How to encrypt and decrypt using AWS KMS key in python with boto3


Python | Encrypt and Decrypt using AWS KMS key in python with boto3

This example shows how to encrypt and decrypt a short text with an AWS KMS key. We will use the KMS client's encrypt() and decrypt() calls: the plaintext is sent to KMS, which returns a ciphertext, and the ciphertext is sent back to KMS, which returns the plaintext. The key material itself never leaves KMS.

These are the imports and settings that the rest of the snippets rely on. base64 is needed later to turn the binary ciphertext into text. The access keys are written inline only to keep the example short; in practice do not hardcode credentials in source code, leave them out of the client call and let boto3 pick them up from the environment, the shared credentials file, or an instance/task role.

import base64
import boto3

# ID (or ARN/alias) of the symmetric KMS key to use
KEY_ID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
# Placeholders; prefer the default credential chain over hardcoded keys
AWS_ACCESS_KEY_ID = 'some-access-key-id'
AWS_SECRET_ACCESS_KEY = 'some-aws-secret-access-key'
REGION_NAME = 'eu-west-1'

Now create the KMS client (a botocore.client.KMS object):

kms_client = boto3.client(
    'kms',
    aws_access_key_id=AWS_ACCESS_KEY_ID,
    aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
    region_name=REGION_NAME
)

Let's check kms_client:

print(kms_client)
#Output: <botocore.client.KMS object at 0x000001A673B08438>

print(type(kms_client))
#Output: <class 'botocore.client.KMS'>

Encryption

Now encrypt a short text with encrypt(). It returns a dictionary; the ciphertext is in CiphertextBlob as raw bytes. Plaintext accepts either a str (boto3 encodes it as UTF-8) or bytes. KMS Encrypt is intended for small secrets such as passwords or data keys: a symmetric key accepts at most 4096 bytes of plaintext per call. For larger data, generate a data key with KMS and encrypt the data locally (envelope encryption).

data = kms_client.encrypt(
    KeyId=KEY_ID,
    Plaintext='hello!',                     # str or bytes, at most 4096 bytes
    EncryptionAlgorithm='SYMMETRIC_DEFAULT' # the default for symmetric keys
)

Let's check the data:

print(data)

'''
Output :

{
    'CiphertextBlob': b'\x01\x02\x02\x00x\xce?&4\x96t\x05J\xc8\x1a_\x000M\x06\t*\x86H\x86\xf7\xd5B\xdd\x198\xa7\x8e\x12-\xab\xae\xef\xd6jFI\x01_)IU\xd1\xe8zs\xce\xfa\x00\x91\x95\x00`\x07=\x00\x00c0a\x06\t*\x86H\x86\xf7\r\x01\x07\x06\xa0T0R\x02\x01\r\x01\x07\x010\x1eee\x06\t`\x86H\x01e\x03\x04\x01.0\x11\x04\x0cbI#\xa6\x9a&\xd6x\xf7\x16u\xa6\x02\x01\x10\x80\x000M\x06\t*\x86H\x86\xf7 \x97\x10e\x05\x05\x1d\xba\x96\xf6\x9f\x8e\x8b\xedU\r&2u\xaf%!\x000M\x06\t*\x86H\x86\xf7xfb\xbf\xa1',
    'KeyId': 'arn:aws:kms:eu-west-1:444444444444:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
    'EncryptionAlgorithm': 'SYMMETRIC_DEFAULT',
    'ResponseMetadata': {
        'RequestId': '22b6022a-3cca-4444-a333-0a621b99fa39',
        'HTTPStatusCode': 200,
        'HTTPHeaders': {
            'x-amzn-requestid': '22b6022a-3cca-4444-a333-0a621b99fa39',
            'cache-control': 'no-cache, no-store, must-revalidate, private',
            'expires': '0',
            'pragma': 'no-cache',
            'date': 'Tue, 13 Apr 2020 08:11:41 GMT',
            'content-type': 'application/x-amz-json-1.1',
            'content-length': '361'
        },
        'RetryAttempts': 0}
}
'''

CiphertextBlob is raw binary, so base64-encode it before storing it in a text field or sending it over a text channel:

encoded_data = base64.b64encode(data['CiphertextBlob'])
print(encoded_data)
# Output
#b'AQICAHjImd0bXTPOPyY0lnQFShpf1kgBZQMEAS4wEQQMVe6DULdGTinjhItq67v1mpGSQEptPmGwQ60v0i03Us/NGc4AAAAYzBhBgkqhkiG9w0BBwag6z26cZ0HNnAxKWBVDBSAgEAME0GCSqGSIb3DQEHATAeBglgh9yqP4or8B2I4AgEQgCCKgZAgnYVqV9XqfTSAl/2BWWGHU+w=='

Decryption

Now decrypt the encrypted data with decrypt(). It takes the CiphertextBlob and returns the plaintext. Because we base64-encoded the blob, decode it first. Note that no KeyId is passed: for a symmetric KMS key the ciphertext blob itself records which key was used, and the call succeeds only if the caller has kms:Decrypt permission on that key.

decrypted_data = kms_client.decrypt(CiphertextBlob=base64.b64decode(encoded_data))

Let's check decrypted_data:

print(decrypted_data)

'''
Output :
{
    'KeyId': 'arn:aws:kms:eu-west-1:444444444444:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
    'Plaintext': b'hello!',
    'EncryptionAlgorithm': 'SYMMETRIC_DEFAULT',
    'ResponseMetadata': {
        'RequestId': '11f000da-44e9-999b-8a80-289dc4a88888',
        'HTTPStatusCode': 200,
        'HTTPHeaders': {
            'x-amzn-requestid': '11f000da-44e9-999b-8a80-289dc4a88888',
            'cache-control': 'no-cache, no-store, must-revalidate, private',
            'expires': '0',
            'pragma': 'no-cache',
            'date': 'Tue, 13 Apr 2020 08:30:45 GMT',
            'content-type': 'application/x-amz-json-1.1',
            'content-length': '152'
        },
        'RetryAttempts': 0
    }
}
'''

Get the plaintext only. It comes back as bytes, so call .decode('utf-8') on it if you need a str:

print(decrypted_data['Plaintext'])

# Output: b'hello!'
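The encrypt, base64 and decrypt steps above are usually wrapped into two small functions, and two details the walkthrough does not show matter in practice: the 4096-byte limit of KMS Encrypt, and EncryptionContext, a set of key/value pairs that KMS binds to the ciphertext as authenticated data and that must be supplied again, unchanged, on decrypt. The following is an added example, not code from the original post. The wrapper functions call the real boto3 KMS client interface (encrypt/decrypt with KeyId, Plaintext, CiphertextBlob and EncryptionContext). So that the file runs offline, FakeKmsClient is a constructed stand-in that only mimics the call/response shape and the context-matching rule; it performs no encryption, and InvalidCiphertextError stands in for the botocore ClientError with code InvalidCiphertextException. The key ID and account number are the page's own placeholders.

```python
import base64
import os

# KMS Encrypt accepts at most 4096 bytes of plaintext under a symmetric key;
# anything larger must use envelope encryption (GenerateDataKey + local cipher).
KMS_MAX_PLAINTEXT_BYTES = 4096


class InvalidCiphertextError(Exception):
    """Stand-in for the botocore ClientError whose Error.Code is
    'InvalidCiphertextException', returned by KMS when the blob is corrupt
    or the EncryptionContext differs from the one used at encrypt time."""


def kms_encrypt_b64(kms_client, key_id, plaintext, encryption_context=None):
    """Encrypt str/bytes with KMS and return the CiphertextBlob as base64 text.

    base64 makes the opaque binary blob safe for JSON, env vars or a text
    column; it is decoded again in kms_decrypt_b64 before calling decrypt().
    """
    data = plaintext.encode("utf-8") if isinstance(plaintext, str) else bytes(plaintext)
    if len(data) > KMS_MAX_PLAINTEXT_BYTES:
        raise ValueError(
            f"plaintext is {len(data)} bytes; KMS Encrypt takes at most "
            f"{KMS_MAX_PLAINTEXT_BYTES}. Use envelope encryption instead."
        )
    params = {"KeyId": key_id, "Plaintext": data, "EncryptionAlgorithm": "SYMMETRIC_DEFAULT"}
    if encryption_context:
        # Authenticated data bound to the ciphertext; must be repeated on decrypt.
        params["EncryptionContext"] = encryption_context
    resp = kms_client.encrypt(**params)
    return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")


def kms_decrypt_b64(kms_client, ciphertext_b64, encryption_context=None):
    """Decrypt a base64 string from kms_encrypt_b64 and return plaintext bytes.

    No KeyId is passed: for symmetric keys the blob carries the key identity,
    which is why the tutorial's decrypt() call omits it as well.
    """
    params = {"CiphertextBlob": base64.b64decode(ciphertext_b64)}
    if encryption_context:
        params["EncryptionContext"] = encryption_context
    resp = kms_client.decrypt(**params)
    return resp["Plaintext"]


class FakeKmsClient:
    """CONSTRUCTED stand-in for boto3.client('kms') so this file runs offline.

    It reproduces the call/response shape and the context-binding rule of the
    real API but does NOT encrypt anything (plaintexts sit in a dict). Use it
    only to exercise the wrappers; in production pass boto3.client('kms', ...).
    """

    def __init__(self, key_arn):
        self.key_arn = key_arn
        self._blobs = {}  # opaque handle -> (plaintext bytes, encryption context)

    def encrypt(self, KeyId, Plaintext, EncryptionAlgorithm="SYMMETRIC_DEFAULT",
                EncryptionContext=None):
        handle = os.urandom(32)  # opaque bytes standing in for a CiphertextBlob
        self._blobs[handle] = (bytes(Plaintext), dict(EncryptionContext or {}))
        return {"CiphertextBlob": handle, "KeyId": self.key_arn,
                "EncryptionAlgorithm": EncryptionAlgorithm}

    def decrypt(self, CiphertextBlob, EncryptionContext=None, KeyId=None):
        entry = self._blobs.get(bytes(CiphertextBlob))
        if entry is None or entry[1] != dict(EncryptionContext or {}):
            raise InvalidCiphertextError("InvalidCiphertextException")
        return {"KeyId": self.key_arn, "Plaintext": entry[0],
                "EncryptionAlgorithm": "SYMMETRIC_DEFAULT"}


def demo(kms_client=None):
    """Round-trip 'hello!' under an encryption context, then show two failure
    modes. Returns a dict so the outcomes can be checked programmatically."""
    key_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # placeholder, as on the page
    if kms_client is None:
        kms_client = FakeKmsClient(f"arn:aws:kms:eu-west-1:444444444444:key/{key_id}")
    ctx = {"app": "kms-tutorial", "field": "greeting"}  # constructed sample context

    token = kms_encrypt_b64(kms_client, key_id, "hello!", ctx)
    plaintext = kms_decrypt_b64(kms_client, token, ctx)

    try:  # wrong context: KMS refuses instead of returning garbage
        kms_decrypt_b64(kms_client, token, {"app": "other"})
        wrong_context_rejected = False
    except InvalidCiphertextError:
        wrong_context_rejected = True

    try:  # oversize payload: caught locally before a doomed API call
        kms_encrypt_b64(kms_client, key_id, b"A" * (KMS_MAX_PLAINTEXT_BYTES + 1), ctx)
        oversize_rejected = False
    except ValueError:
        oversize_rejected = True

    return {"token": token, "plaintext": plaintext,
            "wrong_context_rejected": wrong_context_rejected,
            "oversize_rejected": oversize_rejected}


if __name__ == "__main__":
    print(demo())
```

To run it against real KMS, call demo(boto3.client('kms', region_name='eu-west-1')) with a key you hold kms:Encrypt and kms:Decrypt on, and catch botocore.exceptions.ClientError instead of InvalidCiphertextError. Use EncryptionContext to tie a ciphertext to what it protects (a record ID, a tenant, a field name) so that a blob lifted from one place cannot be decrypted in another; the context is logged in CloudTrail in clear text, so never put secrets in it.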