  • The AWS Encryption SDK is a client-side encryption library
  • Encrypts and decrypts data following industry standards and best practices
  • Provided free by AWS under the Apache 2.0 license.
  • Supports
    • C
    • Java
    • JavaScript
    • Python
  • Takes the hard decisions off the application, so you do not have to choose yourself
    • which encryption algorithm to use
    • which mode of operation to use with it
    • how to generate the encryption key
    • how to protect the encryption key
    • how to store the encryption key (the encrypted data key travels inside the encrypted message)
  • By default, the SDK generates a unique data key for every data object (message) it encrypts.
  • Concepts in the SDK
    • Data Key – the symmetric key used to encrypt the data itself; a byte array, by default generated fresh for every message
    • Master Key – also called a wrapping key; encrypts (wraps) the data keys. Typically an AWS KMS key, but raw AES or RSA keys you supply are also supported
    • Cryptographic Materials Manager (CMM) – assembles the cryptographic materials (plaintext data key, encrypted data keys, algorithm suite) used to encrypt and decrypt data
    • Master Key Provider (Java and Python) – returns master keys, or objects that identify or return master keys
    • Keyring (C and JavaScript) – generates, encrypts, and decrypts data keys
    • Algorithm Suite – the set of algorithms used for one message. Every suite encrypts with AES-GCM using a 128-, 192- or 256-bit data key; the default suite uses AES-256-GCM with an HKDF-derived key and an ECDSA signature over the message (SDK versions 2.0 and later also add key commitment)
    • Encryption Context – a set of non-secret name-value pairs supplied by the caller. It is stored in plaintext in the message header and cryptographically bound to the ciphertext as additional authenticated data, so it is useful for logging and tracking, any change to it makes decryption fail, and it is returned on decrypt so the caller can verify it
    • Encrypted Message – a portable, formatted data structure containing the encrypted data, encrypted copies of the data key (one per master key), the encryption context and other metadata such as the algorithm suite ID
  • The SDK cannot decrypt data encrypted by
    • the DynamoDB Encryption Client
    • Amazon S3 client-side encryption
  • The SDK can use AWS KMS keys (formerly called customer master keys, CMKs) as master keys, and the data keys generated under them, to protect your data

Symmetric Key Encryption

  • The same key is used to encrypt and to decrypt
  • To encrypt data,
    • the SDK submits the data key and the user's plaintext data to the encryption algorithm.
    • An encrypted message is returned, containing
      • the encrypted data
      • an encrypted copy of the data key
      • the encryption context
  • To decrypt an encrypted message,
    • the SDK submits the data key and the encrypted message to the decryption algorithm.
    • The plaintext data is returned

Envelope Encryption

  • Two steps
    • a data key encrypts the plaintext
    • the data key is itself encrypted by a master key
  • It protects the data keys: only the master key has to be kept secret long-term
  • To encrypt under several master keys, the small data key is encrypted under each master key instead of re-encrypting the large data itself multiple times
  • Different algorithms can be combined, e.g. a symmetric algorithm for the data and an asymmetric one for wrapping the data key
  • To encrypt
    • The application sends plaintext data to an encryption method.
    • The encryption method asks the cryptographic materials manager (CMM) for encryption materials.
    • The CMM requests encryption materials from the master key provider (Java, Python) or keyring (C, JavaScript).
    • The response contains a plaintext data key and the same data key encrypted under each of the master keys.
    • The encryption method uses the plaintext data key to encrypt the data, then discards it.
    • If an encryption context is present, the encryption method binds it to the encrypted data (it is stored in the header and authenticated together with the ciphertext).
    • The encryption method returns an encrypted message containing
      • the encrypted data
      • the encrypted data key(s)
      • metadata, including the encryption context
  • To decrypt
    • The application sends the encrypted message to a decryption method.
    • The decryption method asks the CMM for the cryptographic materials needed to decrypt it.
    • In Java and Python, the default CMM asks its master key provider for a master key that can decrypt one of the encrypted data keys.
    • In C and JavaScript, the CMM asks the keyring for decryption materials.
    • The response contains the decryption materials, including the plaintext data key.
    • The decryption method uses the plaintext data key to decrypt the data, then discards the plaintext data key.
    • The decryption method returns the plaintext data.