[00:00:00] So let's have a look at the KMS service. And first, on the left side, I will look at the AWS managed keys. You can see, if I've been using KMS encryption throughout this course, then these keys will appear right here. So we can look, for example, at the AWS EBS key. And this is an AWS managed key because it belongs to the EBS service. So we can have a look here at how it's being used. So there is a key policy, and this policy defines what can access this key. And of course, because this is an EBS AWS key, then you will look at all the actions. So it can come from anywhere, do some kind of actions, but the condition is that the caller account has to be mine, and the via service has to be the EC2 service, which is a service above the EBS service. Okay? If I looked, for example, at another AWS managed key, for example the SQS one, and look at the key policy here, the via service as a condition to my KMS key policy is the SQS service.
[00:01:03] Therefore allowing only access to KMS from SQS to this key. We can also look at the cryptographic configuration, which shows that this key is symmetric, of origin KMS, and it's used to encrypt and decrypt data. Okay. So that's for the KMS key managed by AWS, but then we have other options. We have the customer managed keys as well as the custom key store. So the custom key store is when we want to use CloudHSM, but this is out of scope for this exam, so we don't go over this. We're just going to go over the customer managed key. So this is when we want to create our own keys within KMS and not use the ones managed by AWS. So let's create a key, but if we do so, remember this is going to cost you $1 per month. So if you don't want to pay anything, then do not do this. So here for the key type, we have multiple options: we have the symmetric or asymmetric type of key. So if I use asymmetric, this could be used for encrypt and decrypt or sign and verify type of operations, but this is out of scope for this lecture. I am going to use the symmetric type of KMS key and we'll use the encrypt and decrypt option.
[00:02:10] Okay, this is the most basic one. I want to show you the advanced options. The key origin is going to be KMS because we want KMS to create this key for us. If we wanted to import a key, this would be the external type of key origin, or custom key store if you wanted to have CloudHSM. But again, this is out of scope. So we'll use KMS, and here for regionality we have single-region key and multi-region key, and we're just going to consider single-region key right now, because this is the oldest type of option and the most common for KMS. So we'll use single-region key, click on next. Next we have a key alias, so I'll just have it as tutorial, click on next. And here we can start to define key administrators. So if I don't define one, then we're going to use the default KMS key policy, which is what I want. But if you wanted to be very specific about who can use this key and who could administer it, this is where it would happen. So right now I'm not going to tick anything and click on next. Then you can say who can use this key.
[00:03:12] So again, this is for your KMS key policy to be more specific. Right now, I want to allow everyone to use it if they have the right IAM permissions. But if you wanted to also have some extra security, you could say, hey, only Stephan can use this key, and this would create a custom KMS key policy. But in this instance, I don't want this. And as you can see at the bottom, I can choose other AWS accounts to access my key. So this is if you had, for example, the use case of sharing an encrypted snapshot, an EBS snapshot for example; you would add another account to allow access to your key. So we summarize everything. So we have a symmetric key, and then this is the key policy, and this is what I call the default key policy. This is just to enable IAM user permissions. So it allows anyone to do anything on any KMS resource, as long as they have, of course, the IAM permissions to do so. So let's finish this. And now my key has been created and we can click on view key. So now that my key is created, I can have a look at the key policy. And so the key policy is just like this.
[00:04:20] It's an IAM policy for your key, but you can switch to the default view and you can see, in a better summary, who are the key administrators, is key deletion allowed, who are the key users, and can other accounts access it. So I won't touch this. Then you can have a look at the cryptographic configuration; I won't touch this, tags not needed. Key rotation is very important. So if we do want to enable key rotation, we have to tick this box, and this would rotate this KMS key every year. Okay, you cannot configure it to be more or less; it has to happen every year. And it's only possible because I did create this key from within KMS. And finally, what is the alias for my key? It is named tutorial. So I can refer to it with an alias, which can be a little bit simpler for us. Finally, for key actions, you can disable it or schedule key deletion. So we have our key. It's great, but now let's go use the CLI to encrypt and decrypt some data.
[00:05:19] So under KMS, I have KMS demo CLI dot SH, which is going to show us how to use the encrypt and decrypt of KMS with an example. So first we are going to create a file and I'm going to call it example secret file dot txt. And in it, I'm going to say there is a super secret password, okay? So this is whatever you want in this text file; for me, I just entered a password called "super secret password", and we're going to encrypt it and then decrypt it using KMS. So the first thing that you do for KMS encryption is use the encrypt command. So we have to specify a key ID; for me it's alias/tutorial. So this corresponds to the key I have created in my console. And you could use the alias, you could use this key ID right here, or you could use the full ARN. It doesn't really matter, just use whatever you want. And then you need to pass in plaintext the address of your file. So for me it's example secret file dot txt. Then the output of the query: so you're querying for a ciphertext blob, which represents the encrypted contents.
[00:06:24] And you want the output as text, and finally the region your key is in. So for me, my nearest region is eu-west-2. This is going to give us a base64 file containing the encrypted content. So let's copy this command right here and paste it, run it. And now I have a file called example secret file encrypted dot base64, and this represents my encrypted file. Okay? In base64, so just with letters and numbers that we can recognize. Now, though, we're going to do a base64 decode to get the binary encrypted value. So if you're on Windows, the command is different. So for Linux, I'm just going to run this one, but for Windows you can run the other one. And so the idea is that you're going to create a file called example secret file encrypted, without the base64. So let me copy this and paste it. And now I have a new file called example secret file encrypted. And if I try to open it with my text editor, it's not going to work because it uses either binary or unsupported text encoding. So this is indeed a binary file.
[00:07:27] So this is the kind of secret file that you would share with someone. And so now I want to go and decrypt it. So this is completely gibberish and we cannot get any information out of it. Even this one, we cannot get any information; how do we know it's "super secret password"? So this is an encrypted file, but now we want to take this encrypted binary file and decrypt it. So for this, we're going to run a KMS decrypt command. So this time we pass in the blob, the file that was encrypted. So this is where we're passing the file in here. Then we query for the plaintext value, so the decrypted value, and we write this to another file that is going to be base64 encoded, and we specify the region. So let's go ahead. KMS knows automatically which key to use for the decryption because it is included in the blob of encrypted value. So let me enter this. And so this has succeeded. So now if I go to my example file decrypted dot base64, it is here. It's a much shorter thing.
[00:08:28] And now we're going to base64 decode this to get my text value. So we'll have a different command again if you're on Windows or if you're on Mac; I'm on Mac, I'm going to use this one. So I'm copying this command, pasting it. And now we have done a base64 decoding of our file. So if we go back to example file decrypted dot txt, we find back our super secret password. So we have shown the encryption and its reverse operation, the decryption. Obviously these are low-level commands; the SDK will abstract some of that for us, but this shows you the full example of how you can use the encrypt and decrypt commands of KMS with your own customer master key. So that's it, super simple. I hope that was helpful, and I will see you in the next lecture.
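Editor's added example, not code from the lecture or from the course's demo script. The lecture inspects two key-policy shapes: the AWS managed aws/ebs policy, which allows any principal but only when the caller account is the key owner's and the call arrives via the EC2 service, and the default policy of a customer managed key, which grants the account root principal kms:* and thereby hands the decision to IAM. The small evaluator below models exactly that subset of the policy language (Allow/Deny, Principal, Action wildcards, StringEquals on kms:CallerAccount and kms:ViaService) and runs the lecture's situations through it: EBS acting for a user in the same account, SQS acting for the same user, a user of another account, and the direct `aws kms decrypt` call with and without IAM permission. The account IDs, the user names, and the action list in the EBS-style policy are constructed for illustration; the region is the lecture's eu-west-2.

```python
"""Who can use a KMS key under the two key-policy shapes seen in the lecture.

Editor's example (not the lecture's code). Models only what those policies use:
Allow/Deny, Principal (ARN, account root, "*"), Action with "*" wildcards, and
StringEquals conditions on kms:CallerAccount and kms:ViaService.
"""
import fnmatch

ACCOUNT = "111122223333"        # constructed sample account ID
OTHER_ACCOUNT = "444455556666"  # constructed second account
REGION = "eu-west-2"            # the lecture's region

# Shaped like the aws/ebs AWS managed key policy: any principal, but only when the
# request is made from this account *through* EC2. Action list is illustrative.
AWS_MANAGED_EBS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow access through EBS for principals in the account",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "kms:CallerAccount": ACCOUNT,
            "kms:ViaService": f"ec2.{REGION}.amazonaws.com",
        }},
    }],
}

# The default key policy the lecture keeps for its customer managed key: the
# account root principal gets kms:*, so the real decision is made by IAM.
DEFAULT_CMK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, ctx):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    for entry in _as_list(principal.get("AWS", [])):
        if entry in ("*", ctx["principal_arn"]):
            return True
        # Granting the account root principal means: any IAM principal of that
        # account may use the key if its own IAM policy allows the action.
        if entry == f"arn:aws:iam::{ctx['caller_account']}:root" and ctx.get("iam_allows"):
            return True
    return False


def _conditions_hold(stmt, ctx):
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, wanted in pairs.items():
            actual = ctx.get("conditions", {}).get(key)
            # A key absent from the request (no kms:ViaService on a direct CLI
            # call, for instance) never satisfies StringEquals.
            if actual is None or actual not in _as_list(wanted):
                return False
    return True


def _action_matches(stmt, action):
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))


def key_policy_allows(policy, ctx):
    """True if the key policy grants ctx['action']; an explicit Deny always wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, ctx) and _action_matches(stmt, ctx["action"])
                and _conditions_hold(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def sample_contexts():
    """Constructed request contexts for the situations the lecture walks through."""
    user = f"arn:aws:iam::{ACCOUNT}:user/stephan"

    def via(service, account):
        return {"kms:CallerAccount": account,
                "kms:ViaService": f"{service}.{REGION}.amazonaws.com"}

    def ctx(arn, account, action, conditions, iam_allows=True):
        return {"principal_arn": arn, "caller_account": account, "action": action,
                "conditions": conditions, "iam_allows": iam_allows}

    return {
        "ebs_same_account": ctx(user, ACCOUNT, "kms:GenerateDataKey", via("ec2", ACCOUNT)),
        "via_sqs": ctx(user, ACCOUNT, "kms:Decrypt", via("sqs", ACCOUNT)),
        "ebs_other_account": ctx(f"arn:aws:iam::{OTHER_ACCOUNT}:user/bob", OTHER_ACCOUNT,
                                 "kms:Decrypt", via("ec2", OTHER_ACCOUNT)),
        # The lecture's `aws kms decrypt` from the CLI: no ViaService in the request
        "direct_cli": ctx(user, ACCOUNT, "kms:Decrypt", {"kms:CallerAccount": ACCOUNT}),
        "direct_cli_no_iam": ctx(user, ACCOUNT, "kms:Decrypt",
                                 {"kms:CallerAccount": ACCOUNT}, iam_allows=False),
    }


def evaluate_all():
    """Decision for every (policy, context) pair; used by the demo and the test."""
    policies = {"aws_ebs": AWS_MANAGED_EBS_POLICY, "default_cmk": DEFAULT_CMK_POLICY}
    return {(name, case): key_policy_allows(policy, context)
            for name, policy in policies.items()
            for case, context in sample_contexts().items()}


if __name__ == "__main__":
    for (policy_name, case), decision in evaluate_all().items():
        print(f"{policy_name:12} {case:20} {'ALLOW' if decision else 'DENY'}")
```

Run as a script it prints one decision per line. The two results worth noticing are the ones the lecture points at: under the EBS-style policy the same IAM user is allowed when EC2 makes the call for them and denied on a direct CLI call, because kms:ViaService is simply absent from a direct request; under the default customer managed key policy the direct call succeeds only when the user's IAM policy grants the KMS action, which is what "enable IAM user permissions" means.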