AWS Encryption SDK
Developer Guide

Getting Started with the AWS Encryption SDK

To use the AWS Encryption SDK, you need a master key provider. If you don't have one, we recommend using AWS Key Management Service (AWS KMS). Many of the code samples in the AWS Encryption SDK require an AWS KMS customer master key (CMK).

To interact with AWS KMS, you need to use the AWS SDK for your preferred programming language, such as the AWS SDK for Java or the AWS SDK for Python (Boto). The AWS Encryption SDK client library works with the AWS SDKs to support master keys stored in AWS KMS.

To prepare to use the AWS Encryption SDK with AWS KMS

  1. Create an AWS account. To learn how, see How do I create and activate a new Amazon Web Services account? in the AWS Knowledge Center.

  2. Create a customer master key (CMK) in AWS KMS. To learn how, see Creating Keys in the AWS Key Management Service Developer Guide.

    Tip

    To use the CMK programmatically, you will need the ID or Amazon Resource Name (ARN) of the CMK. For help finding the ID or ARN of a CMK, see Viewing Keys in the AWS Key Management Service Developer Guide.

  3. Create an IAM user with an access key. To learn how, see Creating IAM Users in the IAM User Guide. When you create the user, for Access type, choose Programmatic access. After you create the user, choose Download.csv to save the AWS access key that represents your user credentials. Store the file in a secure location.

    We recommend that you use AWS Identity and Access Management (IAM) access keys instead of AWS (root) account access keys. IAM lets you securely control access to AWS services and resources in your AWS account. For detailed best practice guidance, see Best Practices for Managing AWS Access Keys.

    The Download.csv file contains an AWS access key ID and a secret access key that together represent the AWS credentials of the user that you created. When you write code without using an AWS SDK, you use your access key to sign your requests to AWS. The signature assures AWS that the request came from you and was not changed in transit. However, when you use an AWS SDK, such as the AWS SDK for Java, the SDK signs all requests to AWS for you.

  4. Set your AWS credentials using the instructions for Java or Python and the AWS access key in the Download.csv file that you downloaded in Step 3.

    This procedure allows AWS SDKs to sign requests to AWS for you. Code samples in the AWS Encryption SDK that interact with AWS KMS assume that you have completed this step.

  5. Download and install the AWS Encryption SDK. To learn how, see the installation instructions for the programming language that you want to use.
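Step 3 says that without an AWS SDK you sign requests yourself with the access key. The following added example (not part of the AWS guide) sketches that signing with Signature Version 4 for a request that has no query string, showing that the secret key never leaves your machine and that any change to the request changes the signature. The credentials are the placeholder values used in AWS documentation; the key ARN, timestamp and Region are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample input. The secret is the AWS documentation placeholder,
# not a real key; the key ARN below is a placeholder as well.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
HOST, REGION, SERVICE = "kms.us-west-2.amazonaws.com", "us-west-2", "kms"
AMZ_DATE = "20200101T000000Z"
HEADERS = {"Content-Type": "application/x-amz-json-1.1",
           "X-Amz-Target": "TrentService.GenerateDataKey"}
BODY = (b'{"KeyId": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID",'
        b' "KeySpec": "AES_256"}')


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the key scoped to one day, Region and service from the secret."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def sign_request(secret, method, host, path, headers, body, amz_date, region, service):
    """Return (signed_headers, hex_signature) for a request with no query string."""
    all_headers = {"host": host, "x-amz-date": amz_date}
    all_headers.update({k.lower(): v.strip() for k, v in headers.items()})
    names = sorted(all_headers)
    canonical_headers = "".join(f"{n}:{all_headers[n]}\n" for n in names)
    payload_hash = hashlib.sha256(body).hexdigest()
    # Method, path, empty query string, headers, signed header list, body hash.
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, ";".join(names), payload_hash])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    key = signing_key(secret, amz_date[:8], region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return ";".join(names), signature


if __name__ == "__main__":
    hdrs, sig = sign_request(SECRET_ACCESS_KEY, "POST", HOST, "/", HEADERS, BODY,
                             AMZ_DATE, REGION, SERVICE)
    print(f"Authorization: AWS4-HMAC-SHA256 Credential={ACCESS_KEY_ID}/{AMZ_DATE[:8]}/"
          f"{REGION}/{SERVICE}/aws4_request, SignedHeaders={hdrs}, Signature={sig}")
```

Only the access key ID and the signature travel with the request, which is why a leaked Download.csv file is enough for someone else to produce valid signatures.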