Using the AWS Encryption SDK with AWS KMS - AWS Encryption SDK

Using the AWS Encryption SDK with AWS KMS

To use the AWS Encryption SDK, you need to configure keyrings or master key providers with wrapping keys. If you don't have a key infrastructure, we recommend using AWS Key Management Service (AWS KMS). Many of the code examples in the AWS Encryption SDK require an AWS KMS key.

To interact with AWS KMS, the AWS Encryption SDK requires the AWS SDK for your preferred programming language. The AWS Encryption SDK client library works with the AWS SDKs to support master keys stored in AWS KMS.

To prepare to use the AWS Encryption SDK with AWS KMS

  1. Create an AWS account. To learn how, see How do I create and activate a new Amazon Web Services account? in the AWS Knowledge Center.

  2. Create a symmetric encryption AWS KMS key. For help, see Creating Keys in the AWS Key Management Service Developer Guide.

    Tip

    To use the AWS KMS key programmatically, you will need the key ID or Amazon Resource Name (ARN) of the AWS KMS key. For help finding the ID or ARN of an AWS KMS key, see Finding the Key ID and ARN in the AWS Key Management Service Developer Guide.

  3. Generate an access key ID and security access key. You can use either the access key ID and secret access key for an IAM user or you can use the AWS Security Token Service to create a new session with temporary security credentials that include an access key ID, secret access key, and session token. As a security best practice, we recommend that you use temporary credentials instead of the long-term credentials associated with your IAM user or AWS (root) user accounts.

    To create an IAM user with an access key, see Creating IAM Users in the IAM User Guide.

    To generate temporary security credentials, see Requesting temporary security credentials in the IAM User Guide.

  4. Set your AWS credentials using the instructions in the AWS SDK for Java, AWS SDK for JavaScript, AWS SDK for Python (Boto) or AWS SDK for C++ (for C), and the access key ID and secret access key that you generated in step 3. If you generated temporary credentials, you will also need to specify the session token.

    This procedure allows AWS SDKs to sign requests to AWS for you. Code samples in the AWS Encryption SDK that interact with AWS KMS assume that you have completed this step.

  5. Download and install the AWS Encryption SDK. To learn how, see the installation instructions for the programming language that you want to use.