AWS KMS is a managed service for cryptographic functions in AWS. This service allows you to offload the tough job of key lifecycle management to Amazon.

These snippets will allow you to perform basic cryptographic functions - encrypt, decrypt, and re-wrap. It is assumed you already have a KMS key provisioned, and an IAM user with permissions to perform the relevant operations.

Encrypt the Contents of a File

This command encrypts the contents of contents.txt and saves the encrypted version in contents.asc.

```bash
# This example uses a key alias, but this can also be the ARN.
KMS_KEY=alias/my-kms-key
UNENCRYPTED_FILE=contents.txt
ENCRYPTED_FILE=contents.asc
# --query CiphertextBlob with --output text writes the ciphertext as base64 text.
aws kms encrypt \
    --key-id ${KMS_KEY} \
    --plaintext fileb://${UNENCRYPTED_FILE} \
    --output text \
    --query CiphertextBlob > ${ENCRYPTED_FILE}
```

Decrypt the Contents of an Encrypted File

This command decrypts the contents of contents.asc and displays them in the terminal.

```bash
ENCRYPTED_FILE=contents.asc
# fileb:// expects raw bytes, so the base64 ciphertext is decoded on the way in
# (process substitution needs bash); the plaintext comes back base64-encoded.
aws kms decrypt \
    --ciphertext-blob fileb://<(cat ${ENCRYPTED_FILE} | base64 --decode) \
    --output text \
    --query Plaintext | base64 --decode
```

Re-Wrap Encrypted File with New Key

This command is useful if you rotate a key, or want to migrate to a new key.

It submits the encrypted data to KMS where it is decrypted with the old key, and then encrypted again with the new key.

This is useful because the plaintext never leaves KMS: the client never receives the decrypted contents.

```bash
# ENCRYPTED_FILE is the same variable as in the decrypt example above.
ENCRYPTED_FILE=contents.asc
NEW_KMS_KEY=alias/my-new-kms-key
aws kms re-encrypt \
    --ciphertext-blob fileb://<(cat ${ENCRYPTED_FILE} | base64 --decode) \
    --destination-key-id ${NEW_KMS_KEY} \
    --output text \
    --query CiphertextBlob > ${ENCRYPTED_FILE}.tmp \
  && mv ${ENCRYPTED_FILE}.tmp ${ENCRYPTED_FILE}
# The && keeps a failed re-encrypt (e.g. no permission on the new key) from
# overwriting the original ciphertext with an empty file.
```
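The re-wrap above swaps the file in place as soon as the command returns. As an added example that is not part of the original snippets, the function below re-wraps a ciphertext file and, before replacing the original, asks KMS (via the KeyId field of decrypt) which key the new ciphertext is bound to and compares it with the ARN describe-key reports for the new key; it assumes a configured AWS CLI, and the function names are this example's own.

```bash
set -eu

# Note: automatic KMS key rotation keeps the old key material, so existing
# ciphertext stays decryptable; re-wrapping is for moving to a different key.

# Resolve a key id or alias to the key ARN that KMS reports in its responses.
kms_key_arn() {
    aws kms describe-key --key-id "$1" --query KeyMetadata.Arn --output text
}

# Ask KMS which key the base64 ciphertext in file $1 is bound to. The file is
# decoded to raw bytes first, the form the CLI expects behind fileb://.
kms_ciphertext_key_arn() {
    local raw arn
    raw="$(mktemp)"
    base64 --decode < "$1" > "$raw"
    arn="$(aws kms decrypt --ciphertext-blob "fileb://$raw" \
               --query KeyId --output text)" || { rm -f "$raw"; return 1; }
    rm -f "$raw"
    echo "$arn"
}

# Re-wrap base64 ciphertext file $1 under key $2 (id, ARN or alias). The
# original is replaced only after KMS confirms the new ciphertext is bound to
# the new key, so a failed or partial re-wrap never clobbers working data.
kms_rewrap_file() {
    local file="$1" new_key="$2" raw tmp expected actual
    expected="$(kms_key_arn "$new_key")"
    raw="$(mktemp)"; tmp="$(mktemp)"
    base64 --decode < "$file" > "$raw"
    if ! aws kms re-encrypt --ciphertext-blob "fileb://$raw" \
            --destination-key-id "$new_key" \
            --output text --query CiphertextBlob > "$tmp"; then
        rm -f "$raw" "$tmp"
        echo "re-encrypt failed; $file left untouched" >&2
        return 1
    fi
    rm -f "$raw"
    if ! actual="$(kms_ciphertext_key_arn "$tmp")" || [ "$actual" != "$expected" ]; then
        rm -f "$tmp"
        echo "rewrap check failed: got ${actual:-none}, expected $expected" >&2
        return 1
    fi
    mv "$tmp" "$file"
}
```

Usage: `kms_rewrap_file contents.asc alias/my-new-kms-key` returns non-zero and leaves contents.asc untouched if either KMS call fails or the key check does not match.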