|
| 1 | +# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. |
| 2 | +# SPDX-License-Identifier: Apache-2.0 |
| 3 | +""" |
| 4 | +This example sets up the AWS KMS MRK Multi Keyring |
| 5 | +
|
| 6 | +The AWS Key Management Service (AWS KMS) MRK keyring interacts with AWS KMS to |
| 7 | +create, encrypt, and decrypt data keys with AWS KMS MRK keys. |
| 8 | +The KMS MRK multi-keyring consists of one or more individual keyrings of the |
| 9 | +same or different type. The keys can either be regular KMS keys or MRKs. |
| 10 | +The effect is like using several keyrings in a series. |
| 11 | +
|
| 12 | +This example creates a AwsKmsMrkMultiKeyring using an mrk_key_id (generator) and a kms_key_id |
| 13 | +as a child key, and then encrypts a custom input EXAMPLE_DATA with an encryption context. |
| 14 | +Either KMS Key individually is capable of decrypting data encrypted under this keyring. |
| 15 | +This example also includes some sanity checks for demonstration: |
| 16 | +1. Ciphertext and plaintext data are not the same |
| 17 | +2. Encryption context is correct in the decrypted message header |
| 18 | +3. Decrypted plaintext value matches EXAMPLE_DATA |
| 19 | +4. Ciphertext can be decrypted using an AwsKmsMrkKeyring containing a replica of the |
| 20 | + MRK (from the multi-keyring used for encryption) copied from the first region into |
| 21 | + the second region |
| 22 | +These sanity checks are for demonstration in the example only. You do not need these in your code. |
| 23 | +
|
| 24 | +For more information on how to use KMS keyrings, see |
| 25 | +https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/use-kms-keyring.html |
| 26 | +
|
| 27 | +For more info on KMS MRK (multi-region keys), see the KMS documentation: |
| 28 | +https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html |
| 29 | +""" |
| 30 | +import sys |
| 31 | + |
| 32 | +import boto3 |
| 33 | +from aws_cryptographic_materialproviders.mpl import AwsCryptographicMaterialProviders |
| 34 | +from aws_cryptographic_materialproviders.mpl.config import MaterialProvidersConfig |
| 35 | +from aws_cryptographic_materialproviders.mpl.models import CreateAwsKmsMrkKeyringInput, CreateAwsKmsMrkMultiKeyringInput |
| 36 | +from aws_cryptographic_materialproviders.mpl.references import IKeyring |
| 37 | +from typing import Dict |
| 38 | + |
| 39 | +import aws_encryption_sdk |
| 40 | +from aws_encryption_sdk import CommitmentPolicy |
| 41 | + |
| 42 | +# TODO-MPL: Remove this as part of removing PYTHONPATH hacks. |
| 43 | +MODULE_ROOT_DIR = '/'.join(__file__.split("/")[:-1]) |
| 44 | + |
| 45 | +sys.path.append(MODULE_ROOT_DIR) |
| 46 | + |
| 47 | +EXAMPLE_DATA: bytes = b"Hello World" |
| 48 | + |
| 49 | + |
| 50 | +def encrypt_and_decrypt_with_keyring( |
| 51 | + mrk_key_id: str, |
| 52 | + kms_key_id: str, |
| 53 | + mrk_replica_key_id: str, |
| 54 | + mrk_replica_decrypt_region: str |
| 55 | +): |
| 56 | + """Demonstrate an encrypt/decrypt cycle using a Multi-Keyring made |
| 57 | + up of multiple AWS KMS MRK Keyrings |
| 58 | +
|
| 59 | + Usage: encrypt_and_decrypt_with_keyring(mrk_key_id, |
| 60 | + kms_key_id, |
| 61 | + mrk_replica_key_id, |
| 62 | + mrk_replica_decrypt_region) |
| 63 | + :param mrk_key_id: KMS Key identifier for an AWS KMS multi-region key (MRK) located in your |
| 64 | + default region |
| 65 | + :type mrk_key_id: string |
| 66 | + :param kms_key_id: KMS Key identifier for a KMS key, possibly located in a different region |
| 67 | + than the MRK |
| 68 | + :type kms_key_id: string |
| 69 | + :param mrk_replica_key_id: KMS Key identifier for an MRK that is a replica of the |
| 70 | + `mrk_key_id` in a second region. |
| 71 | + :type mrk_replica_key_id: string |
| 72 | + :param mrk_replica_decrypt_region: The second region where the MRK replica is located |
| 73 | + :type mrk_replica_decrypt_region: string |
| 74 | +
|
| 75 | + For more information on KMS Key identifiers for multi-region keys, see |
| 76 | + https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id |
| 77 | + """ |
| 78 | + # 1. Instantiate the encryption SDK client. |
| 79 | + # This builds the client with the REQUIRE_ENCRYPT_REQUIRE_DECRYPT commitment policy, |
| 80 | + # which enforces that this client only encrypts using committing algorithm suites and enforces |
| 81 | + # that this client will only decrypt encrypted messages that were created with a committing |
| 82 | + # algorithm suite. |
| 83 | + # This is the default commitment policy if you were to build the client as |
| 84 | + # `client = aws_encryption_sdk.EncryptionSDKClient()`. |
| 85 | + client = aws_encryption_sdk.EncryptionSDKClient( |
| 86 | + commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT |
| 87 | + ) |
| 88 | + |
| 89 | + # 2. Create encryption context. |
| 90 | + # Remember that your encryption context is NOT SECRET. |
| 91 | + # For more information, see |
| 92 | + # https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context |
| 93 | + encryption_context: Dict[str, str] = { |
| 94 | + "encryption": "context", |
| 95 | + "is not": "secret", |
| 96 | + "but adds": "useful metadata", |
| 97 | + "that can help you": "be confident that", |
| 98 | + "the data you are handling": "is what you think it is", |
| 99 | + } |
| 100 | + |
| 101 | + # 3. Create an AwsKmsMrkMultiKeyring that protects your data under two different KMS Keys. |
| 102 | + # The Keys can either be regular KMS keys or MRKs. |
| 103 | + # Either KMS Key individually is capable of decrypting data encrypted under this keyring. |
| 104 | + mat_prov: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( |
| 105 | + config=MaterialProvidersConfig() |
| 106 | + ) |
| 107 | + |
| 108 | + kms_mrk_multi_keyring_input: CreateAwsKmsMrkMultiKeyringInput =\ |
| 109 | + CreateAwsKmsMrkMultiKeyringInput( |
| 110 | + generator=mrk_key_id, |
| 111 | + kms_key_ids=[kms_key_id] |
| 112 | + ) |
| 113 | + |
| 114 | + kms_mrk_multi_keyring: IKeyring = mat_prov.create_aws_kms_mrk_multi_keyring( |
| 115 | + input=kms_mrk_multi_keyring_input |
| 116 | + ) |
| 117 | + |
| 118 | + # 4. Encrypt the data with the encryptionContext using the kms_mrk_multi_keyring. |
| 119 | + ciphertext, _ = client.encrypt( |
| 120 | + source=EXAMPLE_DATA, |
| 121 | + keyring=kms_mrk_multi_keyring, |
| 122 | + encryption_context=encryption_context |
| 123 | + ) |
| 124 | + |
| 125 | + # 5. Demonstrate that the ciphertext and plaintext are different. |
| 126 | + # (This is an example for demonstration; you do not need to do this in your own code.) |
| 127 | + assert ciphertext != EXAMPLE_DATA, \ |
| 128 | + "Ciphertext and plaintext data are the same. Invalid encryption" |
| 129 | + |
| 130 | + # 6. Decrypt your encrypted data using the same AwsKmsMrkMultiKeyring you used on encrypt. |
| 131 | + # It will decrypt the data using the generator key (in this case, the MRK), since that is |
| 132 | + # the first available KMS key on the keyring that is capable of decrypting the data. |
| 133 | + plaintext_bytes, dec_header = client.decrypt( |
| 134 | + source=ciphertext, |
| 135 | + keyring=kms_mrk_multi_keyring |
| 136 | + ) |
| 137 | + |
| 138 | + # 7. Demonstrate that the encryption context is correct in the decrypted message header |
| 139 | + # (This is an example for demonstration; you do not need to do this in your own code.) |
| 140 | + for k, v in encryption_context.items(): |
| 141 | + assert v == dec_header.encryption_context[k], \ |
| 142 | + "Encryption context does not match expected values" |
| 143 | + |
| 144 | + # 8. Demonstrate that the decrypted plaintext is identical to the original plaintext. |
| 145 | + # (This is an example for demonstration; you do not need to do this in your own code.) |
| 146 | + assert plaintext_bytes == EXAMPLE_DATA |
| 147 | + |
| 148 | + # Demonstrate that a single AwsKmsMrkKeyring configured with a replica of the MRK from the |
| 149 | + # multi-keyring used to encrypt the data is also capable of decrypting the data. |
| 150 | + # (This is an example for demonstration; you do not need to do this in your own code.) |
| 151 | + |
| 152 | + # 9. Create a single AwsKmsMrkKeyring with the replica KMS MRK from the second region. |
| 153 | + |
| 154 | + # Create a boto3 client for KMS in the second region which is the region for mrk_replica_key_id. |
| 155 | + second_region_kms_client = boto3.client('kms', region_name=mrk_replica_decrypt_region) |
| 156 | + |
| 157 | + second_region_mrk_keyring_input: CreateAwsKmsMrkKeyringInput = CreateAwsKmsMrkKeyringInput( |
| 158 | + kms_key_id=mrk_replica_key_id, |
| 159 | + kms_client=second_region_kms_client |
| 160 | + ) |
| 161 | + |
| 162 | + second_region_mrk_keyring: IKeyring = mat_prov.create_aws_kms_mrk_keyring( |
| 163 | + input=second_region_mrk_keyring_input |
| 164 | + ) |
| 165 | + |
| 166 | + # 10. Decrypt your encrypted data using the second region AwsKmsMrkKeyring |
| 167 | + plaintext_bytes_second_region, dec_header_second_region = client.decrypt( |
| 168 | + source=ciphertext, |
| 169 | + keyring=second_region_mrk_keyring |
| 170 | + ) |
| 171 | + |
| 172 | + # 11. Demonstrate that the encryption context is correct in the decrypted message header |
| 173 | + # (This is an example for demonstration; you do not need to do this in your own code.) |
| 174 | + for k, v in encryption_context.items(): |
| 175 | + assert v == dec_header_second_region.encryption_context[k], \ |
| 176 | + "Encryption context does not match expected values" |
| 177 | + |
| 178 | + # 12. Demonstrate that the decrypted plaintext is identical to the original plaintext. |
| 179 | + # (This is an example for demonstration; you do not need to do this in your own code.) |
| 180 | + assert plaintext_bytes_second_region == EXAMPLE_DATA |
| 181 | + |
| 182 | + # Not shown in this example: A KMS Keyring created with `kms_key_id` could also |
| 183 | + # decrypt this message. |
0 commit comments