3

I am trying to encrypt a large XML payload using the AWS KMS Encryption SDK. I came across this link, which states that there is a limit on the number of bytes of data that can be encrypted:

You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such as an RSA key, a database password, or other sensitive information.

Does KMS not support encryption of data that is more than 4 KB? Is there a workaround to handle data of size more than 4 KB?

Punter Vicky
  • I'm not familiar with the API but it sounds like it is basically for encrypting keys or key-like entities like passwords, etc. Just a few lines down it says "*Also, you don't need to use this operation to encrypt data in your application. You can use the plaintext and encrypted data keys that the GenerateDataKey operation returns*" – President James K. Polk Sep 12 '18 at 15:24
  • Thanks @JamesKPolk. I already have the keys created and have the key ARNs with me. Can't I use them to encrypt a large XML payload? – Punter Vicky Sep 12 '18 at 15:36
  • You would use KMS to manage (get) your encryption key. Then you write your own encryption routines that use the key. AES encryption examples are everywhere. AWS also has the encryption SDK: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html – John Hanley Sep 12 '18 at 15:52
  • Thanks @JohnHanley if I use AWS encryption SDK will I be limited by the 4KB limit or will I be able to encrypt data of any size? – Punter Vicky Sep 12 '18 at 17:22
  • Any size. Note: encryption is very easy to get wrong (e.g. becomes easier to break). Spend some time understanding how to do encryption correctly OR use a published library to do it for you. – John Hanley Sep 12 '18 at 17:43
  • Thanks @JohnHanley. One last question - what does the size limit mentioned in the documentation relate to? – Punter Vicky Sep 12 '18 at 18:01
  • Which documentation? The AWS SDK has no file size limit. KMS API has a 4 KB limit. KMS encryption is to encrypt your keys and sometimes small data. It is not used to encrypt large amounts of data. You could encrypt large data 4 KB blocks at a time but this is very insecure. – John Hanley Sep 12 '18 at 18:10
  • Additional point. Think of KMS as your encryption key management service, not your data encryption service. Two very different applications. – John Hanley Sep 12 '18 at 18:12
  • Thanks @JohnHanley. This makes it clear. I am assuming the master key needs to adhere to the 4 KB limit and it is stored in AWS KMS. The AWS SDK uses this master key to generate data keys, which will be used by the encrypt method to encrypt a message of any size. – Punter Vicky Sep 12 '18 at 18:21
  • You are correct. However, encryption keys are measured in bits. KMS and AWS in general use 256 bit AES-GCM encryption keys. Advanced Encryption Standard (AES) - Galois/Counter Mode (GCM). https://docs.aws.amazon.com/kms/latest/developerguide/crypto-intro.html – John Hanley Sep 12 '18 at 18:26

1 Answer

14

You are using the CMK to encrypt/decrypt your data, which is not what you should be using it for. The CMK is limited to encrypting up to 4 KB of data because it is meant to create and encrypt/decrypt the data key. Once you’ve created this data key, you then use it to encrypt your data without the use of AWS KMS. You could use OpenSSL with the data key, and this process is not dependent on KMS. Keep in mind that you have to handle the data key very carefully; best practice is, once you've used it to encrypt data, to encrypt that data key using KMS and then store that encrypted key (as metadata) along with the encrypted data. The process of decrypting the data will start with you using KMS to decrypt the data key, then using OpenSSL, for example, with the decrypted data key as the key to decrypt your data (XML payload).

Thando Toto
  • Any references or examples implementing this? This is what I was looking into for so long! – John Mar 01 '21 at 13:36
  • @John Check out the [AWS Encryption SDK](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html) It has implementations in several languages. If you need something else, like PHP for example (which was my case), you need to look for a 3rd party solution or implement your own. – darighteous1 Feb 01 '22 at 14:26
  • @John what about FIPS-compliance, though? The HSMs used by KMS are FIPS-140-2 certified, but I don't think there are any certifications for the crypto routines that use the data keys to encrypt the payload using the SDK (or any certified python implementation, really). – misberner Feb 28 '23 at 06:38
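The envelope flow described in the answer and in the comment thread on the question (generate a data key through KMS, encrypt the payload locally with AES-256-GCM, store the KMS-wrapped data key as metadata, and reverse the steps to decrypt), as an added example written for this page; it is not code from the answer, from the AWS Encryption SDK or from any AWS documentation. It is Go using only the standard library. `kmsStub` is a local stand-in for the KMS `GenerateDataKey` and `Decrypt` API calls so the example runs offline; in production those two calls go to KMS through the AWS SDK and the master key never leaves KMS. The names `kmsStub`, `Envelope`, `EnvelopeEncrypt` and `EnvelopeDecrypt` and the sample payload are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// kmsStub stands in for the KMS GenerateDataKey and Decrypt API calls so this runs offline.
// Real KMS never releases the master key; the stub keeps a local 256-bit key and wraps
// data keys under it with AES-256-GCM.
type kmsStub struct{ masterKey []byte }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag under a fresh random 96-bit nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or AAD is rejected.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh 256-bit data key, returned in
// plaintext and wrapped under the master key. Decrypt mirrors KMS Decrypt on the wrapped
// key, which is a few dozen bytes, far under the 4 KB API limit.
func (k *kmsStub) GenerateDataKey() (plaintextKey, encryptedKey []byte, err error) {
	if plaintextKey, err = randomBytes(32); err != nil {
		return nil, nil, err
	}
	encryptedKey, err = gcmSeal(k.masterKey, plaintextKey, nil)
	return plaintextKey, encryptedKey, err
}

func (k *kmsStub) Decrypt(encryptedKey []byte) ([]byte, error) {
	return gcmOpen(k.masterKey, encryptedKey, nil)
}

// Envelope is what gets stored: the wrapped data key travels as metadata beside the
// AES-GCM output (nonce || ciphertext || tag).
type Envelope struct{ EncryptedDataKey, Ciphertext []byte }

// EnvelopeEncrypt: one KMS call for a data key, then local AES-GCM over a payload of any
// size. The wrapped key is bound in as GCM additional data so it cannot be swapped out.
func EnvelopeEncrypt(kms *kmsStub, payload []byte) (Envelope, error) {
	dataKey, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dataKey, payload, wrapped)
	return Envelope{EncryptedDataKey: wrapped, Ciphertext: ct}, err
}

// EnvelopeDecrypt: KMS unwraps the data key, then the payload is decrypted locally.
func EnvelopeDecrypt(kms *kmsStub, env Envelope) ([]byte, error) {
	dataKey, err := kms.Decrypt(env.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dataKey, env.Ciphertext, env.EncryptedDataKey)
}

func main() {
	mk, _ := randomBytes(32)
	kms := &kmsStub{masterKey: mk}
	// Constructed sample: 14,000 bytes of XML, well over the 4 KB KMS Encrypt limit.
	xml := bytes.Repeat([]byte("<item>x</item>"), 1000)
	env, _ := EnvelopeEncrypt(kms, xml)
	got, err := EnvelopeDecrypt(kms, env)
	fmt.Printf("payload %d bytes, round trip ok=%v err=%v\n", len(xml), bytes.Equal(got, xml), err)
}
```

Only the wrapped data key (60 bytes here: 12-byte nonce, 32-byte key, 16-byte tag) ever passes through KMS, which is why the 4 KB Encrypt limit never touches the payload. Two details worth keeping when adapting this: the wrapped key is supplied as GCM additional data, so stored metadata cannot be swapped for another envelope's key without the tag check failing, and the plaintext data key exists only for the duration of one call; a production implementation should additionally zero it after use. The AWS Encryption SDK performs exactly this envelope handling (and the key-swap binding) for you, which is the simpler route the comments above recommend.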