I am generating a data encryption key implicitly as follows (key IDs used are just representational):

from aws_encryption_sdk import KMSMasterKeyProvider, encrypt
from aws_encryption_sdk.identifiers import Algorithm

# Key provider with only 2 region master keys to begin with
kms_key_provider = KMSMasterKeyProvider(key_ids=["west-1", "west-2"])

# encrypt something random only to get the encrypted data keys in the header from those 2 regions
my_ciphertext, encryptor_header = encrypt(
    source=b"somerandomplaintextofnorelevance",
    key_provider=kms_key_provider,
    # explicit algorithm suite from the SDK's Algorithm enum
    algorithm=Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384,
    encryption_context={"somekey": "some value"},
)

# one EncryptedDataKey per master key; .encrypted_data_key is the KMS-wrapped DEK ciphertext
my_data_keys = []
for dek in encryptor_header.encrypted_data_keys:
    my_data_keys.append(dek.encrypted_data_key)

I get two encrypted Data Encryption Key (DEK) strings in my_data_keys (say, DEK_enc_west_1 and DEK_enc_west_2), both of which would decrypt to a single plain data encryption key, say, DEK_Plain. Now I can encrypt/decrypt for DEK_Plain in either of the regions for redundancy.

Then, I go on and activate two more master keys in regions east-1 and east-2. Now I want that same DEK_Plain to also be encrypted under those two new regions' (east-1 & east-2) master keys to get two new encrypted data keys (say, DEK_enc_east_1 and DEK_enc_east_2).

So, with the new fully formed Key Provider like:

kms_key_provider = KMSMasterKeyProvider(key_ids=["west-1", "west-2", "east-1", "east-2"])

I can get my DEK_Plain from any of these 4 regions using:

my_plain_data_key = kms_key_provider.decrypt_data_key_from_list(…..)

Basically, how can I add additional region master keys to be leveraged for the same data encryption key that was generated and encrypted earlier using some other regions' master keys which existed before?

1 Answer

Looking around in the AWS crypto doc, I find something like the following sample helping my case (though it would have been ideal if the KMS key provider implementation had such a region-extender capability for the data keys :) ). In the following, assume plain_dek is assigned the DEK_Plain from the question above.

from aws_encryption_sdk.identifiers import Algorithm
from aws_encryption_sdk.structures import MasterKeyInfo, RawDataKey

new_region_key_id_1 = "arn:aws:kms:us-east-1:XXXXXXXXXX:alias/xyz/master"
# adds the new region's key to the provider (if not already present) and returns its MasterKey
new_region_master_key_1 = kms_key_provider.master_key_for_encrypt(new_region_key_id_1)
key_provider_info = {"provider_id": "aws-kms", "key_info": new_region_key_id_1}
key_provider_info_obj = MasterKeyInfo(**key_provider_info)
# the already-known plaintext DEK, in the structure encrypt_data_key expects
plain_dk_raw = RawDataKey(key_provider_info_obj, plain_dek)
encryption_context = {"somekey": "some value"}
# returns an EncryptedDataKey; its .encrypted_data_key is DEK_enc_east_1
new_encrypted_dek_from_region_new_master_key_1 = new_region_master_key_1.encrypt_data_key(
    plain_dk_raw,
    Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384,
    encryption_context,
)

This can be repeated in a loop for any number of new KMS regions, thereby extending an existing data key to be decryptable in more AWS regions where new master keys were, say, recently added.
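A self-contained model of that extension step, added here as an example (it is not the Encryption SDK's or KMS's code): region master keys are constructed 32-byte secrets, an HMAC-based wrap stands in for KMS Encrypt/Decrypt, and the function names mirror the question's flow so the round trip through a newly added region, and the encryption-context check, can be verified offline.

```python
import hashlib, hmac, os

# Constructed stand-in for KMS: region name -> master key bytes (real KMS never exposes these).
MASTER_KEYS = {"west-1": os.urandom(32), "west-2": os.urandom(32)}

def add_region_master_key(region):
    """Model of activating a master key in a new region."""
    MASTER_KEYS[region] = os.urandom(32)

def wrap(master, dek, encryption_context):
    """Wrap a 32-byte DEK: PRF keystream XOR, then an HMAC tag binding nonce, body and context."""
    nonce = os.urandom(16)
    stream = hmac.new(master, b"wrap" + nonce, hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(dek, stream))
    ctx = repr(sorted(encryption_context.items())).encode()  # context is bound, as KMS does
    tag = hmac.new(master, nonce + body + ctx, hashlib.sha256).digest()
    return nonce + body + tag

def unwrap(master, edk, encryption_context):
    """Inverse of wrap; fails closed on a wrong master key or a mismatched context."""
    nonce, body, tag = edk[:16], edk[16:48], edk[48:]
    ctx = repr(sorted(encryption_context.items())).encode()
    expected = hmac.new(master, nonce + body + ctx, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master key or encryption context")
    stream = hmac.new(master, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream))

def generate_data_key(regions, encryption_context):
    """DEK_Plain plus one EDK per initial region, like the header of the first encrypt()."""
    dek = os.urandom(32)
    return dek, {r: wrap(MASTER_KEYS[r], dek, encryption_context) for r in regions}

def extend_data_key(dek, edks, new_regions, encryption_context):
    """The answer's loop: wrap the existing DEK_Plain under each newly added region key."""
    for r in new_regions:
        edks[r] = wrap(MASTER_KEYS[r], dek, encryption_context)
    return edks

def decrypt_data_key_from_list(edks, available_regions, encryption_context):
    """Return DEK_Plain from the first EDK whose master key is reachable and unwraps."""
    for r, edk in edks.items():
        if r in available_regions:
            try:
                return unwrap(MASTER_KEYS[r], edk, encryption_context)
            except ValueError:
                continue  # like the SDK provider: try the next EDK, fail only when all fail
    raise LookupError("no EDK could be decrypted with the available master keys")
```

After extending, decrypting with only an east-region key available must return the same DEK_Plain, and a changed encryption context must fail for every EDK; both are worth asserting before relying on the new copies.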