AmazonKMS Class

Properties   Methods   Events   Configuration Settings   Errors  

The AmazonKMS class provides an easy-to-use interface for Amazon's Key Management Service.

Syntax

cloudkeys.amazonkms()

Remarks

The AmazonKMS class makes it easy to work with the Amazon Key Management Service (KMS) in a secure manner using TLS. Amazon KMS allows you to create, manage, and use customer master keys (CMKs) for cryptographic operations. You can also work with aliases, and generate data keys and data key pairs.

To begin, register for an AWS account and obtain an AccessKey and SecretKey to use for authentication. Once one or more CMKs have been created, either via the AWS console (recommended) or this API, you'll be ready to start using the class to manage and use the CMKs.

Resource Terminology

As implied above, there are three kinds of resources associated with Amazon KMS. The primary resource type is the customer master key, or "CMK". CMKs can be symmetric or asymmetric, and can be used either for encryption and decryption, or signing and verification. CMKs themselves can never leave the Amazon cloud, they are used for server-side cryptographic operations only. This is a security feature, but it does mean that the amount of data that can be processed in a CMK-based cryptographic operation is relatively small.

To work around the small server-side cryptographic operation data limit, Amazon KMS also supports the generation of data keys (symmetric) and data key pairs (asymmetric), which can then be used outside of Amazon KMS in order to encrypt/decrypt and sign/verify larger amounts data. KMS itself only generates these keys, it does not track them or make use of them for cryptographic operations. However, it does encrypt the data key (or, for data key pairs, the private key) using a CMK when it is generated, which means that the key must be decrypted using a CMK each time it needs to be used. For more information, refer to Amazon's Envelope Encryption description, which details the many security benefits of this strategy.

The last resource is called an alias. Aliases provide friendly names for CMKs, which can otherwise only be identified by their Id or Amazon resource name (ARN). Since an alias is a standalone resource, it can be created and deleted without affecting the CMK it refers to. It can also be updated to refer to a different CMK at any time.

Note: CMKs and aliases are region-specific resources. That is, CMKs and aliases cannot be accessed or used outside of the region that they reside in.

Using the Class

CMKs can be created using the CreateKey method. A CMK's key spec (i.e., whether it is symmetric or asymmetric, and in the latter case, what kind of asymmetric) and usage (i.e., whether it is for encryption/decryption or signing/verification) must be set at the time of creation, and they cannot be changed later. A description of the CMK can also be provided when it is created, and can be changed at any time using the UpdateKeyDescription method.

When a CMK will no longer be used, it can be scheduled for deletion using the ScheduleKeyDeletion method. AWS requires that CMKs remain in a "pending deletion" state for at least seven days to help ensure that they are truly no longer needed. If at any time during the waiting period it is discovered that the CMK is still needed, the deletion can be canceled using the CancelKeyDeletion method (CMKs cannot be used while they are pending deletion).

// The CreateKey method returns the Amazon resource name of the newly-created CMK.
string keyArn = kms.CreateKey("SYMMETRIC_DEFAULT", false, "Test key");

// ... Some time later ...

// Schedules the CMK for deletion in 15 days.
kms.ScheduleKeyDeletion(keyArn, 15);

Aliases can be created and deleted using the CreateAlias and DeleteAlias methods. Also, while aliases can be updated to refer to a different CMK at any time during their lifetime. Note that all alias names must begin with the prefix alias/ (but cannot begin with alias/aws/, which is a reserved prefix).

kms.CreateAlias("alias/MyTestKey", keyArn);
kms.UpdateAlias("alias/MyTestKey", otherKeyArn);
kms.DeleteAlias("alias/MyTestKey"); // Only deletes the alias; the CMK it refers to is unaffected.

To list CMKs or aliases, use the ListKeys and ListAliases methods. For the former, the IncludeKeyDetails property can optionally be enabled to have the class attempt to retrieve the full information for each CMK (Amazon only returns the CMK's ARN and Id while listing).

// If there are many CMKs to list, there may be multiple pages of results. This will
// cause all pages of results to be accumulated into the Keys collection property.
do {
  kms.ListKeys();
} while (!string.IsNullOrEmpty(kms.KeyMarker));

foreach (AWSKey key in kms.Keys) {
  Console.WriteLine(key.ARN);
}

Depending on a CMK's usage, it can be used to perform different cryptographic operations. CMKs with encryption/decryption usage can be used in Encrypt, Decrypt, and ReEncrypt operations. CMKs with sign/verify usage can be used in Sign and Verify operations. To perform a cryptographic operation, use InputData or InputFile to supply the input data that should be processed. All operations will output the result data to OutputData or OutputFile (except Verify; refer to its documentation for more information).

// Create an asymmetric CMK with encrypt/decrypt usage.
string keyArn = kms.CreateKey("RSA_4096", false, "Encryption Key #237");

// Encrypt the string "Test123" and write the encrypted data to an output file.
kms.InputData = "Test123";
kms.OutputFile = "C:/temp/enc.dat";
kms.Encrypt(keyArn, "RSAES_OAEP_SHA_256");

// ...Later, decrypt the data again.
kms.InputFile = "C:/temp/enc.dat";
kms.OutputFile = ""; // So that the data will be output to the OutputData property.
kms.Decrypt(keyArn, "RSAES_OAEP_SHA_256");

It's important to note that the amount of data that can be processed in server-side cryptographic operations is very small. For signing operations, it is limited to 4096 bytes; for encryption operations, the limit varies based on the selected CMK's key spec and the selected encryption algorithm (see the Encrypt method's documentation for more information).

To work around this issue, Amazon KMS supports the generation of data keys and data key pairs (described above) which can be used locally to encrypt/decrypt or sign/verify large amounts of data. To generate a data key or a data key pair, call the GenerateDataKey and GenerateDataKeyPair methods.

// Generates a data key, including a plaintext copy.
// The encrypted copy is encrypted by the specified CMK.
kms.GenerateDataKey("AES_256", keyArn, true);

// The resulting information is stored in the following properties:
// kms.KeyData.ARN: The ARN of the CMK used to encrypt the data key.
// kms.KeyData.EncryptedKey: The encrypted copy of the data key.
// kms.KeyData.KeySpec: The spec of the generated data key.
// kms.KeyData.PlaintextKey: The plaintext copy of the data key (if it was requested).

// Generates a data key pair, including plaintext copy.
// The encrypted copy of the private key is encrypted by the specified CMK.
kms.GenerateDataKeyPair("ECC_NIST_P384", keyArn, true);

// The resulting information is stored in the following properties:
// kms.KeyData.ARN: The ARN of the CMK used to encrypt the data key pair's private key.
// kms.KeyData.EncryptedKey: The encrypted copy of the private key.
// kms.KeyData.KeySpec: The spec of the generated data key pair.
// kms.KeyData.PlaintextKey: The plaintext copy of the private key (if it was requested).
// kms.KeyData.PublicKey: The data key pair's public key.

The class also supports a variety of other functionality, including:

• Retrieval of an asymmetric CMK's public key with GetPublicKey.
• Enabling and disabling CMKs with SetKeyEnabled.
• Automatic rotation of CMKs with GetKeyRotationStatus and SetKeyRotationStatus.
• Encryption contexts for Encrypt, Decrypt, and ReEncrypt.
• And more!