File: kms-example-encrypt-decrypt-file.rst

Package: python-boto3 1.26.27+dfsg-1 (Debian bookworm, main)
.. Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

   This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0
   International License (the "License"). You may not use this file except in compliance with the
   License. A copy of the License is located at http://creativecommons.org/licenses/by-nc-sa/4.0/.

   This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
   either express or implied. See the License for the specific language governing permissions and
   limitations under the License.

.. _aws-boto3-kms-examples-encrypt-decrypt-file:

**************************
Encrypt and decrypt a file
**************************

The example program uses AWS KMS keys to encrypt and decrypt a file.

A master key, also called a Customer Master Key or CMK, is created and used to generate a data key. 
The data key is then used to encrypt a disk file. The encrypted data key is stored within 
the encrypted file. To decrypt the file, the data key is decrypted and then used to decrypt 
the rest of the file. This manner of using master and data keys is called envelope encryption.

To encrypt and decrypt data, the example uses the well-known Python ``cryptography`` package. 
This package is not part of the Python standard library and must be installed separately, for
example, with the ``pip`` command.

::

    pip install cryptography

Each section describes a single function from the example's `entire
source file <https://github.com/awsdocs/aws-doc-sdk-examples/tree/master/python/example_code/kms/encrypt_decrypt_file.py>`_.


Retrieve an existing master key
===============================

Master keys are created, managed, and stored within AWS KMS. A KMS master key is also referred to
as a customer master key or CMK. An AWS storage cost is incurred for each CMK; therefore, one CMK is
often used to manage multiple data keys.

The example ``retrieve_cmk`` function searches for an existing CMK. A key description is specified 
when a CMK is created, and this description is used to identify and retrieve the desired key. If 
many CMKs exist, they are processed in batches until either the desired key is found or all keys are
examined.

If the example function finds the desired CMK, it returns both the CMK's ID and its ARN (Amazon 
Resource Name). Either of these identifiers can be used to reference the CMK in subsequent calls 
to AWS KMS methods.

.. code-block:: python

    # Imports and constant shared by all of the functions excerpted on this page
    import base64
    import logging

    import boto3
    from botocore.exceptions import ClientError
    from cryptography.fernet import Fernet

    # Size, in bytes, of the big-endian length prefix written before the
    # encrypted data key in the output file (4 in the full example source file)
    NUM_BYTES_FOR_LEN = 4


    def retrieve_cmk(desc):
        """Retrieve an existing KMS CMK based on its description

        :param desc: Description of CMK specified when the CMK was created
        :return Tuple(KeyId, KeyArn) where:
            KeyId: CMK ID
            KeyArn: Amazon Resource Name of CMK
        :return Tuple(None, None) if a CMK with the specified description was
        not found
        """

        # Retrieve a list of existing CMKs
        # If more than 100 keys exist, retrieve and process them in batches
        kms_client = boto3.client('kms')
        try:
            response = kms_client.list_keys()
        except ClientError as e:
            logging.error(e)
            return None, None

        done = False
        while not done:
            for cmk in response['Keys']:
                # Get info about the key, including its description
                try:
                    key_info = kms_client.describe_key(KeyId=cmk['KeyArn'])
                except ClientError as e:
                    logging.error(e)
                    return None, None

                # Is this the key we're looking for?
                if key_info['KeyMetadata']['Description'] == desc:
                    return cmk['KeyId'], cmk['KeyArn']

            # Are there more keys to retrieve?
            if not response['Truncated']:
                # No, the CMK was not found
                logging.debug('A CMK with the specified description was not found')
                done = True
            else:
                # Yes, retrieve another batch
                try:
                    response = kms_client.list_keys(Marker=response['NextMarker'])
                except ClientError as e:
                    logging.error(e)
                    return None, None

        # All existing CMKs were checked and the desired key was not found
        return None, None


Create a customer master key
============================

If the example does not find an existing CMK, it creates a new one and returns its ID and ARN.

.. code-block:: python

    def create_cmk(desc='Customer Master Key'):
        """Create a KMS Customer Master Key

        The created CMK is a Customer-managed key stored in AWS KMS.

        :param desc: key description
        :return Tuple(KeyId, KeyArn) where:
            KeyId: AWS globally-unique string ID
            KeyArn: Amazon Resource Name of the CMK
        :return Tuple(None, None) if error
        """

        # Create CMK
        kms_client = boto3.client('kms')
        try:
            response = kms_client.create_key(Description=desc)
        except ClientError as e:
            logging.error(e)
            return None, None

        # Return the key ID and ARN
        return response['KeyMetadata']['KeyId'], response['KeyMetadata']['Arn']


Create a data key
=================

To encrypt a file, the example ``create_data_key`` function creates a data key. The data key is 
customer managed and does not incur an AWS storage cost. The example creates a data key for 
each file it encrypts, but it's possible to use a single data key to encrypt multiple files.

The example function returns the data key in both its plaintext and encrypted forms. The
plaintext form is used to encrypt the data. The encrypted form is stored with the encrypted
file. The data key is associated with a CMK, which is capable of decrypting the encrypted data key
when necessary.

.. code-block:: python

    def create_data_key(cmk_id, key_spec='AES_256'):
        """Generate a data key to use when encrypting and decrypting data

        :param cmk_id: KMS CMK ID or ARN under which to generate and encrypt the
        data key.
        :param key_spec: Length of the data encryption key. Supported values:
            'AES_128': Generate a 128-bit symmetric key
            'AES_256': Generate a 256-bit symmetric key
        :return Tuple(EncryptedDataKey, PlaintextDataKey) where:
            EncryptedDataKey: Encrypted CiphertextBlob data key as binary string
            PlaintextDataKey: Plaintext base64-encoded data key as binary string
        :return Tuple(None, None) if error
        """

        # Create data key
        kms_client = boto3.client('kms')
        try:
            response = kms_client.generate_data_key(KeyId=cmk_id, KeySpec=key_spec)
        except ClientError as e:
            logging.error(e)
            return None, None

        # Return the encrypted and plaintext data key
        return response['CiphertextBlob'], base64.b64encode(response['Plaintext'])


Encrypt a file
==============

The ``encrypt_file`` function creates a data key and uses it to encrypt the contents of a disk file.

The encryption operation is performed by a ``Fernet`` object created by the Python ``cryptography`` 
package.

The encrypted form of the data key is saved within the encrypted file and will be used in the future 
to decrypt the file. The encrypted file can be decrypted by any program with the credentials to 
decrypt the encrypted data key.

.. code-block:: python

    def encrypt_file(filename, cmk_id):
        """Encrypt a file using an AWS KMS CMK

        A data key is generated and associated with the CMK.
        The encrypted data key is saved with the encrypted file. This enables the
        file to be decrypted at any time in the future and by any program that
        has the credentials to decrypt the data key.
        The encrypted file is saved to <filename>.encrypted
        Limitation: The contents of filename must fit in memory.

        :param filename: File to encrypt
        :param cmk_id: AWS KMS CMK ID or ARN
        :return: True if file was encrypted. Otherwise, False.
        """

        # Read the entire file into memory
        try:
            with open(filename, 'rb') as file:
                file_contents = file.read()
        except IOError as e:
            logging.error(e)
            return False

        # Generate a data key associated with the CMK
        # The data key is used to encrypt the file. Each file can use its own
        # data key or data keys can be shared among files.
        # Specify either the CMK ID or ARN
        data_key_encrypted, data_key_plaintext = create_data_key(cmk_id)
        if data_key_encrypted is None:
            return False
        logging.info('Created new AWS KMS data key')

        # Encrypt the file
        f = Fernet(data_key_plaintext)
        file_contents_encrypted = f.encrypt(file_contents)

        # Write the encrypted data key and encrypted file contents together
        try:
            with open(filename + '.encrypted', 'wb') as file_encrypted:
                file_encrypted.write(len(data_key_encrypted).to_bytes(NUM_BYTES_FOR_LEN,
                                                                      byteorder='big'))
                file_encrypted.write(data_key_encrypted)
                file_encrypted.write(file_contents_encrypted)
        except IOError as e:
            logging.error(e)
            return False

        # For the highest security, the data_key_plaintext value should be wiped
        # from memory. Unfortunately, this is not possible in Python. However,
        # storing the value in a local variable makes it available for garbage
        # collection.
        return True


Decrypt a data key
==================

To decrypt an encrypted file, the encrypted data key used to perform the encryption must first
be decrypted. This operation is performed by the example ``decrypt_data_key`` function which returns
the plaintext form of the key.

.. code-block:: python

    def decrypt_data_key(data_key_encrypted):
        """Decrypt an encrypted data key

        :param data_key_encrypted: Encrypted ciphertext data key.
        :return Plaintext base64-encoded binary data key as binary string
        :return None if error
        """

        # Decrypt the data key
        kms_client = boto3.client('kms')
        try:
            response = kms_client.decrypt(CiphertextBlob=data_key_encrypted)
        except ClientError as e:
            logging.error(e)
            return None

        # Return plaintext base64-encoded binary data key
        return base64.b64encode(response['Plaintext'])


Decrypt a file
==============

The example ``decrypt_file`` function first extracts the encrypted data key from the encrypted file. It 
then decrypts the key to get its plaintext form and uses that to decrypt the file contents.

The decryption operation is performed by a ``Fernet`` object created by the Python ``cryptography`` 
package.

.. code-block:: python

    def decrypt_file(filename):
        """Decrypt a file encrypted by encrypt_file()

        The encrypted file is read from <filename>.encrypted
        The decrypted file is written to <filename>.decrypted

        :param filename: File to decrypt
        :return: True if file was decrypted. Otherwise, False.
        """

        # Read the encrypted file into memory
        try:
            with open(filename + '.encrypted', 'rb') as file:
                file_contents = file.read()
        except IOError as e:
            logging.error(e)
            return False

        # The first NUM_BYTES_FOR_LEN bytes contain the integer length of the
        # encrypted data key.
        # Add NUM_BYTES_FOR_LEN to get index of end of encrypted data key/start
        # of encrypted data.
        data_key_encrypted_len = int.from_bytes(file_contents[:NUM_BYTES_FOR_LEN],
                                                byteorder='big') \
                                 + NUM_BYTES_FOR_LEN
        data_key_encrypted = file_contents[NUM_BYTES_FOR_LEN:data_key_encrypted_len]

        # Decrypt the data key before using it
        data_key_plaintext = decrypt_data_key(data_key_encrypted)
        if data_key_plaintext is None:
            return False

        # Decrypt the rest of the file
        f = Fernet(data_key_plaintext)
        file_contents_decrypted = f.decrypt(file_contents[data_key_encrypted_len:])

        # Write the decrypted file contents
        try:
            with open(filename + '.decrypted', 'wb') as file_decrypted:
                file_decrypted.write(file_contents_decrypted)
        except IOError as e:
            logging.error(e)
            return False

        # The same security issue described at the end of encrypt_file() exists
        # here, too, i.e., the wish to wipe the data_key_plaintext value from
        # memory.
        return True
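The container layout written by ``encrypt_file`` and read back by ``decrypt_file``, walked through offline as an added example (not code from this page or from the AWS example project). A local Fernet key stands in for the KMS CMK, so the wrap/unwrap of the data key is an assumption that replaces the ``generate_data_key`` and ``decrypt`` calls; ``open_container`` additionally bounds-checks the length prefix and treats a failed Fernet check as a tampered file, which ``decrypt_file`` above does not do.

```python
import base64
import os

from cryptography.fernet import Fernet, InvalidToken

NUM_BYTES_FOR_LEN = 4  # length-prefix size, as in the full example source

# Assumption: a local Fernet key stands in for the KMS CMK. Wrapping and
# unwrapping the data key with it plays the role of KMS generate_data_key()
# and decrypt(); in the real program the master key never leaves AWS KMS.
MASTER = Fernet(Fernet.generate_key())


def generate_data_key():
    """Mimic generate_data_key(): return (encrypted key, base64 plaintext key)."""
    plaintext = os.urandom(32)  # AES_256 data key, 32 random bytes
    return MASTER.encrypt(plaintext), base64.b64encode(plaintext)


def decrypt_data_key(data_key_encrypted):
    """Mimic decrypt(): unwrap the data key with the master key."""
    return base64.b64encode(MASTER.decrypt(data_key_encrypted))


def seal(contents):
    """Build the container exactly as encrypt_file() lays it out on disk:
    big-endian length prefix || encrypted data key || Fernet token."""
    key_enc, key_plain = generate_data_key()
    token = Fernet(key_plain).encrypt(contents)
    return len(key_enc).to_bytes(NUM_BYTES_FOR_LEN, 'big') + key_enc + token


def open_container(blob):
    """Parse and decrypt a container; None if it is truncated or tampered."""
    if len(blob) < NUM_BYTES_FOR_LEN:
        return None
    key_len = int.from_bytes(blob[:NUM_BYTES_FOR_LEN], 'big')
    key_end = NUM_BYTES_FOR_LEN + key_len
    if key_end > len(blob):  # length prefix points past the end of the file
        return None
    try:
        key_plain = decrypt_data_key(blob[NUM_BYTES_FOR_LEN:key_end])
        return Fernet(key_plain).decrypt(blob[key_end:])
    except InvalidToken:  # wrapped key or file ciphertext was altered
        return None
```

Because Fernet authenticates its token, any change to the file body or to the wrapped key surfaces as ``InvalidToken`` rather than as silently wrong plaintext.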