kms.KeyData.PublicKey: The data key pair's public key.
The class also supports a variety of other functionality, including:
- Retrieval of an asymmetric CMK's public key with GetPublicKey.
- Enabling and disabling CMKs with SetKeyEnabled.
- Automatic rotation of CMKs with GetKeyRotationStatus and SetKeyRotationStatus.
- Encryption contexts for Encrypt, Decrypt, and ReEncrypt.
- And more!
Property List
The following is the full list of the properties of the class with short descriptions. Click on the links for further details.
AccessKey | The access key to use for authentication. |
Aliases | A collection of aliases. |
AliasMarker | A marker indicating what page of aliases to return next. |
EncryptionContext | A collection of encryption context items. |
Firewall | A set of properties related to firewall access. |
Idle | The current status of the class. |
IncludeKeyDetails | Whether to attempt to retrieve full details when listing CMKs. |
InputData | The data to process. |
InputFile | The file whose data should be processed. |
KeyData | The downloaded key information. |
KeyMarker | A marker indicating what page of CMKs to return next. |
Keys | A collection of keys. |
LocalHost | The name of the local host or user-assigned IP interface through which connections are initiated or accepted. |
OtherHeaders | Other headers as determined by the user (optional). |
OutputData | The output data. |
OutputFile | The file to which output data should be written. |
Overwrite | Whether the output file should be overwritten if necessary. |
ParsedHeaders | Collection of headers returned from the last request. |
Proxy | A set of properties related to proxy access. |
QueryParams | Additional query parameters to be included in the request. |
Region | The region that the class will make requests against. |
SecretKey | The secret key to use for authentication. |
SSLAcceptServerCert | Instructs the class to unconditionally accept the server certificate that matches the supplied certificate. |
SSLCert | The certificate to be used during SSL negotiation. |
SSLServerCert | The server certificate for the last established connection. |
Timeout | A timeout for the class. |
Method List
The following is the full list of the methods of the class with short descriptions. Click on the links for further details.
AddEncryptionContextItem | Adds an item to the EncryptionContext properties. |
AddQueryParam | Adds a query parameter to the QueryParams properties. |
CancelKeyDeletion | Cancels the deletion of the specified CMK. |
ClearKeyData | Clears information stored in the KeyData properties. |
Config | Sets or retrieves a configuration setting. |
CreateAlias | Creates a new alias. |
CreateKey | Creates a new CMK. |
Decrypt | Decrypts data using a CMK. |
DeleteAlias | Deletes an alias. |
DoEvents | Processes events from the internal message queue. |
Encrypt | Encrypts data using a CMK. |
GenerateDataKey | Generates a data key that can be used outside of Amazon KMS. |
GenerateDataKeyPair | Generates a data key pair that can be used outside of Amazon KMS. |
GenerateRandomBytes | Generates a cryptographically-secure random byte string. |
GetKeyInfo | Gets information about a CMK. |
GetKeyRotationStatus | Retrieves the key rotation status for a CMK. |
GetPublicKey | Retrieves the public key of an asymmetric CMK. |
ListAliases | Lists aliases in the current account and region. |
ListKeys | Lists CMKs in the current account and region. |
ReEncrypt | Decrypts data using one CMK and re-encrypts it using another CMK. |
Reset | Resets the class to its initial state. |
ScheduleKeyDeletion | Schedules the deletion of a CMK. |
SendCustomRequest | Sends a custom request to the server. |
SetInputStream | Sets the stream whose data should be processed. |
SetKeyEnabled | Enables or disables a CMK. |
SetKeyRotationStatus | Enables or disables automatic key rotation for a CMK. |
SetOutputStream | Sets the stream to which output data should be written. |
Sign | Signs a message using a CMK. |
UpdateAlias | Updates an alias to refer to a different CMK. |
UpdateKeyDescription | Updates a CMK's description. |
Verify | Verifies a digital signature using a CMK. |
Event List
The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.
AliasList | Fires once for each alias when listing aliases. |
EndTransfer | Fired when a document finishes transferring. |
Error | Information about errors during data delivery. |
Header | Fired every time a header line comes in. |
KeyList | Fires once for each CMK when listing CMKs. |
Log | Fires once for each log message. |
SSLServerAuthentication | Fired after the server presents its certificate to the client. |
SSLStatus | Shows the progress of the secure connection. |
StartTransfer | Fired when a document starts transferring (after the headers). |
Transfer | Fired while a document transfers (delivers document). |
Configuration Settings
The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.
AccumulatePages | Whether the class should accumulate subsequent pages of results when listing them. |
AWSProfile | The name of the AWS CLI profile that the class should use to obtain authentication and region information. |
AWSProfileDir | The location of the AWS CLI credentials and config files. |
CloseInputStreamAfterProcessing | Whether the specified input stream should be closed after data is read from it. |
CloseOutputStreamAfterProcessing | Whether the specified output stream should be closed after data is written to it. |
CreateKeyPolicy | The key policy JSON to send when creating a new CMK. |
CustomKeyStoreId | The Id of the custom key store that the CMK should be created in. |
IMDSv2SessionTokenDuration | The maximum duration of the session token. |
IMDSVersion | The version of Instance Metadata Service to use when accessing role credentials. |
MaxAliases | The maximum number of results to return when listing aliases. |
MaxKeys | The maximum number of results to return when listing CMKs. |
MessageDigest | The message digest computed by the class during the last sign or verify operation, if any. |
NewEncryptionContext | The new encryption context to use when re-encrypting data. |
RawRequest | Returns the data that was sent to the server. |
RawResponse | Returns the data that was received from the server. |
SessionToken | The session token to send in the request when using temporary credentials. |
UseEC2RoleCredentials | Whether to authenticate requests with credentials obtained from the IAM role attached to the EC2 instance. |
UseFIPSEndpoint | Whether to use the FIPs endpoint to communicate with the server. |
XChildCount | The number of child elements of the current element. |
XChildName[i] | The name of the child element. |
XChildXText[i] | The inner text of the child element. |
XElement | The name of the current element. |
XParent | The parent of the current element. |
XPath | Provides a way to point to a specific element in the returned XML or JSON response. |
XSubTree | A snapshot of the current element in the document. |
XText | The text of the current element. |
AcceptEncoding | Used to tell the server which types of content encodings the client supports. |
AllowHTTPCompression | This property enables HTTP compression for receiving data. |
AllowHTTPFallback | Whether HTTP/2 connections are permitted to fallback to HTTP/1.1. |
AllowNTLMFallback | Whether to allow fallback from Negotiate to NTLM when authenticating. |
Append | Whether to append data to LocalFile. |
Authorization | The Authorization string to be sent to the server. |
BytesTransferred | Contains the number of bytes transferred in the response data. |
ChunkSize | Specifies the chunk size in bytes when using chunked encoding. |
CompressHTTPRequest | Set to true to compress the body of a PUT or POST request. |
EncodeURL | If set to true the URL will be encoded by the class. |
FollowRedirects | Determines what happens when the server issues a redirect. |
GetOn302Redirect | If set to true the class will perform a GET on the new location. |
HTTP2HeadersWithoutIndexing | HTTP2 headers that should not update the dynamic header table with incremental indexing. |
HTTPVersion | The version of HTTP used by the class. |
IfModifiedSince | A date determining the maximum age of the desired document. |
KeepAlive | Determines whether the HTTP connection is closed after completion of the request. |
KerberosSPN | The Service Principal Name for the Kerberos Domain Controller. |
LogLevel | The level of detail that is logged. |
MaxHeaders | Instructs class to save the amount of headers specified that are returned by the server after a Header event has been fired. |
MaxHTTPCookies | Instructs class to save the amount of cookies specified that are returned by the server when a SetCookie event is fired. |
MaxRedirectAttempts | Limits the number of redirects that are followed in a request. |
NegotiatedHTTPVersion | The negotiated HTTP version. |
OtherHeaders | Other headers as determined by the user (optional). |
ProxyAuthorization | The authorization string to be sent to the proxy server. |
ProxyAuthScheme | The authorization scheme to be used for the proxy. |
ProxyPassword | A password if authentication is to be used for the proxy. |
ProxyPort | Port for the proxy server (default 80). |
ProxyServer | Name or IP address of a proxy server (optional). |
ProxyUser | A user name if authentication is to be used for the proxy. |
SentHeaders | The full set of headers as sent by the client. |
StatusLine | The first line of the last response from the server. |
TransferredData | The contents of the last response from the server. |
TransferredDataLimit | The maximum number of incoming bytes to be stored by the class. |
TransferredHeaders | The full set of headers as received from the server. |
TransferredRequest | The full request as sent by the client. |
UseChunkedEncoding | Enables or Disables HTTP chunked encoding for transfers. |
UseIDNs | Whether to encode hostnames to internationalized domain names. |
UsePlatformDeflate | Whether to use the platform implementation to decompress compressed responses. |
UsePlatformHTTPClient | Whether or not to use the platform HTTP client. |
UserAgent | Information about the user agent (browser). |
CloseStreamAfterTransfer | If true, the class will close the upload or download stream after the transfer. |
ConnectionTimeout | Sets a separate timeout value for establishing a connection. |
FirewallAutoDetect | Tells the class whether or not to automatically detect and use firewall system settings, if available. |
FirewallHost | Name or IP address of firewall (optional). |
FirewallListener | If true, the class binds to a SOCKS firewall as a server (IPPort only). |
FirewallPassword | Password to be used if authentication is to be used when connecting through the firewall. |
FirewallPort | The TCP port for the FirewallHost;. |
FirewallType | Determines the type of firewall to connect through. |
FirewallUser | A user name if authentication is to be used connecting through a firewall. |
KeepAliveInterval | The retry interval, in milliseconds, to be used when a TCP keep-alive packet is sent and no response is received. |
KeepAliveTime | The inactivity time in milliseconds before a TCP keep-alive packet is sent. |
Linger | When set to True, connections are terminated gracefully. |
LingerTime | Time in seconds to have the connection linger. |
LocalHost | The name of the local host through which connections are initiated or accepted. |
LocalPort | The port in the local host where the class binds. |
MaxLineLength | The maximum amount of data to accumulate when no EOL is found. |
MaxTransferRate | The transfer rate limit in bytes per second. |
ProxyExceptionsList | A semicolon separated list of hosts and IPs to bypass when using a proxy. |
TCPKeepAlive | Determines whether or not the keep alive socket option is enabled. |
TcpNoDelay | Whether or not to delay when sending packets. |
UseIPv6 | Whether to use IPv6. |
UseNTLMv2 | Whether to use NTLM V2. |
LogSSLPackets | Controls whether SSL packets are logged when using the internal security API. |
ReuseSSLSession | Determines if the SSL session is reused. |
SSLCACerts | A newline separated list of CA certificate to use during SSL client authentication. |
SSLCheckCRL | Whether to check the Certificate Revocation List for the server certificate. |
SSLCipherStrength | The minimum cipher strength used for bulk encryption. |
SSLContextProtocol | The protocol used when getting an SSLContext instance. |
SSLEnabledCipherSuites | The cipher suite to be used in an SSL negotiation. |
SSLEnabledProtocols | Used to enable/disable the supported security protocols. |
SSLEnableRenegotiation | Whether the renegotiation_info SSL extension is supported. |
SSLIncludeCertChain | Whether the entire certificate chain is included in the SSLServerAuthentication event. |
SSLNegotiatedCipher | Returns the negotiated ciphersuite. |
SSLNegotiatedCipherStrength | Returns the negotiated ciphersuite strength. |
SSLNegotiatedCipherSuite | Returns the negotiated ciphersuite. |
SSLNegotiatedKeyExchange | Returns the negotiated key exchange algorithm. |
SSLNegotiatedKeyExchangeStrength | Returns the negotiated key exchange algorithm strength. |
SSLNegotiatedProtocol | Returns the negotiated protocol version. |
SSLProvider | The name of the security provider to use. |
SSLServerCACerts | A newline separated list of CA certificate to use during SSL server certificate validation. |
SSLTrustManagerFactoryAlgorithm | The algorithm to be used to create a TrustManager through TrustManagerFactory. |
TLS12SignatureAlgorithms | Defines the allowed TLS 1.2 signature algorithms when UseInternalSecurityAPI is True. |
TLS12SupportedGroups | The supported groups for ECC. |
TLS13KeyShareGroups | The groups for which to pregenerate key shares. |
TLS13SignatureAlgorithms | The allowed certificate signature algorithms. |
TLS13SupportedGroups | The supported groups for (EC)DHE key exchange. |
AbsoluteTimeout | Determines whether timeouts are inactivity timeouts or absolute timeouts. |
FirewallData | Used to send extra data to the firewall. |
InBufferSize | The size in bytes of the incoming queue of the socket. |
OutBufferSize | The size in bytes of the outgoing queue of the socket. |
BuildInfo | Information about the product's build. |
GUIAvailable | Tells the class whether or not a message loop is available for processing events. |
LicenseInfo | Information about the current license. |
UseDaemonThreads | Whether threads created by the class are daemon threads. |
UseInternalSecurityAPI | Tells the class whether or not to use the system security libraries or an internal implementation. |