2
votes

I am trying to encrypt a large XML payload using the AWS KMS Encryption SDK. I came across this link, which states that there is a limit on the number of bytes of data that can be encrypted:

You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such as an RSA key, a database password, or other sensitive information.

Does KMS not support encryption of data that is more than 4 KB? Is there a workaround to handle data of size more than 4 KB?

1
I'm not familiar with the API, but it sounds like it is basically for encrypting keys or key-like entities like passwords, etc. Just a few lines down it says "Also, you don't need to use this operation to encrypt data in your application. You can use the plaintext and encrypted data keys that the GenerateDataKey operation returns". – President James K. Polk

Thanks @JamesKPolk. I already have the keys created and have the key ARNs with me. Can't I use them to encrypt a large XML payload? – Punter Vicky

You would use KMS to manage (get) your encryption key. Then you write your own encryption routines that use the key. AES encryption examples are everywhere. AWS also has the Encryption SDK: docs.aws.amazon.com/encryption-sdk/latest/developer-guide/… – John Hanley

Thanks @JohnHanley. If I use the AWS Encryption SDK, will I be limited by the 4 KB limit, or will I be able to encrypt data of any size? – Punter Vicky

Any size. Note: encryption is very easy to get wrong (e.g. becomes easier to break). Spend some time understanding how to do encryption correctly OR use a published library to do it for you. – John Hanley

1 Answer

10
votes

You are using the CMK to encrypt/decrypt your data, which is not what you should be using it for. The CMK is limited to encrypting up to 4 KB of data because it is meant to create and encrypt/decrypt the data key. Once you've created this data key, you then use it to encrypt your data without the use of AWS KMS. You could use OpenSSL with the data key, and this process is not dependent on KMS.

Keep in mind that you have to handle the data key very carefully, and best practice is: once you've used it to encrypt data, you must encrypt that data key using KMS, then store that encrypted key (as metadata) along with the encrypted data. The process of decrypting the data will start with you using KMS to decrypt the data key, then using OpenSSL, for example, with the decrypted data key as the key to decrypt your data (XML payload).