AWS KMS --encryption-context understanding

Owned by Karl Henselin
Feb 19, 2024
4 min read

Detail About Encryption Context

Encryption context an optional set of non-secret key–value pairs that can contain additional contextual information while encrypting the data. The same encryption context is required to decrypt the data as well. If the encryption context provided in the decryption request is not an exact, case-sensitive match, the decrypt request fails.

We can Specify the encryption context that will be used to encrypt the data. An encryption context is valid only for cryptographic operations with a symmetric encryption KMS key. The standard asymmetric encryption algorithms and HMAC algorithms that KMS uses do not support an encryption context. By default, we will use the Lambda function name in the encryption context. Lambda uses encryption context to decrypt the variables, so it needs to be used when encrypting the values. First, we will convert the value in base64 then we will use the converted value and apply the encrypt command.

Note: AWS Lambda is a service that is integrated with AWS KMS, These services do not support encryption with asymmetric KMS keys. Please follow the link for more detail : https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

aws kms encrypt --key-id arn:aws:kms:us-east-1:*********399:key/749cf958-a304-404a-8a40-b588a316c4d0 --plaintext amRiYzpzcWxzZXJ2ZXI6Ly9sb2NhbGhvc3Q7ZGF0YWJhc2VOYW1lPURiTmFtZTt1c2VyPU15VXNlck5hbWU7cGFzc3dvcmQ9KioqKio7 --encryption-context LambdaFunctionName=basic-lambda { "CiphertextBlob": "AQICAHjeJdzKgoHHc7qzSTWuO/WL395m9/Z10qBGg8vz3cD8UQEn3j29CcrhrpzUrVITyK7KAAAAsDCBrQYJKoZIhvcNAQcGoIGfMIGcAgEAMIGWBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDBz7JpWVuAsCRGYiNAIBEIBpmv41ldrFsC7ebYKmATSBclAXQajtH2nqQfErlTOT3rMFA5EfntUOCieXIMlyg5nWn3D+Qsu6f5Yn808H4PBLQsr7iVkiD77DU9bG5OFLusEE9cY+Xe2s5mgozWP1OKB7uR3KhaDNeHTz", "KeyId": "arn:aws:kms:us-east-1:*********399:key/749cf958-a304-404a-8a40-b588a316c4d0", "EncryptionAlgorithm": "SYMMETRIC_DEFAULT" }

Some Tested Scenarios with example

Encrypt without using the encryption context and decrypt inside Lambda function

  • Encrypting using the CLI command.

aws kms encrypt --key-id arn:aws:kms:us-east-1:*********399:key/749cf958-a304-404a-8a40-b588a316c4d0 --plaintext amRiYzpzcWxzZXJ2ZXI6Ly9sb2NhbGhvc3Q7ZGF0YWJhc2VOYW1lPURiTmFtZTt1c2VyPU15VXNlck5hbWU7cGFzc3dvcmQ9KioqKio7 { "CiphertextBlob": "AQICAHjeJdzKgoHHc7qzSTWuO/WL395m9/Z10qBGg8vz3cD8UQEejxRcYU4RiA+gJibF7OvgAAAAsDCBrQYJKoZIhvcNAQcGoIGfMIGcAgEAMIGWBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDCwPpAEdt8V7M9MzkwIBEIBpCn3SeoiIwlRRvc3QOFUEgmYQGVHyEpS19I7U/Ih0V1G/MKVMqcnUUcNI3tSGwjpMUGqcvFaUAg4F5aOm3V3UHJ6T5JfobDARzzYaxLlLfPQdHPgvSc2hUcu8qyVlUAeAtiH0tOSY7C2h", "KeyId": "arn:aws:kms:us-east-1:*********399:key/749cf958-a304-404a-8a40-b588a316c4d0", "EncryptionAlgorithm": "SYMMETRIC_DEFAULT" }

  • Next we updated the CiphertextBlob data in Lambda environment variable.

  • Trying to decrypt the variable and converting it into plain text. We used the sample Lambda decryption code provided by AWS.

  • The decryption failed because while encrypting we didn’t use --encryption-context, to encrypt the environment variable. However as per above highlighted section in code, it validates the EncryptionContext.

Encrypt using the encryption context (using Function Name) and decrypt inside Lambda function

  • Encrypting using the CLI command.

aws kms encrypt --key-id arn:aws:kms:us-east-1:*********399:key/749cf958-a304-404a-8a40-b588a316c4d0 --plaintext amRiYzpzcWxzZXJ2ZXI6Ly9sb2NhbGhvc3Q7ZGF0YWJhc2VOYW1lPURiTmFtZTt1c2VyPU15VXNlck5hbWU7cGFzc3dvcmQ9KioqKio7 --encryption-context LambdaFunctionName=basic-lambda { "CiphertextBlob": "AQICAHjeJdzKgoHHc7qzSTWuO/WL395m9/Z10qBGg8vz3cD8UQF7qcML94BCYhZJsKA+8ehDAAAAsDCBrQYJKoZIhvcNAQcGoIGfMIGcAgEAMIGWBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDGvBZdE5WDoEVnn1VAIBEIBpc6BolF9igsVQINk2I3qbC7e+cHsUYUx6ZOBqeXLcoGPDuHWGUjc4XH5kILDRoPgD2Vnrh3ebKKdmlxY2oMiRjPufzdEg0S8SYwyVtxqhPxz85bTDVGb56JuSqSckvNBd+8R9OSGodpez", "KeyId": "arn:aws:kms:us-east-1:*********399:key/749cf958-a304-404a-8a40-b588a316c4d0", "EncryptionAlgorithm": "SYMMETRIC_DEFAULT" }

  • Next we updated the CiphertextBlob data in Lambda environment variable.

  • Trying to decrypt the variable and converting it into plain text.

  • Decryption successfully completed because this time while encrypting we used --encryption-context.

Adding another Context variable key1=value1 while encrypting however not updating the Encryption Context validation inside Lambda function

  • Encrypting using the CLI command.

  • Next we updated the CiphertextBlob data in Lambda environment variable.

  • Trying to decrypt the variable, without updating the Encryption context detail in code and converting it into plain text.

  • The decryption failed because we have not updated the Encryption Context in our code.

  • Updated the Encryption Context, we added the extra key element.

  • Decryption successfully completed because this time updated the Encryption Context.

Execution role policy

  • To grant our function permission to call the Decrypt operation, we need to add the following policy to the Lambda function execution role. This is the same policy sample provided in AWS Lambda.

  • Let’s try to understand bit more. We have a Condition option in the policy in which we are using the StringEquals function to validate the encryption context. Here in the policy we are validating if the LambdaFunctionName (encryption context) equals to basic-lambda. Basically this is how the Lambda infra will understand which KeyID to use for decrypting based on mentioned condition.

  • We add validation on both encryption context variables which we have configured in previous use case. This worked perfectly fine.

  • Next added one more entry in policy condition. Using this policy

  • Using the above policy decryption will fail because the StringEquals condition is not satisfied.

The following macros are not currently supported in the footer:
  • style