Direct Encryption with AWS KMS

We can also use a CMK in AWS KMS to encrypt and decrypt a secret directly, without generating a Data Key and therefore without the envelope encryption process. Remember that AWS KMS can encrypt and decrypt at most 4 kilobytes (4096 bytes) of data in a single call, so this only works for small secrets; anything larger still needs a Data Key.

  1. Execute the command below to create the file NewSecretFile.txt.

echo "New secret text" > NewSecretFile.txt

  2. Execute the command below to encrypt the file NewSecretFile.txt with the CMK. The encryption context is bound to the ciphertext and must be supplied again on decryption.

aws kms encrypt --key-id alias/ImportedCMK --plaintext fileb://NewSecretFile.txt --encryption-context project=kmsworkshop --output text --query CiphertextBlob | base64 --decode > NewSecretsEncryptedFile.txt

  3. Execute the command below to check the encrypted file. It contains the binary ciphertext blob, so the output is not readable.

cat NewSecretsEncryptedFile.txt

  4. Execute the command below to decrypt the file. No key id is needed: KMS identifies the CMK from the ciphertext blob, but the same encryption context must be provided.

aws kms decrypt --ciphertext-blob fileb://NewSecretsEncryptedFile.txt --encryption-context project=kmsworkshop --output text --query Plaintext | base64 --decode > NewSecretsDecryptedFile.txt

  5. Execute the command below to check the result. The file is readable again.

cat NewSecretsDecryptedFile.txt

[Screenshot: Encryption using AWS KMS with no Data Key]
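As an added example (not part of the workshop material), the encrypt and decrypt commands above wrapped in a small POSIX shell script that enforces the 4096-byte limit before calling KMS, keeps the encryption context in one place so encrypt and decrypt cannot drift apart, and never leaves an empty ciphertext file behind when the CLI call fails. It assumes the AWS CLI is configured for the workshop account and uses the key alias and encryption context from the steps above.

```shell
# Constructed wrapper around the workshop's direct KMS encrypt/decrypt steps.
# Assumes the AWS CLI is configured; key alias and context are the workshop's.
KMS_KEY_ID="alias/ImportedCMK"
KMS_CONTEXT="project=kmsworkshop"
KMS_MAX_PLAINTEXT=4096   # KMS Encrypt accepts at most 4096 bytes directly

# Returns 0 if the file is small enough for a direct KMS Encrypt call,
# 1 otherwise (larger payloads need a data key and envelope encryption).
plaintext_fits_kms() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$KMS_MAX_PLAINTEXT" ]
}

# Encrypt $1 into $2. The base64 blob is captured first and only decoded
# after the CLI succeeded, so a failed call cannot produce a truncated or
# empty ciphertext file (the plain pipeline in the workshop would).
kms_direct_encrypt() {
    in="$1"; out="$2"
    plaintext_fits_kms "$in" || {
        echo "refusing: $in exceeds $KMS_MAX_PLAINTEXT bytes; use a data key" >&2
        return 1
    }
    blob=$(aws kms encrypt --key-id "$KMS_KEY_ID" \
        --plaintext "fileb://$in" \
        --encryption-context "$KMS_CONTEXT" \
        --output text --query CiphertextBlob) || return 1
    printf '%s' "$blob" | base64 --decode > "$out"
}

# Decrypt $1 into $2. KMS finds the CMK from the blob itself, but the
# encryption context must match the one used at encrypt time.
kms_direct_decrypt() {
    in="$1"; out="$2"
    plain=$(aws kms decrypt --ciphertext-blob "fileb://$in" \
        --encryption-context "$KMS_CONTEXT" \
        --output text --query Plaintext) || return 1
    printf '%s' "$plain" | base64 --decode > "$out"
}

# Usage: sh kms_direct.sh encrypt NewSecretFile.txt NewSecretsEncryptedFile.txt
#        sh kms_direct.sh decrypt NewSecretsEncryptedFile.txt NewSecretsDecryptedFile.txt
case "${1:-}" in
    encrypt) kms_direct_encrypt "$2" "$3" ;;
    decrypt) kms_direct_decrypt "$2" "$3" ;;
esac
```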