Certified Security - Specialty


Different CiphertextBlob for user who was Granted CMK usage

In the KMS Grants lesson, the CiphertextBlob generated when the admin user encrypted the string "hello" was different from the CiphertextBlob generated when the user "Dave" encrypted the same string. Since the cleartext string and the key were the same, shouldn’t the ciphertext also be the same?

Do KMS grants use data keys?

1 Answer

KMS uses a two-tiered key hierarchy using envelope encryption, and creates a unique data key to encrypt customer data.

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

Malcolm

That page states the following: "To use or manage your CMK, you access them through AWS KMS. This strategy differs from data keys. AWS KMS does not store, manage, or track your data keys. You must use them outside of AWS KMS." I understand that S3 (for example) would need to have a mechanism for handling the data keys. In this example, we are invoking KMS directly, via the command line. In this case, where would such a data key be kept, if KMS does not manage it? According to "KMS Best Practices" page 8, KMS can directly encrypt data blocks up to 4KB in size. I thought that’s what the CLI was doing, but the differing ciphertext values tell me that is not the case. So I am wondering where the data keys are, if KMS does not store them. Or am I misreading the docs?

Maks Khomutskyi

Envelope encryption. When you encrypt a data key, you don’t have to worry about storing the encrypted data key, because the data key is inherently protected by encryption. You can safely store the encrypted data key alongside the encrypted data.

Amol Dabholkar

It seems from the CLI commands that they are directly using the CMK to do the encryption. If they needed to do a Data-key based encryption they would need to --generate-data-key (https://docs.aws.amazon.com/cli/latest/reference/kms/generate-data-key.html). That would give them back a clear new data key which could be used for local encryption on the client. I am guessing the encryption output is different because a random padding and IV (initialization vector) is used for the plaintext for every encryption, and that creates a different ciphertext string. However when you decrypt and strip off the padding you would get the same plaintext.
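The two behaviours discussed in this thread, a fresh random IV on every direct Encrypt call (Amol's point) and envelope encryption with a data key stored only in wrapped form beside the data (the accepted answer), can both be shown with a small local model. The Go program below is an added example written for this thread; it is not code from the course, from AWS, or from any commenter. It models a symmetric KMS key as a 256-bit AES-GCM key held in memory (`exampleCMK`, a constructed value; a real key never leaves KMS), and the blob layout `nonce || ciphertext || tag` is this example's own convention rather than the format of a real CiphertextBlob. The functions `encryptGCM`, `decryptGCM`, `envelopeEncrypt` and `envelopeDecrypt` are hypothetical names chosen here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed 256-bit stand-in for a CMK, used only so the example runs offline.
var exampleCMK = bytes.Repeat([]byte{0x42}, 32)

// encryptGCM models a direct Encrypt call on a symmetric key: AES-256-GCM with a
// fresh random 96-bit nonce on every call. Because the nonce differs, the same key
// and plaintext give a different blob each time. Layout: nonce || ciphertext || tag.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce so the decryptor can recover it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptGCM reverses encryptGCM. GCM's authentication tag means a wrong key or a
// tampered blob is rejected with an error instead of yielding garbage plaintext.
func decryptGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// Envelope is what the client keeps: the data key wrapped under the CMK, stored beside
// the data it protects. The plaintext data key is never stored, which is why the
// key service does not need to track it.
type Envelope struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

// envelopeEncrypt models GenerateDataKey followed by local encryption: a random data
// key encrypts the payload, and the CMK only ever encrypts the data key.
func envelopeEncrypt(cmk, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	wrapped, err := encryptGCM(cmk, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := encryptGCM(dataKey, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// envelopeDecrypt unwraps the data key with the CMK, then decrypts the payload locally.
func envelopeDecrypt(cmk []byte, env Envelope) ([]byte, error) {
	dataKey, err := decryptGCM(cmk, env.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return decryptGCM(dataKey, env.Ciphertext)
}

func main() {
	msg := []byte("hello")
	a, _ := encryptGCM(exampleCMK, msg)
	b, _ := encryptGCM(exampleCMK, msg)
	pa, _ := decryptGCM(exampleCMK, a)
	pb, _ := decryptGCM(exampleCMK, b)
	fmt.Printf("blobs differ: %v, both decrypt to %q and %q\n", !bytes.Equal(a, b), pa, pb)
	env, _ := envelopeEncrypt(exampleCMK, msg)
	pt, _ := envelopeDecrypt(exampleCMK, env)
	fmt.Printf("envelope round trip: %q\n", pt)
}
```

Running it shows the admin/Dave situation reproduced locally: two encryptions of "hello" under the same key produce different blobs, and both decrypt to "hello". The envelope path shows the other half of the thread: nothing but the wrapped data key is kept, and decrypting with a different CMK fails at the GCM tag check rather than returning wrong data.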
