Amazon Encryption SDK Concepts: Difference between revisions
Revision as of 23:12, 12 December 2018
Internal
Supported Algorithms
The library uses the AES-GCM encryption algorithm with 256-bit, 192-bit or 128-bit encryption keys. The Initialization Vector is 12 bytes long and the authentication tag is 16 bytes long. By default, the SDK uses the data key as input to the HMAC-based extract-and-expand key derivation function (HKDF) to derive the AES-GCM encryption key, and also adds an Elliptic Curve Digital Signature Algorithm (ECDSA) signature.
Data Key Management
By default, the SDK uses AWS KMS as the master key provider: its GenerateDataKey API operation generates data keys, and its Decrypt API operation decrypts a data key that was stored alongside the ciphertext. AWS KMS encrypts and decrypts the data key with the Customer Master Key that was specified when the master key provider was configured, before the SDK is used.
Data Key Caching
TODO:
- https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html
- https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/faq.html