本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
設定 AWS Encryption SDK
AWS Encryption SDK 的設計易於使用。雖然 AWS Encryption SDK 有數個組態選項,但系統會仔細選擇預設值,以對大多數應用程式實用且安全。不過,您可能需要調整組態來改善效能,或在設計中包含自訂功能。
設定實作時,請檢閱 AWS Encryption SDK 最佳實務並盡可能實作。
選取程式設計語言
AWS Encryption SDK 提供多種程式設計語言。語言實作旨在完全互通,並提供相同的功能,但可能會以不同的方式實作。一般而言,您可以使用與您的應用程式相容的程式庫。不過,您可以為特定實作選取程式設計語言。例如,如果您偏好使用 keyring,您可以選擇 適用於 C 的 AWS Encryption SDK 或 適用於 JavaScript 的 AWS Encryption SDK。
選取包裝金鑰
AWS Encryption SDK 會產生唯一的對稱資料金鑰來加密每個訊息。除非您使用資料金鑰快取,否則不需要設定、管理或使用資料金鑰。會為您 AWS Encryption SDK 執行。
不過,您必須選取一或多個包裝金鑰來加密每個資料金鑰。 AWS Encryption SDK 支援不同大小的 AES 對稱金鑰和 RSA 非對稱金鑰。它也支援 AWS Key Management Service(AWS KMS) 對稱加密 AWS KMS keys。您要負責包裝金鑰的安全性和耐久性,因此我們建議您在硬體安全模組或金鑰基礎設施服務中使用加密金鑰,例如 AWS KMS。
若要指定用於加密和解密的包裝金鑰,請使用 keyring (C 和 JavaScript) 或主金鑰提供者 (Java、Python、 AWS Encryption CLI)。您可以指定一個包裝金鑰或相同或不同類型的多個包裝金鑰。如果您使用多個包裝金鑰來包裝資料金鑰,則每個包裝金鑰都會加密相同資料金鑰的副本。加密的資料金鑰 (每個包裝金鑰一個) 會與加密的資料一起存放在 AWS Encryption SDK 傳回的加密訊息中。若要解密資料, AWS Encryption SDK 必須先使用其中一個包裝金鑰來解密加密的資料金鑰。
若要在 keyring 或主金鑰提供者 AWS KMS key 中指定 ,請使用支援的 AWS KMS 金鑰識別符。如需 AWS KMS 金鑰之金鑰識別符的詳細資訊,請參閱《 AWS Key Management Service 開發人員指南》中的金鑰識別符。
-
使用 適用於 JavaScript 的 AWS Encryption SDK 適用於 Python 的 AWS Encryption SDK 適用於 JAVA 的 AWS Encryption SDK、 或 AWS Encryption CLI 加密時,您可以針對 KMS 金鑰使用任何有效的金鑰識別符 (金鑰 ID、金鑰 ARN、別名名稱或別名 ARN)。使用 加密時 適用於 C 的 AWS Encryption SDK,您只能使用金鑰 ID 或金鑰 ARN。
如果您在加密時為 KMS 金鑰指定別名名稱或別名 ARN, 會 AWS Encryption SDK 儲存目前與該別名相關聯的金鑰 ARN;不會儲存別名。別名的變更不會影響用來解密資料金鑰的 KMS 金鑰。
-
在嚴格模式下解密 (指定特定包裝金鑰) 時,您必須使用金鑰 ARN 來識別 AWS KMS keys。此要求適用於 AWS Encryption SDK的所有語言實作。
當您使用 AWS KMS keyring 加密時, 會將 的金鑰 ARN AWS Encryption SDK 存放在加密資料金鑰的中繼資料 AWS KMS key 中。在嚴格模式下解密時, AWS Encryption SDK 會驗證相同的金鑰 ARN 是否出現在 keyring (或主金鑰提供者) 中,然後再嘗試使用包裝金鑰來解密加密的資料金鑰。如果您使用不同的金鑰識別符,即使識別符參考相同的金鑰 AWS KMS key, AWS Encryption SDK 也不會識別或使用 。
若要在 keyring 中將原始 AES 金鑰或原始 RSA 金鑰對指定為包裝金鑰,您必須指定命名空間和名稱。在主金鑰提供者中, Provider ID等同於命名空間,而 Key ID 等同於名稱。解密時,您必須針對每個原始包裝金鑰使用與加密時完全相同的命名空間和名稱。如果您使用不同的命名空間或名稱,即使金鑰材料相同, AWS Encryption SDK 也不會辨識或使用包裝金鑰。
使用多區域 AWS KMS keys
您可以使用 AWS Key Management Service (AWS KMS) 多區域金鑰做為包裝金鑰 AWS Encryption SDK。如果您使用多區域金鑰進行加密 AWS 區域,則可以使用不同 中的相關多區域金鑰進行解密 AWS 區域。多區域金鑰的支援會在 的 2.3.x 版 AWS Encryption SDK 和 AWS 加密 CLI 的 3.0.x 版中推出。
AWS KMS 多區域金鑰是一組不同 AWS KMS keys 中的 AWS 區域 ,具有相同的金鑰材料和金鑰 ID。您可以使用這些相關金鑰,就像它們在不同區域中是相同的金鑰一樣。多區域金鑰支援常見的災難復原和備份案例,這些案例需要在一個區域中加密,並在不同區域中解密,而無需進行跨區域呼叫 AWS KMS。如需多區域金鑰的相關資訊,請參閱《 AWS Key Management Service 開發人員指南》中的使用多區域金鑰。
為了支援多區域金鑰, AWS Encryption SDK 包含 AWS KMS multi-Region-aware keyring 和主金鑰提供者。每個程式設計語言中新的multi-Region-aware符號都支援單一區域和多區域金鑰。
-
對於單一區域金鑰,multi-Region-aware符號的行為就像單一區域 AWS KMS keyring 和主金鑰提供者。它只會嘗試使用加密資料的單一區域金鑰來解密加密文字。
-
對於多區域金鑰,multi-Region-aware符號會嘗試使用與加密資料相同的多區域金鑰,或在您指定的區域中使用相關的多區域複本金鑰來解密加密文字。
在採用多個 KMS 金鑰的multi-Region-aware keyring 和主金鑰提供者中,您可以指定多個單一區域和多區域金鑰。不過,您只能從一組相關的多區域複本金鑰中指定一個金鑰。如果您指定多個具有相同金鑰 ID 的金鑰識別符,建構器呼叫會失敗。
您也可以搭配標準、單一區域 AWS KMS keyring 和主金鑰提供者使用多區域金鑰。不過,您必須在相同區域中使用相同的多區域金鑰來加密和解密。單一區域 keyring 和主金鑰提供者只會嘗試使用加密資料的金鑰來解密加密文字。
下列範例示範如何使用多區域金鑰和新的multi-Region-aware keyring 和主金鑰提供者來加密和解密資料。這些範例會加密 us-east-1 區域中的資料,並使用每個us-west-2區域中相關的多區域複本金鑰解密 區域中的資料。執行這些範例之前,請將範例多區域金鑰 ARN 取代為 的有效值 AWS 帳戶。
- C
-
若要使用多區域金鑰進行加密,請使用
Aws::Cryptosdk::KmsMrkAwareSymmetricKeyring::Builder()方法來實例化 keyring。指定多區域金鑰。這個簡單的範例不包含加密內容。如需在 C 中使用加密內容的範例,請參閱 加密和解密字串。
如需完整範例,請參閱 GitHub 上 適用於 C 的 AWS Encryption SDK 儲存庫中的 kms_multi_region_keys.cpp
。 /* Encrypt with a multi-Region KMS key in us-east-1 */ /* Load error strings for debugging */ aws_cryptosdk_load_error_strings(); /* Initialize a multi-Region keyring */ const char *mrk_us_east_1 = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"; struct aws_cryptosdk_keyring *mrk_keyring = Aws::Cryptosdk::KmsMrkAwareSymmetricKeyring::Builder().Build(mrk_us_east_1); /* Create a session; release the keyring */ struct aws_cryptosdk_session *session = aws_cryptosdk_session_new_from_keyring_2(aws_default_allocator(), AWS_CRYPTOSDK_ENCRYPT, mrk_keyring); aws_cryptosdk_keyring_release(mrk_keyring); /* Encrypt the data * aws_cryptosdk_session_process_full is designed for non-streaming data */ aws_cryptosdk_session_process_full( session, ciphertext, ciphertext_buf_sz, &ciphertext_len, plaintext, plaintext_len)); /* Clean up the session */ aws_cryptosdk_session_destroy(session); - C# / .NET
-
若要在美國東部 (維吉尼亞北部) (us-east-1) 區域中使用多區域金鑰加密,請使用多區域金鑰的金鑰識別符和指定區域的 AWS KMS 用戶端來執行個體化
CreateAwsKmsMrkKeyringInput物件。然後使用CreateAwsKmsMrkKeyring()方法來建立 keyring。此
CreateAwsKmsMrkKeyring()方法會建立具有正好一個多區域金鑰的 keyring。若要使用包含多區域金鑰的多個包裝金鑰進行加密,請使用CreateAwsKmsMrkMultiKeyring()方法。如需完整範例,請參閱 GitHub 上 AWS Encryption SDK 適用於 .NET 儲存庫的 中的 AwsKmsMrkKeyringExample.cs
。 //Encrypt with a multi-Region KMS key in us-east-1 Region // Instantiate the AWS Encryption SDK and material providers var encryptionSdk = AwsEncryptionSdkFactory.CreateDefaultAwsEncryptionSdk(); var materialProviders = AwsCryptographicMaterialProvidersFactory.CreateDefaultAwsCryptographicMaterialProviders(); // Multi-Region keys have a distinctive key ID that begins with 'mrk' // Specify a multi-Region key in us-east-1 string mrkUSEast1 = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"; // Create the keyring // You can specify the Region or get the Region from the key ARN var createMrkEncryptKeyringInput = new CreateAwsKmsMrkKeyringInput { KmsClient = new AmazonKeyManagementServiceClient(RegionEndpoint.USEast1), KmsKeyId = mrkUSEast1 }; var mrkEncryptKeyring = materialProviders.CreateAwsKmsMrkKeyring(createMrkEncryptKeyringInput); // Define the encryption context var encryptionContext = new Dictionary<string, string>() { {"purpose", "test"} }; // Encrypt your plaintext data. var encryptInput = new EncryptInput { Plaintext = plaintext, Keyring = mrkEncryptKeyring, EncryptionContext = encryptionContext }; var encryptOutput = encryptionSdk.Encrypt(encryptInput); - AWS Encryption CLI
-
此範例會在 us-east-1 區域中的多區域金鑰下加密
hello.txt檔案。由於範例會指定具有區域元素的金鑰 ARN,因此此範例不會使用--wrapping-keys參數的區域屬性。當包裝金鑰的金鑰 ID 未指定區域時,您可以使用 的區域屬性
--wrapping-keys來指定區域,例如--wrapping-keys key=$keyID region=us-east-1。# Encrypt with a multi-Region KMS key in us-east-1 Region # To run this example, replace the fictitious key ARN with a valid value. $ mrkUSEast1=arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab $ aws-encryption-cli --encrypt \ --input hello.txt \ --wrapping-keys key=$mrkUSEast1 \ --metadata-output ~/metadata \ --encryption-context purpose=test \ --output . - Java
-
若要使用多區域金鑰加密,請執行個體化
AwsKmsMrkAwareMasterKeyProvider並指定多區域金鑰。如需完整範例,請參閱 GitHub 上儲存 適用於 JAVA 的 AWS Encryption SDK 庫BasicMultiRegionKeyEncryptionExample.java
中的 。 //Encrypt with a multi-Region KMS key in us-east-1 Region // Instantiate the client final AwsCrypto crypto = AwsCrypto.builder() .withCommitmentPolicy(CommitmentPolicy.RequireEncryptRequireDecrypt) .build(); // Multi-Region keys have a distinctive key ID that begins with 'mrk' // Specify a multi-Region key in us-east-1 final String mrkUSEast1 = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"; // Instantiate an AWS KMS master key provider in strict mode for multi-Region keys // Configure it to encrypt with the multi-Region key in us-east-1 final AwsKmsMrkAwareMasterKeyProvider kmsMrkProvider = AwsKmsMrkAwareMasterKeyProvider .builder() .buildStrict(mrkUSEast1); // Create an encryption context final Map<String, String> encryptionContext = Collections.singletonMap("Purpose", "Test"); // Encrypt your plaintext data final CryptoResult<byte[], AwsKmsMrkAwareMasterKey> encryptResult = crypto.encryptData( kmsMrkProvider, encryptionContext, sourcePlaintext); byte[] ciphertext = encryptResult.getResult(); - JavaScript Browser
-
若要使用多區域金鑰加密,請使用
buildAwsKmsMrkAwareStrictMultiKeyringBrowser()方法來建立 keyring 並指定多區域金鑰。如需完整範例,請參閱 GitHub 上 適用於 JavaScript 的 AWS Encryption SDK 儲存庫中的 kms_multi_region_simple.ts
。 /* Encrypt with a multi-Region KMS key in us-east-1 Region */ import { buildAwsKmsMrkAwareStrictMultiKeyringBrowser, buildClient, CommitmentPolicy, KMS, } from '@aws-crypto/client-browser' /* Instantiate an AWS Encryption SDK client */ const { encrypt } = buildClient( CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) declare const credentials: { accessKeyId: string secretAccessKey: string sessionToken: string } /* Instantiate an AWS KMS client * The 適用於 JavaScript 的 AWS Encryption SDK gets the Region from the key ARN */ const clientProvider = (region: string) => new KMS({ region, credentials }) /* Specify a multi-Region key in us-east-1 */ const multiRegionUsEastKey = 'arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab' /* Instantiate the keyring */ const encryptKeyring = buildAwsKmsMrkAwareStrictMultiKeyringBrowser({ generatorKeyId: multiRegionUsEastKey, clientProvider, }) /* Set the encryption context */ const context = { purpose: 'test', } /* Test data to encrypt */ const cleartext = new Uint8Array([1, 2, 3, 4, 5]) /* Encrypt the data */ const { result } = await encrypt(encryptKeyring, cleartext, { encryptionContext: context, }) - JavaScript Node.js
-
若要使用多區域金鑰加密,請使用
buildAwsKmsMrkAwareStrictMultiKeyringNode()方法來建立 keyring 並指定多區域金鑰。如需完整範例,請參閱 GitHub 上 適用於 JavaScript 的 AWS Encryption SDK 儲存庫中的 kms_multi_region_simple.ts
。 //Encrypt with a multi-Region KMS key in us-east-1 Region import { buildClient } from '@aws-crypto/client-node' /* Instantiate the AWS Encryption SDK client const { encrypt } = buildClient( CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) /* Test string to encrypt */ const cleartext = 'asdf' /* Multi-Region keys have a distinctive key ID that begins with 'mrk' * Specify a multi-Region key in us-east-1 */ const multiRegionUsEastKey = 'arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab' /* Create an AWS KMS keyring */ const mrkEncryptKeyring = buildAwsKmsMrkAwareStrictMultiKeyringNode({ generatorKeyId: multiRegionUsEastKey, }) /* Specify an encryption context */ const context = { purpose: 'test', } /* Create an encryption keyring */ const { result } = await encrypt(mrkEncryptKeyring, cleartext, { encryptionContext: context, }) - Python
-
若要使用 AWS KMS 多區域金鑰加密,請使用
MRKAwareStrictAwsKmsMasterKeyProvider()方法並指定多區域金鑰。如需完整範例,請參閱 GitHub 上 適用於 Python 的 AWS Encryption SDK 儲存庫中的 mrk_aware_kms_provider.py
。 * Encrypt with a multi-Region KMS key in us-east-1 Region # Instantiate the client client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) # Specify a multi-Region key in us-east-1 mrk_us_east_1 = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab" # Use the multi-Region method to create the master key provider # in strict mode strict_mrk_key_provider = MRKAwareStrictAwsKmsMasterKeyProvider( key_ids=[mrk_us_east_1] ) # Set the encryption context encryption_context = { "purpose": "test" } # Encrypt your plaintext data ciphertext, encrypt_header = client.encrypt( source=source_plaintext, encryption_context=encryption_context, key_provider=strict_mrk_key_provider )
接下來,將您的加密文字移至 us-west-2區域。您不需要重新加密加密文字。
若要在us-west-2區域中以嚴格模式解密加密文字,請使用us-west-2區域中相關multi-Region-aware符號。如果您在不同區域 (包括加密的 ) 中指定相關多區域金鑰的金鑰 ARNus-east-1,multi-Region-aware符號會為此發出跨區域呼叫 AWS KMS key。
在嚴格模式下解密時,multi-Region-aware符號需要金鑰 ARN。它只接受一組相關多區域金鑰中的一個金鑰 ARN。
執行這些範例之前,請將範例多區域金鑰 ARN 取代為 中的有效值 AWS 帳戶。
- C
-
若要使用多區域金鑰在嚴格模式下解密,請使用
Aws::Cryptosdk::KmsMrkAwareSymmetricKeyring::Builder()方法來執行個體化 keyring。在本機 (us-west-2) 區域中指定相關的多區域金鑰。如需完整範例,請參閱 GitHub 上 適用於 C 的 AWS Encryption SDK 儲存庫中的 kms_multi_region_keys.cpp
。 /* Decrypt with a related multi-Region KMS key in us-west-2 Region */ /* Load error strings for debugging */ aws_cryptosdk_load_error_strings(); /* Initialize a multi-Region keyring */ const char *mrk_us_west_2 = "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"; struct aws_cryptosdk_keyring *mrk_keyring = Aws::Cryptosdk::KmsMrkAwareSymmetricKeyring::Builder().Build(mrk_us_west_2); /* Create a session; release the keyring */ struct aws_cryptosdk_session *session = aws_cryptosdk_session_new_from_keyring_2(aws_default_allocator(), AWS_CRYPTOSDK_ENCRYPT, mrk_keyring); aws_cryptosdk_session_set_commitment_policy(session, COMMITMENT_POLICY_REQUIRE_ENCRYPT_REQUIRE_DECRYPT); aws_cryptosdk_keyring_release(mrk_keyring); /* Decrypt the ciphertext * aws_cryptosdk_session_process_full is designed for non-streaming data */ aws_cryptosdk_session_process_full( session, plaintext, plaintext_buf_sz, &plaintext_len, ciphertext, ciphertext_len)); /* Clean up the session */ aws_cryptosdk_session_destroy(session); - C# / .NET
-
若要使用單一多區域金鑰在嚴格模式下解密,請使用您用來組合輸入和建立用於加密的 keyring 的相同建構函式和方法。使用相關多區域金鑰的金鑰 ARN 和美國西部 (奧勒岡) (us-west-2) 區域的 AWS KMS 用戶端來實例化
CreateAwsKmsMrkKeyringInput物件。然後使用CreateAwsKmsMrkKeyring()方法建立具有一個多區域 KMS 金鑰的多區域 keyring。如需完整範例,請參閱 GitHub 上 AWS Encryption SDK for .NET 儲存庫中的 AwsKmsMrkKeyringExample.cs
。 // Decrypt with a related multi-Region KMS key in us-west-2 Region // Instantiate the AWS Encryption SDK and material providers var encryptionSdk = AwsEncryptionSdkFactory.CreateDefaultAwsEncryptionSdk(); var materialProviders = AwsCryptographicMaterialProvidersFactory.CreateDefaultAwsCryptographicMaterialProviders(); // Specify the key ARN of the multi-Region key in us-west-2 string mrkUSWest2 = "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"; // Instantiate the keyring input // You can specify the Region or get the Region from the key ARN var createMrkDecryptKeyringInput = new CreateAwsKmsMrkKeyringInput { KmsClient = new AmazonKeyManagementServiceClient(RegionEndpoint.USWest2), KmsKeyId = mrkUSWest2 }; // Create the multi-Region keyring var mrkDecryptKeyring = materialProviders.CreateAwsKmsMrkKeyring(createMrkDecryptKeyringInput); // Decrypt the ciphertext var decryptInput = new DecryptInput { Ciphertext = ciphertext, Keyring = mrkDecryptKeyring }; var decryptOutput = encryptionSdk.Decrypt(decryptInput); - AWS Encryption CLI
-
若要使用 us-west-2 區域中相關的多區域金鑰解密,請使用
--wrapping-keys參數的金鑰屬性來指定其金鑰 ARN。# Decrypt with a related multi-Region KMS key in us-west-2 Region # To run this example, replace the fictitious key ARN with a valid value. $ mrkUSWest2=arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab $ aws-encryption-cli --decrypt \ --input hello.txt.encrypted \ --wrapping-keys key=$mrkUSWest2 \ --commitment-policy require-encrypt-require-decrypt \ --encryption-context purpose=test \ --metadata-output ~/metadata \ --max-encrypted-data-keys 1 \ --buffer \ --output . - Java
-
若要以嚴格模式解密,請執行個體化 ,
AwsKmsMrkAwareMasterKeyProvider並在本機 (us-west-2) 區域中指定相關的多區域金鑰。如需完整範例,請參閱 GitHub 上 適用於 JAVA 的 AWS Encryption SDK 儲存庫中的 BasicMultiRegionKeyEncryptionExample.java
。 // Decrypt with a related multi-Region KMS key in us-west-2 Region // Instantiate the client final AwsCrypto crypto = AwsCrypto.builder() .withCommitmentPolicy(CommitmentPolicy.RequireEncryptRequireDecrypt) .build(); // Related multi-Region keys have the same key ID. Their key ARNs differs only in the Region field. String mrkUSWest2 = "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"; // Use the multi-Region method to create the master key provider // in strict mode AwsKmsMrkAwareMasterKeyProvider kmsMrkProvider = AwsKmsMrkAwareMasterKeyProvider.builder() .buildStrict(mrkUSWest2); // Decrypt your ciphertext CryptoResult<byte[], AwsKmsMrkAwareMasterKey> decryptResult = crypto.decryptData( kmsMrkProvider, ciphertext); byte[] decrypted = decryptResult.getResult(); - JavaScript Browser
-
若要在嚴格模式下解密,請使用
buildAwsKmsMrkAwareStrictMultiKeyringBrowser()方法來建立 keyring,並在本機 (us-west-2) 區域中指定相關的多區域金鑰。如需完整範例,請參閱 GitHub 上 適用於 JavaScript 的 AWS Encryption SDK 儲存庫中的 kms_multi_region_simple.ts
。 /* Decrypt with a related multi-Region KMS key in us-west-2 Region */ import { buildAwsKmsMrkAwareStrictMultiKeyringBrowser, buildClient, CommitmentPolicy, KMS, } from '@aws-crypto/client-browser' /* Instantiate an AWS Encryption SDK client */ const { decrypt } = buildClient( CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) declare const credentials: { accessKeyId: string secretAccessKey: string sessionToken: string } /* Instantiate an AWS KMS client * The 適用於 JavaScript 的 AWS Encryption SDK gets the Region from the key ARN */ const clientProvider = (region: string) => new KMS({ region, credentials }) /* Specify a multi-Region key in us-west-2 */ const multiRegionUsWestKey = 'arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab' /* Instantiate the keyring */ const mrkDecryptKeyring = buildAwsKmsMrkAwareStrictMultiKeyringBrowser({ generatorKeyId: multiRegionUsWestKey, clientProvider, }) /* Decrypt the data */ const { plaintext, messageHeader } = await decrypt(mrkDecryptKeyring, result) - JavaScript Node.js
-
若要在嚴格模式下解密,請使用
buildAwsKmsMrkAwareStrictMultiKeyringNode()方法來建立 keyring,並在本機 (us-west-2) 區域中指定相關的多區域金鑰。如需完整範例,請參閱 GitHub 上 適用於 JavaScript 的 AWS Encryption SDK 儲存庫中的 kms_multi_region_simple.ts
。 /* Decrypt with a related multi-Region KMS key in us-west-2 Region */ import { buildClient } from '@aws-crypto/client-node' /* Instantiate the client const { decrypt } = buildClient( CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) /* Multi-Region keys have a distinctive key ID that begins with 'mrk' * Specify a multi-Region key in us-west-2 */ const multiRegionUsWestKey = 'arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab' /* Create an AWS KMS keyring */ const mrkDecryptKeyring = buildAwsKmsMrkAwareStrictMultiKeyringNode({ generatorKeyId: multiRegionUsWestKey, }) /* Decrypt your ciphertext */ const { plaintext, messageHeader } = await decrypt(decryptKeyring, result) - Python
-
若要以嚴格模式解密,請使用
MRKAwareStrictAwsKmsMasterKeyProvider()方法來建立主金鑰提供者。在本機 (us-west-2) 區域中指定相關的多區域金鑰。如需完整範例,請參閱 GitHub 上 適用於 Python 的 AWS Encryption SDK 儲存庫中的 mrk_aware_kms_provider.py
。 # Decrypt with a related multi-Region KMS key in us-west-2 Region # Instantiate the client client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) # Related multi-Region keys have the same key ID. Their key ARNs differs only in the Region field mrk_us_west_2 = "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab" # Use the multi-Region method to create the master key provider # in strict mode strict_mrk_key_provider = MRKAwareStrictAwsKmsMasterKeyProvider( key_ids=[mrk_us_west_2] ) # Decrypt your ciphertext plaintext, _ = client.decrypt( source=ciphertext, key_provider=strict_mrk_key_provider )
您也可以使用 AWS KMS 多區域金鑰在探索模式中解密。在探索模式中解密時,您不會指定任何 AWS KMS keys。(如需單一區域 AWS KMS 探索 keyring 的資訊,請參閱 使用 AWS KMS 探索 keyring。)
如果您使用多區域金鑰加密,探索模式中的multi-Region-aware符號會嘗試使用本機區域中的相關多區域金鑰來解密。如果不存在,呼叫會失敗。在探索模式中, AWS Encryption SDK 不會嘗試對用於加密的多區域金鑰進行跨區域呼叫。
注意
如果您在探索模式中使用multi-Region-aware符號來加密資料,加密操作會失敗。
下列範例示範如何在探索模式中使用multi-Region-aware符號進行解密。由於您未指定 AWS KMS key,因此 AWS Encryption SDK 必須從不同的來源取得 區域。如果可能,請明確指定本機區域。否則, 會從軟體 AWS 開發套件中為您的程式設計語言設定的 區域 AWS Encryption SDK 取得本機區域。
執行這些範例之前,請將範例帳戶 ID 和多區域金鑰 ARN 取代為 中的有效值 AWS 帳戶。
- C
-
若要使用多區域金鑰在探索模式中解密,請使用
Aws::Cryptosdk::KmsMrkAwareSymmetricKeyring::Builder()方法建置 keyring,並使用Aws::Cryptosdk::KmsKeyring::DiscoveryFilter::Builder()方法建置探索篩選條件。若要指定本機區域,請定義ClientConfiguration並在用戶端中 AWS KMS 指定它。如需完整範例,請參閱 GitHub 上 適用於 C 的 AWS Encryption SDK 儲存庫中的 kms_multi_region_keys.cpp
。 /* Decrypt in discovery mode with a multi-Region KMS key */ /* Load error strings for debugging */ aws_cryptosdk_load_error_strings(); /* Construct a discovery filter for the account and partition. The * filter is optional, but it's a best practice that we recommend. */ const char *account_id = "111122223333"; const char *partition = "aws"; const std::shared_ptr<Aws::Cryptosdk::KmsKeyring::DiscoveryFilter> discovery_filter = Aws::Cryptosdk::KmsKeyring::DiscoveryFilter::Builder(partition).AddAccount(account_id).Build(); /* Create an AWS KMS client in the desired region. */ const char *region = "us-west-2"; Aws::Client::ClientConfiguration client_config; client_config.region = region; const std::shared_ptr<Aws::KMS::KMSClient> kms_client = Aws::MakeShared<Aws::KMS::KMSClient>("AWS_SAMPLE_CODE", client_config); struct aws_cryptosdk_keyring *mrk_keyring = Aws::Cryptosdk::KmsMrkAwareSymmetricKeyring::Builder() .WithKmsClient(kms_client) .BuildDiscovery(region, discovery_filter); /* Create a session; release the keyring */ struct aws_cryptosdk_session *session = aws_cryptosdk_session_new_from_keyring_2(aws_default_allocator(), AWS_CRYPTOSDK_DECRYPT, mrk_keyring); aws_cryptosdk_keyring_release(mrk_keyring); commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT /* Decrypt the ciphertext * aws_cryptosdk_session_process_full is designed for non-streaming data */ aws_cryptosdk_session_process_full( session, plaintext, plaintext_buf_sz, &plaintext_len, ciphertext, ciphertext_len)); /* Clean up the session */ aws_cryptosdk_session_destroy(session); - C# / .NET
-
若要在適用於 .NET AWS Encryption SDK 的 中建立multi-Region-aware探索 keyring,請執行個體化接受特定 AWS KMS 用戶端的
CreateAwsKmsMrkDiscoveryKeyringInput物件 AWS 區域,以及將 KMS 金鑰限制在特定 AWS 分割區和帳戶的選用探索篩選條件。然後使用輸入物件呼叫CreateAwsKmsMrkDiscoveryKeyring()方法。如需完整範例,請參閱 GitHub 上 AWS Encryption SDK 適用於 .NET 儲存庫的 中的 AwsKmsMrkDiscoveryKeyringExample.cs。 若要為多個 建立multi-Region-aware探索 keyring AWS 區域,請使用
CreateAwsKmsMrkDiscoveryMultiKeyring()方法建立多區域感知探索 keyring,或使用CreateAwsKmsMrkDiscoveryKeyring()建立多個多區域感知探索 keyring,然後使用CreateMultiKeyring()方法在多金鑰集中合併它們。 multi-Region-aware如需範例,請參閱 AwsKmsMrkDiscoveryMultiKeyringExample.cs
。 // Decrypt in discovery mode with a multi-Region KMS key // Instantiate the AWS Encryption SDK and material providers var encryptionSdk = AwsEncryptionSdkFactory.CreateDefaultAwsEncryptionSdk(); var materialProviders = AwsCryptographicMaterialProvidersFactory.CreateDefaultAwsCryptographicMaterialProviders(); List<string> account = new List<string> { "111122223333" }; // Instantiate the discovery filter DiscoveryFilter mrkDiscoveryFilter = new DiscoveryFilter() { AccountIds = account, Partition = "aws" } // Create the keyring var createMrkDiscoveryKeyringInput = new CreateAwsKmsMrkDiscoveryKeyringInput { KmsClient = new AmazonKeyManagementServiceClient(RegionEndpoint.USWest2), DiscoveryFilter = mrkDiscoveryFilter }; var mrkDiscoveryKeyring = materialProviders.CreateAwsKmsMrkDiscoveryKeyring(createMrkDiscoveryKeyringInput); // Decrypt the ciphertext var decryptInput = new DecryptInput { Ciphertext = ciphertext, Keyring = mrkDiscoveryKeyring }; var decryptOutput = encryptionSdk.Decrypt(decryptInput); - AWS Encryption CLI
-
若要在探索模式中解密,請使用
--wrapping-keys參數的探索屬性。探索帳戶和探索分割區屬性會建立選用但建議的探索篩選條件。若要指定區域,此命令包含
--wrapping-keys參數的區域屬性。# Decrypt in discovery mode with a multi-Region KMS key $ aws-encryption-cli --decrypt \ --input hello.txt.encrypted \ --wrapping-keys discovery=true \ discovery-account=111122223333 \ discovery-partition=aws \ region=us-west-2 \ --encryption-context purpose=test \ --metadata-output ~/metadata \ --max-encrypted-data-keys 1 \ --buffer \ --output . - Java
-
若要指定本機區域,請使用
builder().withDiscoveryMrkRegion參數。否則, 會從 中設定的 區域 AWS Encryption SDK 取得本機區域AWS SDK for Java。如需完整範例,請參閱 GitHub 上 適用於 JAVA 的 AWS Encryption SDK 儲存庫中的 DiscoveryMultiRegionDecryptionExample.java
。 // Decrypt in discovery mode with a multi-Region KMS key // Instantiate the client final AwsCrypto crypto = AwsCrypto.builder() .withCommitmentPolicy(CommitmentPolicy.RequireEncryptRequireDecrypt) .build(); DiscoveryFilter discoveryFilter = new DiscoveryFilter("aws", 111122223333); AwsKmsMrkAwareMasterKeyProvider mrkDiscoveryProvider = AwsKmsMrkAwareMasterKeyProvider .builder() .withDiscoveryMrkRegion(Region.US_WEST_2) .buildDiscovery(discoveryFilter); // Decrypt your ciphertext final CryptoResult<byte[], AwsKmsMrkAwareMasterKey> decryptResult = crypto .decryptData(mrkDiscoveryProvider, ciphertext); - JavaScript Browser
-
若要使用對稱多區域金鑰在探索模式中解密,請使用
AwsKmsMrkAwareSymmetricDiscoveryKeyringBrowser()方法。如需完整範例,請參閱 GitHub 上 適用於 JavaScript 的 AWS Encryption SDK 儲存庫中的 kms_multi_region_discovery.ts
。 /* Decrypt in discovery mode with a multi-Region KMS key */ import { AwsKmsMrkAwareSymmetricDiscoveryKeyringBrowser, buildClient, CommitmentPolicy, KMS, } from '@aws-crypto/client-browser' /* Instantiate an AWS Encryption SDK client */ const { decrypt } = buildClient() declare const credentials: { accessKeyId: string secretAccessKey: string sessionToken: string } /* Instantiate the KMS client with an explicit Region */ const client = new KMS({ region: 'us-west-2', credentials }) /* Create a discovery filter */ const discoveryFilter = { partition: 'aws', accountIDs: ['111122223333'] } /* Create an AWS KMS discovery keyring */ const mrkDiscoveryKeyring = new AwsKmsMrkAwareSymmetricDiscoveryKeyringBrowser({ client, discoveryFilter, }) /* Decrypt the data */ const { plaintext, messageHeader } = await decrypt(mrkDiscoveryKeyring, ciphertext) - JavaScript Node.js
-
若要使用對稱多區域金鑰在探索模式中解密,請使用
AwsKmsMrkAwareSymmetricDiscoveryKeyringNode()方法。如需完整範例,請參閱 GitHub 上 適用於 JavaScript 的 AWS Encryption SDK 儲存庫中的 kms_multi_region_discovery.ts
。 /* Decrypt in discovery mode with a multi-Region KMS key */ import { AwsKmsMrkAwareSymmetricDiscoveryKeyringNode, buildClient, CommitmentPolicy, KMS, } from '@aws-crypto/client-node' /* Instantiate the Encryption SDK client const { decrypt } = buildClient() /* Instantiate the KMS client with an explicit Region */ const client = new KMS({ region: 'us-west-2' }) /* Create a discovery filter */ const discoveryFilter = { partition: 'aws', accountIDs: ['111122223333'] } /* Create an AWS KMS discovery keyring */ const mrkDiscoveryKeyring = new AwsKmsMrkAwareSymmetricDiscoveryKeyringNode({ client, discoveryFilter, }) /* Decrypt your ciphertext */ const { plaintext, messageHeader } = await decrypt(mrkDiscoveryKeyring, result) - Python
-
若要使用多區域金鑰在探索模式中解密,請使用
MRKAwareDiscoveryAwsKmsMasterKeyProvider()方法。如需完整範例,請參閱 GitHub 上 適用於 Python 的 AWS Encryption SDK 儲存庫中的 mrk_aware_kms_provider.py
。 # Decrypt in discovery mode with a multi-Region KMS key # Instantiate the client client = aws_encryption_sdk.EncryptionSDKClient() # Create the discovery filter and specify the region decrypt_kwargs = dict( discovery_filter=DiscoveryFilter(account_ids="111122223333", partition="aws"), discovery_region="us-west-2", ) # Use the multi-Region method to create the master key provider # in discovery mode mrk_discovery_key_provider = MRKAwareDiscoveryAwsKmsMasterKeyProvider(**decrypt_kwargs) # Decrypt your ciphertext plaintext, _ = client.decrypt( source=ciphertext, key_provider=mrk_discovery_key_provider )
選擇演算法套件
AWS Encryption SDK 支援數種對稱和非對稱加密演算法,以在您指定的包裝金鑰下加密資料金鑰。不過,當它使用這些資料金鑰來加密您的資料時, 會 AWS Encryption SDK 預設為使用 AES-GCM 演算法搭配金鑰衍生、數位簽章和金鑰承諾的建議演算法套件。雖然預設演算法套件可能適用於大多數應用程式,但您可以選擇替代演算法套件。例如,某些信任模型將由沒有數位簽章的演算法套件所滿足。如需 AWS Encryption SDK 支援的演算法套件相關資訊,請參閱 AWS Encryption SDK中的支援演算法套件。
下列範例示範如何在加密時選取替代演算法套件。這些範例會選取建議的 AES-GCM 演算法套件,其中包含金鑰衍生和金鑰承諾,但不含數位簽章。當您使用不包含數位簽章的演算法套件進行加密時,請在解密時使用未簽署的僅限解密模式。此模式如果遇到簽署的加密文字,則失敗在串流解密時最有用。
- C
-
若要在 中指定替代演算法套件 適用於 C 的 AWS Encryption SDK,您必須明確建立 CMM。然後使用
aws_cryptosdk_default_cmm_set_alg_id搭配 CMM 和選取的演算法套件。/* Specify an algorithm suite without signing */ /* Load error strings for debugging */ aws_cryptosdk_load_error_strings(); /* Construct an AWS KMS keyring */ struct aws_cryptosdk_keyring *kms_keyring = Aws::Cryptosdk::KmsKeyring::Builder().Build(key_arn); /* To set an alternate algorithm suite, create an cryptographic materials manager (CMM) explicitly */ struct aws_cryptosdk_cmm *cmm = aws_cryptosdk_default_cmm_new(aws_default_allocator(), kms_keyring); aws_cryptosdk_keyring_release(kms_keyring); /* Specify the algorithm suite for the CMM */ aws_cryptosdk_default_cmm_set_alg_id(cmm, ALG_AES256_GCM_HKDF_SHA512_COMMIT_KEY); /* Construct the session with the CMM, then release the CMM reference */ struct aws_cryptosdk_session *session = aws_cryptosdk_session_new_from_cmm_2(alloc, AWS_CRYPTOSDK_ENCRYPT, cmm); aws_cryptosdk_cmm_release(cmm); /* Encrypt the data Use aws_cryptosdk_session_process_full with non-streaming data */ if (AWS_OP_SUCCESS != aws_cryptosdk_session_process_full( session, ciphertext, ciphertext_buf_sz, &ciphertext_len, plaintext, plaintext_len)) { aws_cryptosdk_session_destroy(session); return AWS_OP_ERR; }解密在沒有數位簽章的情況下加密的資料時,請使用
AWS_CRYPTOSDK_DECRYPT_UNSIGNED。如果解密遇到簽署的加密文字,這會導致解密失敗。/* Decrypt unsigned streaming data */ /* Load error strings for debugging */ aws_cryptosdk_load_error_strings(); /* Construct an AWS KMS keyring */ struct aws_cryptosdk_keyring *kms_keyring = Aws::Cryptosdk::KmsKeyring::Builder().Build(key_arn); /* Create a session for decrypting with the AWS KMS keyring Then release the keyring reference */ struct aws_cryptosdk_session *session = aws_cryptosdk_session_new_from_keyring_2(alloc, AWS_CRYPTOSDK_DECRYPT_UNSIGNED, kms_keyring); aws_cryptosdk_keyring_release(kms_keyring); if (!session) { return AWS_OP_ERR; } /* Limit encrypted data keys */ aws_cryptosdk_session_set_max_encrypted_data_keys(session, 1); /* Decrypt Use aws_cryptosdk_session_process_full with non-streaming data */ if (AWS_OP_SUCCESS != aws_cryptosdk_session_process_full( session, plaintext, plaintext_buf_sz, &plaintext_len, ciphertext, ciphertext_len)) { aws_cryptosdk_session_destroy(session); return AWS_OP_ERR; } - C# / .NET
-
若要在 AWS Encryption SDK 適用於 .NET 的 中指定替代演算法套件,請指定 EncryptInput
物件的 AlgorithmSuiteId屬性。 AWS Encryption SDK for .NET 包含常數,可用於識別您偏好的演算法套件。 AWS Encryption SDK 適用於 .NET 的 沒有在串流解密時偵測已簽署加密文字的方法,因為此程式庫不支援串流資料。
// Specify an algorithm suite without signing // Instantiate the AWS Encryption SDK and material providers var encryptionSdk = AwsEncryptionSdkFactory.CreateDefaultAwsEncryptionSdk(); var materialProviders = AwsCryptographicMaterialProvidersFactory.CreateDefaultAwsCryptographicMaterialProviders(); // Create the keyring var keyringInput = new CreateAwsKmsKeyringInput { KmsClient = new AmazonKeyManagementServiceClient(), KmsKeyId = keyArn }; var keyring = materialProviders.CreateAwsKmsKeyring(keyringInput); // Encrypt your plaintext data var encryptInput = new EncryptInput { Plaintext = plaintext, Keyring = keyring, AlgorithmSuiteId = AlgorithmSuiteId.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY }; var encryptOutput = encryptionSdk.Encrypt(encryptInput); - AWS Encryption CLI
-
加密
hello.txt檔案時,此範例會使用--algorithm參數來指定沒有數位簽章的演算法套件。# Specify an algorithm suite without signing # To run this example, replace the fictitious key ARN with a valid value. $ keyArn=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab $ aws-encryption-cli --encrypt \ --input hello.txt \ --wrapping-keys key=$keyArn \ --algorithm AES_256_GCM_HKDF_SHA512_COMMIT_KEY \ --metadata-output ~/metadata \ --encryption-context purpose=test \ --commitment-policy require-encrypt-require-decrypt \ --output hello.txt.encrypted \ --decode解密時,此範例會使用
--decrypt-unsigned參數。建議您使用此參數,以確保您解密未簽章的密碼文字,尤其是使用一律串流輸入和輸出的 CLI。# Decrypt unsigned streaming data # To run this example, replace the fictitious key ARN with a valid value. $ keyArn=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab $ aws-encryption-cli --decrypt-unsigned \ --input hello.txt.encrypted \ --wrapping-keys key=$keyArn \ --max-encrypted-data-keys 1 \ --commitment-policy require-encrypt-require-decrypt \ --encryption-context purpose=test \ --metadata-output ~/metadata \ --output . - Java
-
若要指定替代演算法套件,請使用
AwsCrypto.builder().withEncryptionAlgorithm()方法。此範例指定沒有數位簽章的替代演算法套件。// Specify an algorithm suite without signing // Instantiate the client AwsCrypto crypto = AwsCrypto.builder() .withCommitmentPolicy(CommitmentPolicy.RequireEncryptRequireDecrypt) .withEncryptionAlgorithm(CryptoAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY) .build(); String awsKmsKey = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; // Create a master key provider in strict mode KmsMasterKeyProvider masterKeyProvider = KmsMasterKeyProvider.builder() .buildStrict(awsKmsKey); // Create an encryption context to identify this ciphertext Map<String, String> encryptionContext = Collections.singletonMap("Example", "FileStreaming"); // Encrypt your plaintext data CryptoResult<byte[], KmsMasterKey> encryptResult = crypto.encryptData( masterKeyProvider, sourcePlaintext, encryptionContext); byte[] ciphertext = encryptResult.getResult();串流解密資料時,請使用
createUnsignedMessageDecryptingStream()方法,確保您解密的所有加密文字都未簽署。// Decrypt unsigned streaming data // Instantiate the client AwsCrypto crypto = AwsCrypto.builder() .withCommitmentPolicy(CommitmentPolicy.RequireEncryptRequireDecrypt) .withMaxEncryptedDataKeys(1) .build(); // Create a master key provider in strict mode String awsKmsKey = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; KmsMasterKeyProvider masterKeyProvider = KmsMasterKeyProvider.builder() .buildStrict(awsKmsKey); // Decrypt the encrypted message FileInputStream in = new FileInputStream(srcFile + ".encrypted"); CryptoInputStream<KmsMasterKey> decryptingStream = crypto.createUnsignedMessageDecryptingStream(masterKeyProvider, in); // Return the plaintext data // Write the plaintext data to disk FileOutputStream out = new FileOutputStream(srcFile + ".decrypted"); IOUtils.copy(decryptingStream, out); decryptingStream.close(); - JavaScript Browser
-
若要指定替代演算法套件,請使用
suiteId參數搭配AlgorithmSuiteIdentifier列舉值。// Specify an algorithm suite without signing // Instantiate the client const { encrypt } = buildClient( CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) // Specify a KMS key const generatorKeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; // Create a keyring with the KMS key const keyring = new KmsKeyringBrowser({ generatorKeyId }) // Encrypt your plaintext data const { result } = await encrypt(keyring, cleartext, { suiteId: AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA512_COMMIT_KEY, encryptionContext: context, })解密時,請使用標準
decrypt方法。在瀏覽器 適用於 JavaScript 的 AWS Encryption SDK 中 沒有decrypt-unsigned模式,因為瀏覽器不支援串流。// Decrypt unsigned streaming data // Instantiate the client const { decrypt } = buildClient( CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) // Create a keyring with the same KMS key used to encrypt const generatorKeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; const keyring = new KmsKeyringBrowser({ generatorKeyId }) // Decrypt the encrypted message const { plaintext, messageHeader } = await decrypt(keyring, ciphertextMessage) - JavaScript Node.js
-
若要指定替代演算法套件,請使用
suiteId參數搭配AlgorithmSuiteIdentifier列舉值。// Specify an algorithm suite without signing // Instantiate the client const { encrypt } = buildClient( CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) // Specify a KMS key const generatorKeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; // Create a keyring with the KMS key const keyring = new KmsKeyringNode({ generatorKeyId }) // Encrypt your plaintext data const { result } = await encrypt(keyring, cleartext, { suiteId: AlgorithmSuiteIdentifier.ALG_AES256_GCM_IV12_TAG16_HKDF_SHA512_COMMIT_KEY, encryptionContext: context, })解密在沒有數位簽章的情況下加密的資料時,請使用 decryptUnsignedMessageStream。如果遇到簽署的密碼文字,此方法會失敗。
// Decrypt unsigned streaming data // Instantiate the client const { decryptUnsignedMessageStream } = buildClient( CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT ) // Create a keyring with the same KMS key used to encrypt const generatorKeyId = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; const keyring = new KmsKeyringNode({ generatorKeyId }) // Decrypt the encrypted message const outputStream = createReadStream(filename) .pipe(decryptUnsignedMessageStream(keyring)) - Python
-
若要指定替代加密演算法,請使用
algorithm參數搭配Algorithm列舉值。# Specify an algorithm suite without signing # Instantiate a client client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT, max_encrypted_data_keys=1) # Create a master key provider in strict mode aws_kms_key = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" aws_kms_strict_master_key_provider = StrictAwsKmsMasterKeyProvider( key_ids=[aws_kms_key] ) # Encrypt the plaintext using an alternate algorithm suite ciphertext, encrypted_message_header = client.encrypt( algorithm=Algorithm.AES_256_GCM_HKDF_SHA512_COMMIT_KEY, source=source_plaintext, key_provider=kms_key_provider )解密沒有數位簽章的加密訊息時,請使用
decrypt-unsigned串流模式,特別是在串流時解密時。# Decrypt unsigned streaming data # Instantiate the client client = aws_encryption_sdk.EncryptionSDKClient(commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT, max_encrypted_data_keys=1) # Create a master key provider in strict mode aws_kms_key = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" aws_kms_strict_master_key_provider = StrictAwsKmsMasterKeyProvider( key_ids=[aws_kms_key] ) # Decrypt with decrypt-unsigned with open(ciphertext_filename, "rb") as ciphertext, open(cycled_plaintext_filename, "wb") as plaintext: with client.stream(mode="decrypt-unsigned", source=ciphertext, key_provider=master_key_provider) as decryptor: for chunk in decryptor: plaintext.write(chunk) # Verify that the encryption context assert all( pair in decryptor.header.encryption_context.items() for pair in encryptor.header.encryption_context.items() ) return ciphertext_filename, cycled_plaintext_filename - Rust
-
若要在 AWS Encryption SDK for Rust 的 中指定替代演算法套件,請在加密請求中指定
algorithm_suite_id屬性。// Instantiate the AWS Encryption SDK client let esdk_config = AwsEncryptionSdkConfig::builder().build()?; let esdk_client = esdk_client::Client::from_conf(esdk_config)?; // Define the key namespace and key name let key_namespace: &str = "HSM_01"; let key_name: &str = "AES_256_012"; // Optional: Create an encryption context let encryption_context = HashMap::from([ ("encryption".to_string(), "context".to_string()), ("is not".to_string(), "secret".to_string()), ("but adds".to_string(), "useful metadata".to_string()), ("that can help you".to_string(), "be confident that".to_string()), ("the data you are handling".to_string(), "is what you think it is".to_string()), ]); // Instantiate the material providers library let mpl_config = MaterialProvidersConfig::builder().build()?; let mpl = mpl_client::Client::from_conf(mpl_config)?; // Create Raw AES keyring let raw_aes_keyring = mpl .create_raw_aes_keyring() .key_name(key_name) .key_namespace(key_namespace) .wrapping_key(aws_smithy_types::Blob::new(AESWrappingKey)) .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16) .send() .await?; // Encrypt your plaintext data let plaintext = example_data.as_bytes(); let encryption_response = esdk_client.encrypt() .plaintext(plaintext) .keyring(raw_aes_keyring.clone()) .encryption_context(encryption_context.clone()) .algorithm_suite_id(AlgAes256GcmHkdfSha512CommitKey) .send() .await?; - Go
-
import ( "context" mpl "aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygenerated" mpltypes "aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygeneratedtypes" client "github.com/aws/aws-encryption-sdk/awscryptographyencryptionsdksmithygenerated" esdktypes "github.com/aws/aws-encryption-sdk/awscryptographyencryptionsdksmithygeneratedtypes" ) // Instantiate the AWS Encryption SDK client encryptionClient, err := client.NewClient(esdktypes.AwsEncryptionSdkConfig{}) if err != nil { panic(err) } // Define the key namespace and key name var keyNamespace = "HSM_01" var keyName = "AES_256_012" // Optional: Create an encryption context encryptionContext := map[string]string{ "encryption": "context", "is not": "secret", "but adds": "useful metadata", "that can help you": "be confident that", "the data you are handling": "is what you think it is", } // Instantiate the material providers library matProv, err := mpl.NewClient(mpltypes.MaterialProvidersConfig{}) if err != nil { panic(err) } // Create Raw AES keyring aesKeyRingInput := mpltypes.CreateRawAesKeyringInput{ KeyName: keyName, KeyNamespace: keyNamespace, WrappingKey: key, WrappingAlg: mpltypes.AesWrappingAlgAlgAes256GcmIv12Tag16, } aesKeyring, err := matProv.CreateRawAesKeyring(context.Background(), aesKeyRingInput) if err != nil { panic(err) } // Encrypt your plaintext data algorithmSuiteId := mpltypes.ESDKAlgorithmSuiteIdAlgAes256GcmHkdfSha512CommitKeyres, err := encryptionClient.Encrypt(context.Background(), esdktypes.EncryptInput{ Plaintext: []byte(exampleText), EncryptionContext: encryptionContext, Keyring: aesKeyring, AlgorithmSuiteId: &algorithmSuiteId, }) if err != nil { panic(err) }
限制加密的資料金鑰
您可以限制加密訊息中的加密資料金鑰數量。此最佳實務功能可協助您在加密時偵測設定錯誤的 keyring,或在解密時偵測惡意密碼文字。它還可以防止對金鑰基礎設施進行不必要的、昂貴和可能詳盡的呼叫。當您從不受信任的來源解密訊息時,限制加密的資料金鑰最有價值。
雖然大多數加密訊息對於加密中使用的每個包裝金鑰都有一個加密資料金鑰,但加密的訊息最多可包含 65,535 個加密資料金鑰。惡意演員可能會建構具有數千個加密資料金鑰的加密訊息,這些金鑰都無法解密。因此, AWS Encryption SDK 會嘗試解密每個加密的資料金鑰,直到耗盡訊息中的加密資料金鑰為止。
若要限制加密的資料金鑰,請使用 MaxEncryptedDataKeys 參數。此參數適用於從 版本 1.9.x 和 2.2.x 開始的所有支援的程式設計語言。 AWS Encryption SDK在加密和解密時,這是選用且有效的。下列範例會解密在三個不同的包裝金鑰下加密的資料。MaxEncryptedDataKeys 值設定為 3。
- C
-
/* Load error strings for debugging */ aws_cryptosdk_load_error_strings(); /* Construct an AWS KMS keyring */ struct aws_cryptosdk_keyring *kms_keyring = Aws::Cryptosdk::KmsKeyring::Builder().Build(key_arn1, { key_arn2, key_arn3 }); /* Create a session */ struct aws_cryptosdk_session *session = aws_cryptosdk_session_new_from_keyring_2(alloc, AWS_CRYPTOSDK_DECRYPT, kms_keyring); aws_cryptosdk_keyring_release(kms_keyring); /* Limit encrypted data keys */ aws_cryptosdk_session_set_max_encrypted_data_keys(session, 3); /* Decrypt */ size_t ciphertext_consumed_output; aws_cryptosdk_session_process(session, plaintext_output, plaintext_buf_sz_output, &plaintext_len_output, ciphertext_input, ciphertext_len_input, &ciphertext_consumed_output); assert(aws_cryptosdk_session_is_done(session)); assert(ciphertext_consumed == ciphertext_len); - C# / .NET
-
若要限制 AWS Encryption SDK 適用於 .NET 的 中的加密資料金鑰,請執行個體化 AWS Encryption SDK 適用於 .NET 的 用戶端,並將其選用
MaxEncryptedDataKeys參數設定為所需的值。然後,在設定的 AWS Encryption SDK 執行個體上呼叫Decrypt()方法。// Decrypt with limited data keys // Instantiate the material providers var materialProviders = AwsCryptographicMaterialProvidersFactory.CreateDefaultAwsCryptographicMaterialProviders(); // Configure the commitment policy on the AWS Encryption SDK instance var config = new AwsEncryptionSdkConfig { MaxEncryptedDataKeys = 3 }; var encryptionSdk = AwsEncryptionSdkFactory.CreateAwsEncryptionSdk(config); // Create the keyring string keyArn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; var createKeyringInput = new CreateAwsKmsKeyringInput { KmsClient = new AmazonKeyManagementServiceClient(), KmsKeyId = keyArn }; var decryptKeyring = materialProviders.CreateAwsKmsKeyring(createKeyringInput); // Decrypt the ciphertext var decryptInput = new DecryptInput { Ciphertext = ciphertext, Keyring = decryptKeyring }; var decryptOutput = encryptionSdk.Decrypt(decryptInput); - AWS Encryption CLI
-
# Decrypt with limited encrypted data keys$aws-encryption-cli --decrypt \ --input hello.txt.encrypted \ --wrapping-keys key=$key_arn1 key=$key_arn2 key=$key_arn3 \ --buffer \ --max-encrypted-data-keys 3 \ --encryption-context purpose=test \ --metadata-output ~/metadata \ --output . - Java
-
// Construct a client with limited encrypted data keys final AwsCrypto crypto = AwsCrypto.builder() .withMaxEncryptedDataKeys(3) .build(); // Create an AWS KMS master key provider final KmsMasterKeyProvider keyProvider = KmsMasterKeyProvider.builder() .buildStrict(keyArn1, keyArn2, keyArn3); // Decrypt final CryptoResult<byte[], KmsMasterKey> decryptResult = crypto.decryptData(keyProvider, ciphertext) - JavaScript Browser
-
// Construct a client with limited encrypted data keys const { encrypt, decrypt } = buildClient({ maxEncryptedDataKeys: 3 }) declare const credentials: { accessKeyId: string secretAccessKey: string sessionToken: string } const clientProvider = getClient(KMS, { credentials: { accessKeyId, secretAccessKey, sessionToken } }) // Create an AWS KMS keyring const keyring = new KmsKeyringBrowser({ clientProvider, keyIds: [keyArn1, keyArn2, keyArn3], }) // Decrypt const { plaintext, messageHeader } = await decrypt(keyring, ciphertext) - JavaScript Node.js
-
// Construct a client with limited encrypted data keys const { encrypt, decrypt } = buildClient({ maxEncryptedDataKeys: 3 }) // Create an AWS KMS keyring const keyring = new KmsKeyringBrowser({ keyIds: [keyArn1, keyArn2, keyArn3], }) // Decrypt const { plaintext, messageHeader } = await decrypt(keyring, ciphertext) - Python
-
# Instantiate a client with limited encrypted data keys client = aws_encryption_sdk.EncryptionSDKClient(max_encrypted_data_keys=3) # Create an AWS KMS master key provider master_key_provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider( key_ids=[key_arn1, key_arn2, key_arn3]) # Decrypt plaintext, header = client.decrypt(source=ciphertext, key_provider=master_key_provider) - Rust
-
// Instantiate the AWS Encryption SDK client with limited encrypted data keys let esdk_config = AwsEncryptionSdkConfig::builder() .max_encrypted_data_keys(max_encrypted_data_keys) .build()?; let esdk_client = esdk_client::Client::from_conf(esdk_config)?; // Define the key namespace and key name let key_namespace: &str = "HSM_01"; let key_name: &str = "AES_256_012"; // Instantiate the material providers library let mpl_config = MaterialProvidersConfig::builder().build()?; let mpl = mpl_client::Client::from_conf(mpl_config)?; // Generate `max_encrypted_data_keys` raw AES keyrings to use with your keyring let mut raw_aes_keyrings: Vec<KeyringRef> = vec![]; assert!(max_encrypted_data_keys > 0, "max_encrypted_data_keys MUST be greater than 0"); let mut i = 0; while i < max_encrypted_data_keys { let aes_key_bytes = generate_aes_key_bytes(); let raw_aes_keyring = mpl .create_raw_aes_keyring() .key_name(key_name) .key_namespace(key_namespace) .wrapping_key(aes_key_bytes) .wrapping_alg(AesWrappingAlg::AlgAes256GcmIv12Tag16) .send() .await?; raw_aes_keyrings.push(raw_aes_keyring); i += 1; } // Create a Multi Keyring with `max_encrypted_data_keys` AES Keyrings let generator_keyring = raw_aes_keyrings.remove(0); let multi_keyring = mpl .create_multi_keyring() .generator(generator_keyring) .child_keyrings(raw_aes_keyrings) .send() .await?; - Go
-
import ( "context" mpl "aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygenerated" mpltypes "aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygeneratedtypes" client "github.com/aws/aws-encryption-sdk/awscryptographyencryptionsdksmithygenerated" esdktypes "github.com/aws/aws-encryption-sdk/awscryptographyencryptionsdksmithygeneratedtypes" ) // Instantiate the AWS Encryption SDK client with limited encrypted data keys encryptionClient, err := client.NewClient(esdktypes.AwsEncryptionSdkConfig{ MaxEncryptedDataKeys: &maxEncryptedDataKeys, }) if err != nil { panic(err) } // Define the key namespace and key name var keyNamespace = "HSM_01" var keyName = "RSA_2048_06" // Instantiate the material providers library matProv, err := mpl.NewClient(mpltypes.MaterialProvidersConfig{}) if err != nil { panic(err) } // Generate `maxEncryptedDataKeys` raw AES keyrings to use with your keyring rawAESKeyrings := make([]mpltypes.IKeyring, 0, maxEncryptedDataKeys) var i int64 = 0 for i < maxEncryptedDataKeys { key, err := generate256KeyBytesAES() if err != nil { panic(err) } aesKeyRingInput := mpltypes.CreateRawAesKeyringInput{ KeyName: keyName, KeyNamespace: keyNamespace, WrappingKey: key, WrappingAlg: mpltypes.AesWrappingAlgAlgAes256GcmIv12Tag16, } aesKeyring, err := matProv.CreateRawAesKeyring(context.Background(), aesKeyRingInput) if err != nil { panic(err) } rawAESKeyrings = append(rawAESKeyrings, aesKeyring) i++ } // Create a Multi Keyring with `max_encrypted_data_keys` AES Keyrings createMultiKeyringInput := mpltypes.CreateMultiKeyringInput{ Generator: rawAESKeyrings[0], ChildKeyrings: rawAESKeyrings[1:], } multiKeyring, err := matProv.CreateMultiKeyring(context.Background(), createMultiKeyringInput) if err != nil { panic(err) }
建立探索篩選條件
解密使用 KMS 金鑰加密的資料時,最佳實務是以嚴格模式解密,也就是將所使用的包裝金鑰限制為您指定的金鑰。不過,如有必要,您也可以在探索模式中解密,其中不指定任何包裝金鑰。在此模式中, AWS KMS 可以使用加密資料金鑰的 KMS 金鑰來解密加密的資料金鑰,無論誰擁有或可存取該 KMS 金鑰。
如果您必須在探索模式中解密,建議您一律使用探索篩選條件,這會限制 KMS 金鑰,可用於指定 AWS 帳戶 和 分割區中的金鑰。探索篩選條件是選用的,但這是最佳實務。
使用下表來判斷探索篩選條件的分割區值。
| 區域 | 分區 |
|---|---|
| AWS 區域 | aws |
| 中國區域 | aws-cn |
| AWS GovCloud (US) Regions | aws-us-gov |
本節中的範例示範如何建立探索篩選條件。使用程式碼之前,請將範例值取代為 AWS 帳戶 和 分割區的有效值。
- C
-
如需完整範例,請參閱 中的 kms_discovery.cpp
適用於 C 的 AWS Encryption SDK。 /* Create a discovery filter for an AWS account and partition */ const char *account_id = "111122223333"; const char *partition = "aws"; const std::shared_ptr<Aws::Cryptosdk::KmsKeyring::DiscoveryFilter> discovery_filter = Aws::Cryptosdk::KmsKeyring::DiscoveryFilter::Builder(partition).AddAccount(account_id).Build(); - C# / .NET
-
如需完整範例,請參閱 AWS Encryption SDK 《 for .NET》中的 DiscoveryFilterExample.cs
。 // Create a discovery filter for an AWS account and partition List<string> account = new List<string> { "111122223333" }; DiscoveryFilter exampleDiscoveryFilter = new DiscoveryFilter() { AccountIds = account, Partition = "aws" } - AWS Encryption CLI
-
# Decrypt in discovery mode with a discovery filter $ aws-encryption-cli --decrypt \ --input hello.txt.encrypted \ --wrapping-keys discovery=true \ discovery-account=111122223333\ discovery-partition=aws\ --encryption-context purpose=test \ --metadata-output ~/metadata \ --max-encrypted-data-keys 1 \ --buffer \ --output . - Java
-
如需完整範例,請參閱 中的 DiscoveryDecryptionExample.java
適用於 JAVA 的 AWS Encryption SDK。 // Create a discovery filter for an AWS account and partition DiscoveryFilter discoveryFilter = new DiscoveryFilter("aws",111122223333); - JavaScript (Node and Browser)
-
如需完整範例,請參閱 中的 kms_filtered_discovery.ts
(Node 適用於 JavaScript 的 AWS Encryption SDK.js) 和 kms_multi_region_discovery.ts (瀏覽器)。 /* Create a discovery filter for an AWS account and partition */ const discoveryFilter = { accountIDs: ['111122223333'], partition: 'aws', } - Python
-
如需完整範例,請參閱 中的 discovery_kms_provider.py
適用於 Python 的 AWS Encryption SDK。 # Create the discovery filter and specify the region decrypt_kwargs = dict( discovery_filter=DiscoveryFilter(account_ids="111122223333", partition="aws"), discovery_region="us-west-2", ) - Rust
-
let discovery_filter = DiscoveryFilter::builder() .account_ids(vec![111122223333.to_string()]) .partition("aws".to_string()) .build()?; - Go
-
import ( mpltypes "aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygeneratedtypes" ) discoveryFilter := mpltypes.DiscoveryFilter{ AccountIds: []string{111122223333}, Partition: "aws", }
設定所需的加密內容 CMM
您可以使用所需的加密內容 CMM,在密碼編譯操作中要求加密內容。加密內容是一組非秘密金鑰值對。加密內容以加密方式繫結至加密的資料,因此需要相同的加密內容才能解密 欄位。當您使用必要的加密內容 CMM 時,您可以指定一或多個必要的加密內容金鑰 (必要的金鑰),這些金鑰必須包含在所有加密和解密呼叫中。
注意
必要的加密內容 CMM 僅支援下列版本:
-
3.x 版 適用於 JAVA 的 AWS Encryption SDK
-
AWS Encryption SDK 適用於 .NET 的 4.x 版
-
4.x 版 適用於 Python 的 AWS Encryption SDK,與選用的加密材料提供者程式庫
(MPL) 相依性搭配使用時。 -
適用於 Go 的 0.1.x AWS Encryption SDK 版或更新版本
如果您使用必要的加密內容 CMM 加密資料,您只能使用其中一個支援的版本來解密資料。
在加密時, AWS Encryption SDK 會驗證所有必要的加密內容金鑰是否包含在您指定的加密內容中。會 AWS Encryption SDK 簽署您指定的加密內容。只有非必要金鑰的鍵值對才會序列化,並以純文字存放在加密操作傳回的加密訊息標頭中。
在解密時,您必須提供加密內容,其中包含代表必要金鑰的所有金鑰值對。 AWS Encryption SDK 使用此加密內容和存放在加密訊息標頭中的金鑰值對,來重建您在加密操作中指定的原始加密內容。如果 AWS Encryption SDK 無法重建原始加密內容,則解密操作會失敗。如果您提供的金鑰值對包含具有不正確值的必要金鑰,則無法解密加密的訊息。您必須提供與加密時指定的相同鍵/值對。
重要
仔細考慮您在加密內容中為必要金鑰選擇哪些值。您必須能夠在解密時再次提供相同的金鑰及其對應的值。如果您無法重現所需的金鑰,則無法解密加密的訊息。
下列範例會使用所需的加密內容 CMM 初始化 AWS KMS keyring。
- C# / .NET
-
var encryptionContext = new Dictionary<string, string>() { {"encryption", "context"}, {"is not", "secret"}, {"but adds", "useful metadata"}, {"that can help you", "be confident that"}, {"the data you are handling", "is what you think it is"} }; // Instantiate the AWS Encryption SDK and material providers var esdk = new ESDK(new AwsEncryptionSdkConfig()); var mpl = new MaterialProviders(new MaterialProvidersConfig()); // Instantiate the keyring input object var createKeyringInput = new CreateAwsKmsKeyringInput { KmsClient = new AmazonKeyManagementServiceClient(), KmsKeyId = kmsKey }; // Create the keyring var kmsKeyring = mpl.CreateAwsKmsKeyring(createKeyringInput); var createCMMInput = new CreateRequiredEncryptionContextCMMInput { UnderlyingCMM = mpl.CreateDefaultCryptographicMaterialsManager(new CreateDefaultCryptographicMaterialsManagerInput{Keyring = kmsKeyring}), // If you pass in a keyring but no underlying cmm, it will result in a failure because only cmm is supported. RequiredEncryptionContextKeys = new List<string>(encryptionContext.Keys) }; // Create the required encryption context CMM var requiredEcCMM = mpl.CreateRequiredEncryptionContextCMM(createCMMInput); - Java
-
// Instantiate the AWS Encryption SDK final AwsCrypto crypto = AwsCrypto.builder() .withCommitmentPolicy(CommitmentPolicy.RequireEncryptRequireDecrypt) .build(); // Create your encryption context final Map<String, String> encryptionContext = new HashMap<>(); encryptionContext.put("encryption", "context"); encryptionContext.put("is not", "secret"); encryptionContext.put("but adds", "useful metadata"); encryptionContext.put("that can help you", "be confident that"); encryptionContext.put("the data you are handling", "is what you think it is"); // Create a list of required encryption contexts final List<String> requiredEncryptionContextKeys = Arrays.asList("encryption", "context"); // Create the keyring final MaterialProviders materialProviders = MaterialProviders.builder() .MaterialProvidersConfig(MaterialProvidersConfig.builder().build()) .build(); final CreateAwsKmsKeyringInput keyringInput = CreateAwsKmsKeyringInput.builder() .kmsKeyId(keyArn) .kmsClient(KmsClient.create()) .build(); IKeyring kmsKeyring = materialProviders.CreateAwsKmsKeyring(keyringInput); // Create the required encryption context CMM ICryptographicMaterialsManager cmm = materialProviders.CreateDefaultCryptographicMaterialsManager( CreateDefaultCryptographicMaterialsManagerInput.builder() .keyring(kmsKeyring) .build() ); ICryptographicMaterialsManager requiredCMM = materialProviders.CreateRequiredEncryptionContextCMM( CreateRequiredEncryptionContextCMMInput.builder() .requiredEncryptionContextKeys(requiredEncryptionContextKeys) .underlyingCMM(cmm) .build() ); - Python
-
若要 適用於 Python 的 AWS Encryption SDK 搭配必要的加密內容 CMM 使用 ,您還必須使用材料提供者程式庫 (MPL)。
# Instantiate the AWS Encryption SDK client client = aws_encryption_sdk.EncryptionSDKClient( commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT) # Create your encryption context encryption_context: Dict[str, str] = { "key1": "value1", "key2": "value2", "requiredKey1": "requiredValue1", "requiredKey2": "requiredValue2" } # Create a list of required encryption context keys required_encryption_context_keys: List[str] = ["requiredKey1", "requiredKey2"] # Instantiate the material providers library mpl: AwsCryptographicMaterialProviders = AwsCryptographicMaterialProviders( config=MaterialProvidersConfig() ) # Create the AWS KMS keyring keyring_input: CreateAwsKmsKeyringInput = CreateAwsKmsKeyringInput( kms_key_id=kms_key_id, kms_client=boto3.client('kms', region_name="us-west-2") ) kms_keyring: IKeyring = mpl.create_aws_kms_keyring(keyring_input) # Create the required encryption context CMM underlying_cmm: ICryptographicMaterialsManager = \ mpl.create_default_cryptographic_materials_manager( CreateDefaultCryptographicMaterialsManagerInput( keyring=kms_keyring ) ) required_ec_cmm: ICryptographicMaterialsManager = \ mpl.create_required_encryption_context_cmm( CreateRequiredEncryptionContextCMMInput( required_encryption_context_keys=required_encryption_context_keys, underlying_cmm=underlying_cmm, ) ) - Rust
-
// Instantiate the AWS Encryption SDK client let esdk_config = AwsEncryptionSdkConfig::builder().build()?; let esdk_client = esdk_client::Client::from_conf(esdk_config)?; // Create an AWS KMS client let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await; let kms_client = aws_sdk_kms::Client::new(&sdk_config); // Create your encryption context let encryption_context = HashMap::from([ ("key1".to_string(), "value1".to_string()), ("key2".to_string(), "value2".to_string()), ("requiredKey1".to_string(), "requiredValue1".to_string()), ("requiredKey2".to_string(), "requiredValue2".to_string()), ]); // Create a list of required encryption context keys let required_encryption_context_keys: Vec<String> = vec![ "requiredKey1".to_string(), "requiredKey2".to_string(), ]; // Instantiate the material providers library let mpl_config = MaterialProvidersConfig::builder().build()?; let mpl = mpl_client::Client::from_conf(mpl_config)?; // Create the AWS KMS keyring let kms_keyring = mpl .create_aws_kms_keyring() .kms_key_id(kms_key_id) .kms_client(kms_client) .send() .await?; kms_multi_keyring: IKeyring = mat_prov.create_aws_kms_multi_keyring( input=kms_multi_keyring_input ) // Create the required encryption context CMM let underlying_cmm = mpl .create_default_cryptographic_materials_manager() .keyring(kms_keyring) .send() .await?; let required_ec_cmm = mpl .create_required_encryption_context_cmm() .underlying_cmm(underlying_cmm.clone()) .required_encryption_context_keys(required_encryption_context_keys) .send() .await?; - Go
-
import ( "context" mpl "aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygenerated" mpltypes "aws/aws-cryptographic-material-providers-library/releases/go/mpl/awscryptographymaterialproviderssmithygeneratedtypes" client "github.com/aws/aws-encryption-sdk/awscryptographyencryptionsdksmithygenerated" esdktypes "github.com/aws/aws-encryption-sdk/awscryptographyencryptionsdksmithygeneratedtypes" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/kms" ) // Instantiate the AWS Encryption SDK client encryptionClient, err := client.NewClient(esdktypes.AwsEncryptionSdkConfig{}) if err != nil { panic(err) } // Create an AWS KMS client cfg, err := config.LoadDefaultConfig(context.TODO()) if err != nil { panic(err) } kmsClient := kms.NewFromConfig(cfg, func(o *kms.Options) { o.Region = defaultKmsKeyRegion }) // Create an encryption context encryptionContext := map[string]string{ "encryption": "context", "is not": "secret", "but adds": "useful metadata", "that can help you": "be confident that", "the data you are handling": "is what you think it is", } // Create a list of required encryption context keys requiredEncryptionContextKeys := []string{} requiredEncryptionContextKeys = append(requiredEncryptionContextKeys, "requiredKey1", "requiredKey2") // Instantiate the material providers library matProv, err := mpl.NewClient(mpltypes.MaterialProvidersConfig{}) if err != nil { panic(err) } // Create the AWS KMS keyring awsKmsKeyringInput := mpltypes.CreateAwsKmsKeyringInput{ KmsClient: kmsClient, KmsKeyId: utils.GetDefaultKMSKeyId(), } awsKmsKeyring, err := matProv.CreateAwsKmsKeyring(context.Background(), awsKmsKeyringInput) if err != nil { panic(err) } // Create the required encryption context CMM underlyingCMM, err := matProv.CreateDefaultCryptographicMaterialsManager(context.Background(), mpltypes.CreateDefaultCryptographicMaterialsManagerInput{Keyring: awsKmsKeyring}) if err != nil { panic(err) } requiredEncryptionContextInput := mpltypes.CreateRequiredEncryptionContextCMMInput{ UnderlyingCMM: underlyingCMM, RequiredEncryptionContextKeys: requiredEncryptionContextKeys, } requiredEC, err := matProv.CreateRequiredEncryptionContextCMM(context.Background(), requiredEncryptionContextInput) if err != nil { panic(err) }
設定承諾政策
承諾政策是一種組態設定,可判斷您的應用程式是否使用金鑰承諾來加密和解密。使用金鑰承諾進行加密和解密是AWS Encryption SDK 最佳實務。
設定和調整您的承諾政策是將 1.7.x 版和更早版本遷移 AWS Encryption SDK 至 2.0.x 版和更新版本的關鍵步驟。此進度會在遷移主題中詳細說明。
最新版本 AWS Encryption SDK (從 2.0.x 版開始) 中的預設承諾政策值RequireEncryptRequireDecrypt非常適合大多數情況。不過,如果您需要解密加密的加密文字,而沒有金鑰承諾,您可能需要將承諾政策變更為 RequireEncryptAllowDecrypt。如需如何在每種程式設計語言中設定承諾政策的範例,請參閱設定您的承諾政策。
使用串流資料
當您串流資料進行解密時,請注意,在完整性檢查完成後但在驗證數位簽章之前, 會 AWS Encryption SDK 傳回解密的純文字。若要確保在驗證簽章之前不會傳回或使用純文字,建議您緩衝串流純文字,直到整個解密程序完成為止。
只有在您串流加密文字進行解密,而且只有在您使用演算法套件時,例如包含數位簽章的預設演算法套件時,才會發生此問題。
為了簡化緩衝,某些 AWS Encryption SDK 語言實作,例如在 Node.js 適用於 JavaScript 的 AWS Encryption SDK 中,在解密方法中包含緩衝功能。 AWS 加密 CLI 一律串流輸入和輸出,在 1.9.x 版和 2.2.x 版中引入--buffer參數。在其他語言實作中,您可以使用現有的緩衝功能。(適用於 .NET AWS Encryption SDK 的 不支援串流。)
如果您使用的是沒有數位簽章的演算法套件,請務必在每個語言實作中使用 decrypt-unsigned功能。此功能會解密加密文字,但如果遇到簽署的加密文字就會失敗。如需詳細資訊,請參閱 選擇演算法套件。
快取資料金鑰
一般而言,不鼓勵重複使用資料金鑰,但 AWS Encryption SDK 提供資料金鑰快取選項,可提供有限的資料金鑰重複使用。資料金鑰快取可以改善某些應用程式的效能,並減少對金鑰基礎設施的呼叫。在生產環境中使用資料金鑰快取之前,請調整安全閾值,並測試 ,以確保優點大於重複使用資料金鑰的缺點。
