1
votes

I am new to AWS, and I was hoping someone can clarify something for me regarding encryption.

I was reading the AWS document on Amazon EBS encryption, and in the document, under the section "How EBS encryption works" I noticed one of the steps is "Amazon EBS sends a GenerateDataKeyWithoutPlaintext request to AWS KMS, specifying the CMK to use to encrypt the volume"

Isn't the CMK supposed to encrypt the data key that is then used to encrypt the volume? This is due to the fact that the CMK cannot encrypt data that is more than 4KB in size.

The way that I understand it is that, the CMK (sitting in KMS) will encrypt the data key which does not have the size limit CMK has, and the data key would then be encrypting the volume of the EC2 instance and sitting on the same encrypted volume because the data key itself is also encrypted.

Did I not understand that step correctly?

Link to the document: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html?icmpid=docs_ec2_console


1 Answer

1
votes

Yes, you are correct that the data key will be used to encrypt the volume [and the CMK itself will not be used directly]. I believe the statement you quoted:

Amazon EBS sends a GenerateDataKeyWithoutPlaintext request to AWS KMS, specifying the CMK that you chose for volume encryption.

can be interpreted as: EBS calls the GenerateDataKeyWithoutPlaintext API, and to get a data key from KMS, EBS needs to specify the CMK. The KeyId is a required parameter for the GenerateDataKeyWithoutPlaintext API. I believe the next step (stated below) in the document does state it and clears the confusion.

AWS KMS generates a new data key, encrypts it under the CMK that you chose for volume encryption, and sends the encrypted data key to Amazon EBS to be stored with the volume metadata.

This AWS Forum post is pretty interesting if you want to know why GenerateDataKeyWithoutPlaintext is called instead of GenerateDataKey.
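Added example, not code from the question, the answer or AWS: a mock KMS models the envelope flow the answer describes, where the CMK only ever wraps and unwraps the small data key and refuses anything over the 4 KiB direct-encryption limit the question mentions, while the volume data is encrypted under the data key. Names such as MockKMS, CreateVolume and ReadVolume are assumptions of this example, and AES-256-GCM with 32-byte keys stands in for whatever KMS and EBS use internally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type MockKMS struct{ CMK []byte } // stands in for AWS KMS; only the methods below ever read the CMK
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte { // AES-256-GCM with the nonce prepended; every key is 32 bytes
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) { // fails on a wrong key or tampered data
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Encrypt is the direct CMK operation; its 4 KiB cap is why a volume is never encrypted with it.
func (k *MockKMS) Encrypt(pt []byte) ([]byte, error) {
	if len(pt) > 4096 {
		return nil, errors.New("KMS Encrypt: plaintext exceeds 4096 bytes")
	}
	return seal(k.CMK, pt), nil
}
func (k *MockKMS) Decrypt(blob []byte) ([]byte, error) { return open(k.CMK, blob) } // unwrap inside KMS
func (k *MockKMS) GenerateDataKeyWithoutPlaintext() []byte { // KMS hands back only the wrapped key
	dk := make([]byte, 32)
	rand.Read(dk)
	return seal(k.CMK, dk) // 256-bit data key wrapped under the CMK, far below the 4 KiB cap
}
// CreateVolume is the EBS write path: the wrapped key is stored in the volume metadata, the plaintext key only in memory.
func CreateVolume(kms *MockKMS, data []byte) (ciphertext, wrappedKey []byte) {
	wrappedKey = kms.GenerateDataKeyWithoutPlaintext()
	dk, _ := kms.Decrypt(wrappedKey) // cannot fail: it was just wrapped under this CMK
	return seal(dk, data), wrappedKey
}
func ReadVolume(kms *MockKMS, ciphertext, wrappedKey []byte) ([]byte, error) { // the attach path
	dk, err := kms.Decrypt(wrappedKey) // KMS unwraps the data key under the CMK
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext)
}
```

Because the plaintext data key is never stored, a volume and its wrapped key are useless to anyone who cannot call Decrypt on that CMK, which is where KMS key policies do their work.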