

# Using the AWS Database Encryption SDK with AWS KMS
<a name="using-kms"></a>


**Note**  
Our client-side encryption library was renamed to the AWS Database Encryption SDK. This developer guide still provides information on the [DynamoDB Encryption Client](legacy-dynamodb-encryption-client.md).

To use the AWS Database Encryption SDK, you need to configure a [keyring](keyrings.md) and specify one or more wrapping keys. If you don't have a key infrastructure, we recommend using [AWS Key Management Service (AWS KMS)](https://aws.amazon.com/kms/).

The AWS Database Encryption SDK supports two types of AWS KMS keyrings. The traditional [AWS KMS keyring](use-kms-keyring.md) uses [AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) to generate, encrypt, and decrypt data keys. You can use either symmetric encryption (`SYMMETRIC_DEFAULT`) or asymmetric RSA KMS keys. Because the AWS Database Encryption SDK encrypts and signs every record with a unique data key, the AWS KMS keyring must call AWS KMS for every encrypt and decrypt operation; as a consequence, the KMS key policy and the caller's IAM permissions are evaluated on every record.

For applications that need to minimize the number of calls to AWS KMS, the AWS Database Encryption SDK also supports the [AWS KMS Hierarchical keyring](use-hierarchical-keyring.md). The Hierarchical keyring is a cryptographic materials caching solution that reduces the number of AWS KMS calls by using AWS KMS protected *branch keys* persisted in an Amazon DynamoDB table, and then locally caching the branch key materials used in encrypt and decrypt operations. While branch key materials are cached, records protected by that branch key are encrypted and decrypted without calling AWS KMS, so a change to the key policy or to the caller's permissions takes effect only after the cached entry expires. We recommend using the AWS KMS keyrings whenever possible.

To interact with AWS KMS, the AWS Database Encryption SDK requires the AWS KMS module of the AWS SDK for Java.

**To prepare to use the AWS Database Encryption SDK with AWS KMS**

1. Create an AWS account. To learn how, see [How do I create and activate a new Amazon Web Services account?](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/) in the AWS Knowledge Center.

1. Create a symmetric encryption AWS KMS key. For help, see [Creating Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service Developer Guide*.
**Tip**  
To use the AWS KMS key programmatically, you will need the Amazon Resource Name (ARN) of the AWS KMS key. For help finding the ARN of an AWS KMS key, see [Finding the Key ID and ARN](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) in the *AWS Key Management Service Developer Guide*.

1. Generate an access key ID and secret access key. You can use the access key ID and secret access key of an IAM user, or you can use the AWS Security Token Service (AWS STS) to create a new session with temporary security credentials that include an access key ID, secret access key, and session token. As a security best practice, we recommend that you use temporary credentials instead of the long-term credentials associated with an IAM user or with the AWS account root user.

   To create an IAM user with an access key, see [Creating IAM Users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console) in the *IAM User Guide*.

   To generate temporary security credentials, see [Requesting temporary security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) in the *IAM User Guide*.

1. Set your AWS credentials using the instructions in the [AWS SDK for Java](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/setup-credentials.html) and the access key ID and secret access key that you generated in step 3. If you generated temporary credentials, you will also need to specify the session token.

   This procedure allows AWS SDKs to sign requests to AWS for you. Code samples in the AWS Database Encryption SDK that interact with AWS KMS assume that you have completed this step.
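The following example ties the procedure above together and also shows the AWS KMS keyring described earlier on this page: it obtains temporary credentials through AWS STS (step 3), hands them to the AWS SDK for Java so that requests are signed (step 4), and then creates an AWS KMS keyring from the key ARN of the symmetric encryption KMS key (step 2). It is an added example, not code from this developer guide or from the AWS Database Encryption SDK project. It assumes the AWS SDK for Java v2 (`kms` and `sts` modules) and the AWS Cryptographic Material Providers Library on the classpath; the key ARN, role ARN, region, and the class name `KmsKeyringSetup` are placeholders.

```java
// Added example (not from the AWS documentation page).
// Assumes AWS SDK for Java v2 (kms + sts modules) and the Material Providers Library.
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.cryptography.materialproviders.IKeyring;
import software.amazon.cryptography.materialproviders.MaterialProviders;
import software.amazon.cryptography.materialproviders.model.CreateAwsKmsKeyringInput;
import software.amazon.cryptography.materialproviders.model.MaterialProvidersConfig;

public class KmsKeyringSetup {

    // Placeholder identifiers: replace with the key ARN from step 2 and a role you can assume.
    static final String KMS_KEY_ARN =
            "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";
    static final String ROLE_ARN = "arn:aws:iam::111122223333:role/DbEsdkAppRole";

    /**
     * Step 3: temporary credentials from AWS STS instead of long-term IAM user keys.
     * The provider calls AssumeRole and refreshes the session before it expires, so the
     * session token is never handled by application code.
     */
    static AwsCredentialsProvider temporaryCredentials(Region region) {
        StsClient sts = StsClient.builder()
                .region(region)
                // Bootstrap credentials come from the default chain configured in step 4
                // (environment variables, shared credentials file, or an instance/container role).
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();
        return StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(AssumeRoleRequest.builder()
                        .roleArn(ROLE_ARN)
                        .roleSessionName("db-esdk-session")
                        .durationSeconds(3600)
                        .build())
                .build();
    }

    /**
     * Step 2 applied: an AWS KMS keyring that wraps every record's data key under the
     * given symmetric encryption KMS key. Each encrypt and decrypt call on this keyring
     * goes to AWS KMS, where the key policy and the assumed role's permissions are enforced.
     */
    static IKeyring createKmsKeyring(Region region, AwsCredentialsProvider creds) {
        KmsClient kms = KmsClient.builder()
                .region(region)
                .credentialsProvider(creds) // every KMS request is signed with the STS session
                .build();

        MaterialProviders matProv = MaterialProviders.builder()
                .MaterialProvidersConfig(MaterialProvidersConfig.builder().build())
                .build();

        CreateAwsKmsKeyringInput input = CreateAwsKmsKeyringInput.builder()
                .kmsKeyId(KMS_KEY_ARN) // the key ARN from the Tip in step 2
                .kmsClient(kms)
                .build();
        return matProv.CreateAwsKmsKeyring(input);
    }

    public static void main(String[] args) {
        Region region = Region.US_WEST_2; // placeholder; use the region of your KMS key
        IKeyring keyring = createKmsKeyring(region, temporaryCredentials(region));
        System.out.println("AWS KMS keyring created for " + KMS_KEY_ARN + ": " + keyring);
    }
}
```

Passing the key ARN (rather than a bare key ID or alias) to `kmsKeyId` is deliberate: the ARN carries the region and account, so the keyring cannot be silently pointed at a different key of the same name, and the assumed role only needs permission on that one key. If `AssumeRole` or the KMS call fails with an access-denied error, check the role's trust policy, the role's IAM permissions, and the KMS key policy in that order.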