echo "Sample Secret Text to Encrypt" > samplesecret.txt
2. Assign the permission to the instance to create the data key: in the IAM console, edit the KMSWorkshop-AdditionalPermissions policy attached to the instance role, type kms into the service search bar, then type GenerateDataKey into the actions search bar, press Enter, and add the kms:GenerateDataKey action. The instance role needs it for the generate-data-key call below.
11. Execute the command below to request a 256-bit data key from KMS under the ImportedCMK key. The encryption context is bound to the wrapped key and must be supplied again when the key is decrypted.
aws kms generate-data-key --key-id alias/ImportedCMK --key-spec AES_256 --encryption-context project=workshop
12. The JSON response carries two base64 values: Plaintext, the raw data key, and CiphertextBlob, the same key encrypted under the CMK. Decode each into its own file.
echo '<Plaintext value of the JSON file in step 11>' | base64 --decode > datakeyPlainText.txt
echo '<CiphertextBlob value of the JSON file in step 11>' | base64 --decode > datakeyEncrypted.txt
13. Execute the commands below to encrypt samplesecret.txt with AES-256 using the data key and save the result to encryptedSecret.txt. Note that openssl enc -k takes its argument as a literal passphrase, so -k fileb://datakeyPlainText.txt would derive a key from the string "fileb://datakeyPlainText.txt" and never read the data key at all. The raw key must be passed hex-encoded with -K, and in CBC mode -K also requires an explicit -iv; keep the IV next to the ciphertext, it is not secret.
openssl rand -hex 16 > encryptedSecret.iv
openssl enc -e -aes-256-cbc -K "$(od -An -tx1 -v datakeyPlainText.txt | tr -d ' \n')" -iv "$(cat encryptedSecret.iv)" -in samplesecret.txt -out encryptedSecret.txt
14. Execute the command below to check the encrypted content. The file is raw ciphertext, so view it as a hex dump rather than printing it to the terminal.
od -An -tx1 encryptedSecret.txt
15. Execute the command below to delete the plaintext key. rm only unlinks the file; use shred -u where the filesystem supports it, and in production keep the plaintext data key in memory rather than on disk.
rm datakeyPlainText.txt
16. Following security best practice, the plaintext data key is deleted as soon as the data has been encrypted. To decrypt the file again, the encrypted data key must first be decrypted by KMS. Execute the command below; the encryption context must match the one used in step 11, otherwise KMS rejects the request. The wrapped key identifies the CMK it was produced under, so no --key-id is needed for a symmetric key.
aws kms decrypt --encryption-context project=workshop --ciphertext-blob fileb://datakeyEncrypted.txt
17. Execute the command below to decode the Plaintext value returned in step 16 from base64 back into the raw data key.
echo '<Plaintext value of the JSON file in step 16>' | base64 --decode > datakeyPlainText.txt
18. Execute the command below to decrypt encryptedSecret.txt with the recovered data key and the IV saved in step 13.
openssl enc -d -aes-256-cbc -K "$(od -An -tx1 -v datakeyPlainText.txt | tr -d ' \n')" -iv "$(cat encryptedSecret.iv)" -in encryptedSecret.txt
19. Execute the command below to delete the plaintext key.
rm datakeyPlainText.txt
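The steps above, collected into reusable shell functions as an added example (this is not the workshop's own code). It keeps the same primitives (a KMS data key, openssl AES-256-CBC, a wiped plaintext key) but fixes the key handling: the raw key goes in through -K, a fresh random IV is generated per file and stored in the first 16 bytes of the ciphertext, and the two base64 values from GenerateDataKey are written straight to files instead of being pasted by hand. The function names, the IV-prefixed file layout, and the local_generate_data_key stub (a random key with no KMS wrapping, used only so the openssl half can be exercised offline) are assumptions of this example; the kms_* functions need AWS credentials and are not exercised by the offline run.

```shell
#!/bin/sh
# Added example (not the workshop's code): envelope-encryption helpers.
# Encrypted file layout: 16-byte IV || AES-256-CBC ciphertext (PKCS#7 padded by openssl).
# Requires openssl and od; the aws CLI is used only by the kms_* functions.

# Hex-encode a file's raw bytes on one line (od is POSIX; no dependency on xxd).
hex_of_file() { od -An -tx1 -v "$1" | tr -d ' \n'; }

# Refuse anything but a 32-byte key: openssl silently zero-pads a short -K value.
check_key() {
  [ "$(wc -c < "$1" | tr -d ' ')" -eq 32 ] || { echo "data key must be 32 raw bytes" >&2; return 1; }
}

# Encrypt file $2 into $3 under the raw data key in $1. A fresh random IV per file is
# written as the first 16 bytes of the output (the IV is not secret, only the key is).
envelope_encrypt() {
  check_key "$1" || return 1
  iv_file=$(mktemp)
  openssl rand 16 > "$iv_file"
  cat "$iv_file" > "$3"
  openssl enc -e -aes-256-cbc -K "$(hex_of_file "$1")" -iv "$(hex_of_file "$iv_file")" -in "$2" >> "$3"
  rc=$?
  rm -f "$iv_file"
  return $rc
}

# Decrypt file $2 (written by envelope_encrypt) under the raw data key in $1; plaintext to stdout.
# A wrong key fails the padding check in openssl and returns non-zero.
envelope_decrypt() {
  check_key "$1" || return 1
  iv_file=$(mktemp)
  head -c 16 "$2" > "$iv_file"
  tail -c +17 "$2" | openssl enc -d -aes-256-cbc -K "$(hex_of_file "$1")" -iv "$(hex_of_file "$iv_file")"
  rc=$?
  rm -f "$iv_file"
  return $rc
}

# Remove a plaintext key file. rm only unlinks, so prefer shred where it exists.
wipe_key() {
  if command -v shred > /dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

# KMS path (needs credentials; not run offline). One GenerateDataKey call returns both the
# raw key and the KMS-wrapped copy; $1 = key id or alias, $2 = raw key file, $3 = wrapped key file.
kms_generate_data_key() {
  aws kms generate-data-key --key-id "$1" --key-spec AES_256 \
      --encryption-context project=workshop \
      --output text --query '[Plaintext,CiphertextBlob]' |
  {
    read -r plain wrapped
    printf '%s' "$plain"   | base64 --decode > "$2"
    printf '%s' "$wrapped" | base64 --decode > "$3"
  }
}

# Unwrap the CiphertextBlob file $1 back into the raw key file $2. The encryption context
# must match the one given to GenerateDataKey or KMS rejects the request.
kms_decrypt_data_key() {
  aws kms decrypt --ciphertext-blob "fileb://$1" --encryption-context project=workshop \
      --output text --query Plaintext | base64 --decode > "$2"
}

# Local stand-in for GenerateDataKey so the helpers can be exercised without AWS: writes a
# random 32-byte key to $1. Nothing wraps it, so it models only the openssl half of the flow.
local_generate_data_key() { openssl rand 32 > "$1"; }
```

Usage with KMS: `kms_generate_data_key alias/ImportedCMK key.bin key.wrapped`, then `envelope_encrypt key.bin samplesecret.txt encryptedSecret.txt` and `wipe_key key.bin` immediately afterwards; to read the file back, `kms_decrypt_data_key key.wrapped key.bin`, `envelope_decrypt key.bin encryptedSecret.txt`, and `wipe_key key.bin` again. The wrapped key can be stored next to the ciphertext; it is useless without a kms:Decrypt call that succeeds under the same encryption context.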