What is the AWS Database Encryption SDK?
| Our client-side encryption library was renamed to the AWS Database Encryption SDK. This developer guide still provides information on the DynamoDB Encryption Client. |
The AWS Database Encryption SDK is a set of software libraries that enable you to include client-side encryption in your database design. The AWS Database Encryption SDK provides record-level encryption solutions. You specify which fields are encrypted and which fields are included in the signatures that ensure the authenticity of your data. Encrypting your sensitive data in transit and at rest helps ensure that your plaintext data isn’t available to any third party, including AWS. The AWS Database Encryption SDK is provided free of charge under the Apache 2.0 license.
This developer guide provides a conceptual overview of the AWS Database Encryption SDK, including an introduction to its architecture, details about how it protects your data, how it differs from server-side encryption, and guidance on selecting critical components for your application to help you get started.
The AWS Database Encryption SDK supports Amazon DynamoDB with attribute-level encryption. Version 3.x of the Java client-side encryption library for DynamoDB is a major rewrite of the DynamoDB Encryption Client for Java. It includes many updates, such as a new structured data format, improved multitenancy support, searchable encryption, and support for seamless schema changes.
The AWS Database Encryption SDK has the following benefits:
- Designed especially for database applications
-
You don’t need to be a cryptography expert to use the AWS Database Encryption SDK. The implementations include helper methods that are designed to work with your existing applications.
After you create and configure the required components, the encryption client transparently encrypts and signs your records when you add them to a database, and verifies and decrypts them when you retrieve them.
- Includes secure encryption and signing
-
The AWS Database Encryption SDK includes secure implementations that encrypt the field values in each record using a unique data encryption key, and then sign the record to protect it against unauthorized changes, such as adding or deleting fields, or swapping encrypted values.
- Uses cryptographic materials from any source
-
The AWS Database Encryption SDK uses keyrings to generate, encrypt, and decrypt the unique data encryption key that protects your record. Keyrings determine the wrapping keys that encrypt that data key.
You can use wrapping keys from any source, including cryptography services, such as AWS Key Management Service (AWS KMS) or AWS CloudHSM. The AWS Database Encryption SDK doesn't require an AWS account or any AWS service.
- Support for cryptographic materials caching
-
The AWS KMS Hierarchical keyring is a cryptographic materials caching solution that reduces the number of AWS KMS calls by using AWS KMS protected branch keys persisted in an Amazon DynamoDB table, and then locally caching branch key materials used in encrypt and decrypt operations. It allows you to protect your cryptographic materials under a symmetric encryption KMS key without calling AWS KMS every time you encrypt or decrypt a record. The AWS KMS Hierarchical keyring is a good choice for applications that need to minimize calls to AWS KMS.
- Searchable encryption
-
You can design databases that can search encrypted records without decrypting the entire database. Depending on your threat model and query requirements, you can use searchable encryption to perform exact match searches or more customized complex queries on your encrypted database.
- Support for multitenant database schemas
-
The AWS Database Encryption SDK enables you to protect data stored in databases with a shared schema by isolating each tenant with distinct encryption materials. If you have multiple users performing encrypt operations within your database, use one of the AWS KMS keyrings to provide each user with a distinct key to use in their cryptographic operations. For more information, see Working with multitenant databases.
- Support for seamless schema updates
-
When you configure the AWS Database Encryption SDK, you provide cryptographic actions that tell the client which fields to encrypt and sign, which fields to sign (but not encrypt), and which to ignore. After you have used the AWS Database Encryption SDK to protect your records, you can still make changes to your data model. You can update your cryptographic actions, such as adding or removing encrypted fields, in a single deployment.
Developed in open-source repositories
The AWS Database Encryption SDK is developed in open-source repositories on GitHub. You can use these repositories to view the code, read and submit issues, and find information that is specific to your implementation.
The AWS Database Encryption SDK for DynamoDB
-
The aws-database-encryption-sdk-dynamodb
repository on GitHub supports version 3.x and later of the AWS Database Encryption SDK for DynamoDB in Java and .NET. Version 3.x of the AWS Database Encryption SDK for DynamoDB is a product of Dafny
, a verification-aware language in which you write specifications, the code to implement them, and the proofs to test them. The result is a library that implements the features of the AWS Database Encryption SDK for DynamoDB in a framework that assures functional correctness.
Support and maintenance
The AWS Database Encryption SDK uses the same maintenance policy that the AWS SDK and Tools use, including its versioning and lifecycle phases. As a best practice, we recommend that you use the latest available version of the AWS Database Encryption SDK for your database implementation, and upgrade as new versions are released.
For more information, see the AWS SDKs and Tools maintenance policy in the AWS SDKs and Tools Reference Guide.
Sending feedback
We welcome your feedback! If you have a question or comment, or an issue to report, please use the following resources.
If you discover a potential security vulnerability in the AWS Database Encryption SDK, please notify AWS security
To provide feedback on this documentation, use the feedback link on any page.
