We can also use a CMK in AWS KMS to encrypt and decrypt a secret directly, without generating a Data Key and therefore without the envelope encryption process. Remember that AWS KMS can directly encrypt and decrypt at most 4 kilobytes (4096 bytes) of data.
1. Execute the below command to create a file containing the secret text.
echo "New secret text" > NewSecretFile.txt
2. Execute the below command to encrypt file NewSecretFile.txt.
aws kms encrypt --key-id alias/ImportedCMK --plaintext fileb://NewSecretFile.txt --encryption-context project=kmsworkshop --output text --query CiphertextBlob | base64 --decode > NewSecretsEncryptedFile.txt
3. Execute the below command to check the encrypted file.
cat NewSecretsEncryptedFile.txt
4. Execute the below command to decrypt the file.
aws kms decrypt --ciphertext-blob fileb://NewSecretsEncryptedFile.txt --encryption-context project=kmsworkshop --output text --query Plaintext | base64 --decode > NewSecretsDecryptedFile.txt
5. Execute the below command to check the result. The file is readable again, because it now holds the decrypted plaintext.
cat NewSecretsDecryptedFile.txt
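The five steps above wrapped into a small script, as an added example that is not part of the workshop: it enforces the 4096-byte direct-encryption limit before calling KMS, uses the same encryption context on encrypt and decrypt, and detects a failed CLI call that would otherwise leave an empty output file. It assumes a configured AWS CLI and the alias/ImportedCMK key from the workshop.

```shell
#!/bin/sh
# Added example (not the workshop's own code). Assumes the AWS CLI is
# configured and the key alias/ImportedCMK from the workshop exists.
KMS_DIRECT_LIMIT=4096            # KMS Encrypt accepts at most 4096 bytes of plaintext
KMS_KEY_ID="alias/ImportedCMK"   # CMK used for direct encryption
KMS_CONTEXT="project=kmsworkshop" # encryption context; must match on decrypt

# Return 0 if the file is small enough for direct KMS encryption, 1 otherwise.
kms_fits_direct_limit() {
    size=$(wc -c < "$1")
    [ "$size" -le "$KMS_DIRECT_LIMIT" ]
}

# Encrypt plaintext file $1 into ciphertext file $2.
# Oversized input is refused locally; larger data needs a data key (envelope encryption).
kms_encrypt_file() {
    if ! kms_fits_direct_limit "$1"; then
        echo "refusing $1: larger than ${KMS_DIRECT_LIMIT} bytes, use envelope encryption" >&2
        return 1
    fi
    aws kms encrypt --key-id "$KMS_KEY_ID" --plaintext "fileb://$1" \
        --encryption-context "$KMS_CONTEXT" --output text --query CiphertextBlob \
        | base64 --decode > "$2"
    # Without pipefail a failed aws call still exits 0 via base64; check the output instead.
    [ -s "$2" ] || { echo "encrypt failed: $2 is empty" >&2; return 1; }
}

# Decrypt ciphertext file $1 into plaintext file $2 using the same encryption
# context; KMS rejects the ciphertext if the context differs.
kms_decrypt_file() {
    aws kms decrypt --ciphertext-blob "fileb://$1" \
        --encryption-context "$KMS_CONTEXT" --output text --query Plaintext \
        | base64 --decode > "$2"
    [ -s "$2" ] || { echo "decrypt failed: $2 is empty" >&2; return 1; }
}
```

Usage: `kms_encrypt_file NewSecretFile.txt NewSecretsEncryptedFile.txt` followed by `kms_decrypt_file NewSecretsEncryptedFile.txt NewSecretsDecryptedFile.txt` reproduces steps 2 and 4.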