AWS Encryption SDK
Developer Guide

What Is the AWS Encryption SDK?

The AWS Encryption SDK is an encryption library that makes it easier for you to implement encryption best practices in your application. It enables you to focus on the core functionality of your application, rather than on how best to encrypt and decrypt your data.

The AWS Encryption SDK answers questions like the following for you:

  • Which encryption algorithm should I use?

  • How, or in which mode, should I use that algorithm?

  • How do I generate the encryption key?

  • How do I protect the encryption key, and where should I store it?

  • How can I make my encrypted data portable?

  • How do I ensure that the intended recipient can read my encrypted data?

  • How can I ensure my encrypted data is not modified between the time it is written and when it is read?

Without the AWS Encryption SDK, you might spend more effort on building an encryption solution than on the core functionality of your application. The AWS Encryption SDK answers these questions by providing the following.

A Default Implementation that Adheres to Cryptography Best Practices

The AWS Encryption SDK generates a unique data encryption key (DEK) for each data object it encrypts. This follows the cryptography best practice of using unique DEKs for each encryption operation.

The SDK encrypts your data using a secure, authenticated, symmetric key algorithm. For more information, see Supported Algorithms.

A Data Format that Stores Encrypted DEKs with the Corresponding Encrypted Data

The AWS Encryption SDK uses a defined data format to store the encrypted DEKs and encrypted data together as one object. This means you don't need to keep track of or protect the DEKs that encrypt your data because the SDK does it for you.

A Framework for Protecting DEKs with Master Keys

The AWS Encryption SDK protects the DEKs that encrypt your data by encrypting them with one or more master keys. By providing a framework to encrypt DEKs with more than one master key, the SDK helps make your encrypted data portable. For example, you can encrypt data under multiple customer master keys (CMKs) in AWS Key Management Service (AWS KMS), each in a different AWS Region. Then you can copy the encrypted data to any of the regions and decrypt it without a dependency on the others. You can also encrypt data under a CMK in AWS KMS and a master key in an on-premises HSM, enabling you to later decrypt the data even if one master key is unavailable.

With the AWS Encryption SDK, you define a master key provider, which represents one or more master keys. Then you encrypt and decrypt your data using straightforward methods provided by the SDK. The SDK does the rest.
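The following program is an added illustration of the envelope-encryption pattern described in the last three sections; it is not code from the AWS Encryption SDK or its API. A fresh data encryption key (DEK) is generated for each call, the data is encrypted with an authenticated algorithm (AES-256-GCM), the DEK is wrapped under every master key in a provider, and the wrapped DEKs travel with the ciphertext as one message, so that any single master key is enough to decrypt. The master keys here are hypothetical in-memory AES keys standing in for KMS CMKs or HSM keys, and all type and function names are assumptions chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// MasterKey is a hypothetical stand-in for one master key in a provider
// (for example, a KMS CMK in one region). The real SDK never holds KMS
// key material in memory; this is only to make the example self-contained.
type MasterKey struct {
	ID  string
	key []byte
}

// EncryptedDataKey is one copy of the DEK wrapped under one master key.
type EncryptedDataKey struct {
	MasterKeyID string
	Nonce       []byte
	Wrapped     []byte
}

// Message models the idea of a data format in which the encrypted DEKs
// are stored together with the encrypted data as a single object.
type Message struct {
	EncryptedDataKeys []EncryptedDataKey
	Nonce             []byte
	Ciphertext        []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewMasterKey creates a random 256-bit master key under the given ID.
func NewMasterKey(id string) (*MasterKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &MasterKey{ID: id, key: k}, nil
}

// Encrypt generates a unique DEK for this call, encrypts plaintext with
// AES-256-GCM, and wraps the DEK under every master key in the provider.
func Encrypt(provider []*MasterKey, plaintext, aad []byte) (*Message, error) {
	if len(provider) == 0 {
		return nil, errors.New("master key provider has no keys")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	msg := &Message{}
	for _, mk := range provider {
		aead, err := newGCM(mk.key)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// The master key ID is bound as additional data so a wrapped DEK
		// cannot be re-attributed to a different master key undetected.
		wrapped := aead.Seal(nil, nonce, dek, []byte(mk.ID))
		msg.EncryptedDataKeys = append(msg.EncryptedDataKeys,
			EncryptedDataKey{MasterKeyID: mk.ID, Nonce: nonce, Wrapped: wrapped})
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	msg.Nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(msg.Nonce); err != nil {
		return nil, err
	}
	msg.Ciphertext = aead.Seal(nil, msg.Nonce, plaintext, aad)
	for i := range dek { // only the wrapped copies of the DEK survive
		dek[i] = 0
	}
	return msg, nil
}

// Decrypt succeeds with any one available master key that matches one of
// the wrapped DEKs; the other master keys need not be reachable.
func Decrypt(available []*MasterKey, msg *Message, aad []byte) ([]byte, error) {
	for _, edk := range msg.EncryptedDataKeys {
		for _, mk := range available {
			if mk.ID != edk.MasterKeyID {
				continue
			}
			aead, err := newGCM(mk.key)
			if err != nil {
				return nil, err
			}
			dek, err := aead.Open(nil, edk.Nonce, edk.Wrapped, []byte(mk.ID))
			if err != nil {
				continue // key material does not match this ID; try others
			}
			dataAEAD, err := newGCM(dek)
			if err != nil {
				return nil, err
			}
			// GCM authentication fails here if the ciphertext was modified.
			return dataAEAD.Open(nil, msg.Nonce, msg.Ciphertext, aad)
		}
	}
	return nil, errors.New("no available master key can unwrap the data key")
}

func main() {
	usEast, _ := NewMasterKey("us-east-1/example-cmk") // constructed IDs
	euWest, _ := NewMasterKey("eu-west-1/example-cmk")
	aad := []byte("purpose=backup")
	msg, err := Encrypt([]*MasterKey{usEast, euWest}, []byte("payroll export"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt([]*MasterKey{euWest}, msg, aad) // only one region's key
	fmt.Printf("wrapped DEKs: %d, decrypted with eu-west-1 only: %q, err=%v\n",
		len(msg.EncryptedDataKeys), pt, err)
}
```

Because every call to Encrypt draws a new DEK, two encryptions of the same plaintext produce unrelated ciphertexts, and because the DEK and the data are both protected with an AEAD, any modification of the wrapped keys or the ciphertext between writing and reading is rejected at decrypt time.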

For more information about how this SDK works, see How the SDK Works.

To get started, see Getting Started.

The SDK is provided for free under the Apache license.