AWS Key Management Service
Developer Guide

How Amazon WorkMail Uses AWS KMS

This topic discusses how Amazon WorkMail uses AWS KMS to encrypt email messages.

Amazon WorkMail Overview

Amazon WorkMail is an email service in the cloud that provides a cost-effective way for your organization to receive and send email and use calendars. Amazon WorkMail supports existing desktop and mobile clients and integrates with your existing corporate directory. Users can leverage their existing credentials to sign on to their email by using Microsoft Outlook, a mobile device, or a browser.

Using the Amazon WorkMail console, you can create an Amazon WorkMail organization and optionally assign to it one or more email domains that you own. Then you can create new email users and email distribution groups. Users can then send and receive messages. The messages are encrypted and stored until ready to be viewed.

Amazon WorkMail Encryption

Each end user you create is associated with one mailbox. Amazon WorkMail creates an asymmetric key pair for each mailbox and sends the private key portion of the key pair to AWS KMS to be encrypted under a customer master key (CMK). The CMK can be a custom key that you choose for your organization or the default Amazon WorkMail service CMK. The encrypted private key and unencrypted public key is then saved for later use.

Encrypting the private key

Each message received is encrypted by using a symmetric key dynamically generated by Amazon WorkMail. The symmetric key is then encrypted by using the public key associated with the user's mailbox. The encrypted symmetric key and the encrypted message and attachments are then stored.

Encrypting the message and the symmetric key

In asymmetric cryptography, data that is encrypted by using the public key can be decrypted only by using the corresponding private key. As mentioned above, however, Amazon WorkMail encrypts the private key by using an AWS KMS CMK. To make the private key ready to use, it must therefore be decrypted by using the same CMK used to encrypt it. Thus, when a user is ready to retrieve email messages, Amazon WorkMail sends the private key to AWS KMS for decryption and uses the plaintext private key returned by AWS KMS to decrypt the symmetric key that was used to encrypt the email message. Amazon WorkMail then uses the symmetric key to decrypt the message before presenting it to the user.

Decrypting the symmetric key and the message

Amazon WorkMail Encryption Context

Each service that is integrated with AWS KMS specifies an encryption context when requesting data keys, encrypting, and decrypting. The encryption context is additional authenticated information that AWS KMS uses to check for data integrity. That is, when an encryption context is specified for an encryption operation, the service also specifies it for the decryption operation or decryption will not succeed. The encryption context is written to your CloudTrail logs to help you understand why a given AWS KMS key was used. Amazon WorkMail uses the organization ID for the encryption context. In the requestParameters field of a CloudTrail log file, the encryption context will look similar to this.

"encryptionContext": {
    "aws:workmail:arn":"arn:aws:workmail:region:account ID:organization/organization ID"

The organization ID is a unique identifier that Amazon WorkMail generates when an organization is created. A customer can have multiple organizations in an AWS account. The following example shows an organization ID in the us-east-1 region.


For more information about the encryption context, see Encryption Context.