AWS Key Management Service
Developer Guide

Reference: AWS KMS and Cryptography Terminology

This section provides a brief glossary of terms for working with encryption in AWS KMS.

  • Additional authenticated data (AAD)

    Provides both data integrity and authenticity by using additional authenticated data during the encryption process. The AAD is authenticated but not encrypted. Using AAD with authenticated encryption enables the decryption process to detect any changes that may have been made to either the ciphertext or the additional authenticated data after encryption.

  • Authentication

    The process of determining whether an entity is who it claims to be, or that information has not been manipulated by unauthorized entities.

  • Authorization

    Specifies an entity's legitimate access to a resource.

  • Block cipher modes

    Encrypts plaintext to ciphertext where the plaintext and ciphertext are of arbitrary length. Modes are typically used to encrypt something that is longer than one block.

  • Block ciphers

    An algorithm that operates on blocks of data, one block at a time.

  • Data key

    A symmetric key generated by AWS KMS for your service. Inside of your service or custom application, the data key is used to encrypt or decrypt data. It can be considered a resource by a service or application, or it can simply be metadata associated with the encrypted data.

  • Decryption

    The process of turning ciphertext back into the form it had before encryption. A decrypted message is called plaintext.

  • Encryption

    The process of providing data confidentiality to a plaintext message. An encrypted message is called ciphertext.

  • Encryption context

    AWS KMS-specific AAD in the form of "key":"value" pairs. Although not encrypted, it is bound to the ciphertext during encryption and must be passed again during decryption. If the encryption context passed for encryption is not the same as the encryption context passed for decryption, or the ciphertext has been changed, the decryption process will fail.

  • Master key

    A key created by AWS KMS that can only be used within the AWS KMS service. The master key is commonly used to encrypt data keys so that the encrypted key can be securely stored by your service. However, AWS KMS master keys can also be used to encrypt or decrypt arbitrary chunks of data that are no greater than 4 KiB. Master keys are categorized as either customer managed keys or AWS managed keys. Customer managed keys are created by a customer for use by a service or application. AWS managed keys are the default keys used by AWS services that support encryption.
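    The following example, added to this glossary and not taken from the AWS KMS Developer Guide or the AWS SDKs, ties together the AAD, data key, encryption context and master key entries above in one runnable model. AWS KMS performs AES-GCM inside its HSMs; to run offline with only the Python standard library, this example assumes a substitute authenticated-encryption scheme (an HMAC-SHA256 counter keystream with an HMAC tag over AAD, nonce and ciphertext). The `SimulatedKms` class, the `envelope_encrypt`/`envelope_decrypt` functions and the sample encryption context are all constructed for illustration; what carries over is the behaviour: the master key never leaves the service object, direct encryption is limited to 4 KiB, the data key is encrypted under the master key with the encryption context as AAD, and decryption fails when either the ciphertext or the context has changed.

```python
# Added example: a stdlib-only model of envelope encryption with an encryption
# context. The AEAD below is a stand-in for the AES-GCM that AWS KMS uses.
import hashlib
import hmac
import json
import os

MAX_DIRECT_ENCRYPT_BYTES = 4096  # 4 KiB limit on encrypting directly under a master key

def _canonical_aad(context):
    # The context is a set of "key":"value" pairs; canonicalise so that pair order
    # does not matter (assumption: mirrors KMS treating the pairs as a set).
    return json.dumps(context or {}, sort_keys=True, separators=(",", ":")).encode()

def _subkeys(key):
    # Separate encryption and MAC keys derived from the one secret key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher mode).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(mac_key, aad, nonce, ct):
    # The tag covers AAD length, AAD, nonce and ciphertext: changing any of them is detected.
    return hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()

def aead_encrypt(key, plaintext, context=None):
    """Encrypt plaintext; the context (AAD) is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, _canonical_aad(context), nonce, ct)

def aead_decrypt(key, blob, context=None):
    """Decrypt; raises ValueError if the ciphertext or the context was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = _tag(mac_key, _canonical_aad(context), nonce, ct)
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("decryption failed: ciphertext or encryption context changed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class SimulatedKms:
    """Holds a master key that never leaves this object (the service boundary)."""

    def __init__(self):
        self._master_key = os.urandom(32)

    def encrypt(self, plaintext, context=None):
        # Direct encryption under the master key, limited to 4 KiB as the glossary states.
        if len(plaintext) > MAX_DIRECT_ENCRYPT_BYTES:
            raise ValueError("plaintext exceeds 4 KiB; use a data key instead")
        return aead_encrypt(self._master_key, plaintext, context)

    def decrypt(self, ciphertext, context=None):
        return aead_decrypt(self._master_key, ciphertext, context)

    def generate_data_key(self, context=None):
        # Plaintext data key for local use plus its encrypted form for storage as metadata.
        data_key = os.urandom(32)
        return data_key, self.encrypt(data_key, context)

def envelope_encrypt(kms, plaintext, context):
    """Encrypt locally with a data key; keep only the encrypted data key alongside the data."""
    data_key, encrypted_data_key = kms.generate_data_key(context)
    return {"encrypted_data_key": encrypted_data_key, "body": aead_encrypt(data_key, plaintext, context)}

def envelope_decrypt(kms, record, context):
    data_key = kms.decrypt(record["encrypted_data_key"], context)  # fails on a wrong context
    return aead_decrypt(data_key, record["body"], context)

def demo():
    """Round trip, then a context mismatch and a tampered ciphertext (both must fail)."""
    kms = SimulatedKms()
    context = {"purpose": "customer-records", "tenant": "example"}  # constructed sample
    record = envelope_encrypt(kms, b"account balance: 42", context)
    ok = envelope_decrypt(kms, record, context)
    wrong_context = tampered_result = None
    try:
        envelope_decrypt(kms, record, {"purpose": "customer-records", "tenant": "other"})
    except ValueError as e:
        wrong_context = str(e)
    body = record["body"]
    tampered = {"encrypted_data_key": record["encrypted_data_key"],
                "body": body[:20] + bytes([body[20] ^ 0x01]) + body[21:]}  # flip one ciphertext bit
    try:
        envelope_decrypt(kms, tampered, context)
    except ValueError as e:
        tampered_result = str(e)
    return ok, wrong_context, tampered_result
```

Running `demo()` returns the recovered plaintext together with the two failure messages. The design point worth noticing is that the encryption context is checked before the data key is ever released: a caller supplying the wrong context does not get a data key that decrypts to garbage, it gets no data key at all.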

  • Symmetric key cryptography

    Uses a single secret key to encrypt and decrypt a message.