1
00:00:00,050 --> 00:00:00,883
So if you google

2
00:00:00,883 --> 00:00:03,400
installing the AWS Encryption CLI

3
00:00:03,400 --> 00:00:06,384
then we see how we can install it and we have to use Python

4
00:00:06,384 --> 00:00:08,269
and we can check the Python version,

5
00:00:08,269 --> 00:00:11,120
it gives you the instructions for Windows as well

6
00:00:11,120 --> 00:00:15,780
and we'll use pip, so it's just pip install AWS Encryption

7
00:00:15,780 --> 00:00:17,270
SDK CLI.

8
00:00:17,270 --> 00:00:19,519
So let me go ahead and run this command

9
00:00:19,519 --> 00:00:24,519
and this is just for us to see how encryption works,

10
00:00:25,050 --> 00:00:28,330
this is definitely not needed for the exam to know how

11
00:00:28,330 --> 00:00:31,047
to execute this command, this is just for the people who

12
00:00:31,047 --> 00:00:34,607
are curious and want to see data key encryption in action.

13
00:00:35,710 --> 00:00:40,230
Now we have the AWS Encryption CLI installed,

14
00:00:40,230 --> 00:00:44,453
so if I do --version I get the encryption CLI

15
00:00:44,453 --> 00:00:49,453
to be 1.37, 1.3.7, and 1.1.5 for the CLI itself.

16
00:00:50,900 --> 00:00:53,507
Okay so we're ready to use the encryption,

17
00:00:53,507 --> 00:00:57,340
now if we do examples we can go straight to understanding

18
00:00:57,340 --> 00:00:59,630
how to encrypt a file and so we'll have

19
00:00:59,630 --> 00:01:03,417
to export a CMK ARN so we have to figure out the key

20
00:01:03,417 --> 00:01:06,088
and then we'll have to run the encrypt command

21
00:01:06,088 --> 00:01:09,600
and then we'll have to run the decrypt command afterwards.

22
00:01:09,600 --> 00:01:12,670
So as far as the key we'll use, we'll use the tutorial key

23
00:01:12,670 --> 00:01:15,670
from before, except this time we need the full ARN

24
00:01:15,670 --> 00:01:18,090
of our key, we cannot just use the alias.
25
00:01:18,090 --> 00:01:22,020
I'll just say key equals and I'll just paste this,

26
00:01:22,020 --> 00:01:23,565
now my key has been exported

27
00:01:23,565 --> 00:01:26,840
and now I'm able to run this command.

28
00:01:26,840 --> 00:01:30,280
We first have to generate a hello.txt file

29
00:01:30,280 --> 00:01:35,280
so I'll just say vi hello.txt and I'll say something

30
00:01:35,890 --> 00:01:40,890
super secret that's over one megabyte.

31
00:01:41,250 --> 00:01:46,100
Basically imagine this file is over one megabyte and yeah,

32
00:01:46,100 --> 00:01:48,330
that'll be enough, okay, but this is just a text file

33
00:01:48,330 --> 00:01:49,910
and it could be as big as you want.

34
00:01:49,910 --> 00:01:54,020
Here it contains some very super secret data, okay?

35
00:01:54,020 --> 00:01:56,160
And what we want to do is encrypt this,

36
00:01:56,160 --> 00:01:59,030
so for this we'll run this entire command right here

37
00:01:59,030 --> 00:02:01,778
and you have the PowerShell equivalent if you need it

38
00:02:01,778 --> 00:02:03,520
right here

39
00:02:03,520 --> 00:02:05,210
and so I'll copy it

40
00:02:07,300 --> 00:02:08,580
and paste it

41
00:02:08,580 --> 00:02:09,670
and so here the only thing

42
00:02:09,670 --> 00:02:12,040
I have to change, because I didn't name it exactly like

43
00:02:12,040 --> 00:02:16,480
them, I'll name this key, so key equals dollar key

44
00:02:16,480 --> 00:02:17,700
and that should be it.
45
00:02:17,700 --> 00:02:21,680
So we're encrypting the data and the input to the encryption

46
00:02:21,680 --> 00:02:24,930
is going to be hello.txt and the master key we're going

47
00:02:24,930 --> 00:02:29,650
to use is going to be this ARN coming straight out of Amazon

48
00:02:29,650 --> 00:02:32,940
and we're going to output the metadata, if you want

49
00:02:32,940 --> 00:02:37,510
to explore the metadata, I'll probably just use the

50
00:02:37,510 --> 00:02:40,420
metadata folder right here.

51
00:02:40,420 --> 00:02:43,736
Encryption context is optional and to be honest

52
00:02:43,736 --> 00:02:48,610
I will remove it right now because we don't need to use it

53
00:02:48,610 --> 00:02:52,070
for now, and now we'll use the output and the output is the

54
00:02:52,070 --> 00:02:54,240
encrypted file where we'll go.

55
00:02:54,240 --> 00:02:59,190
Press Enter and it says the metadata output file cannot be in

56
00:02:59,190 --> 00:03:02,440
the output directory so how about I make a directory

57
00:03:02,440 --> 00:03:07,440
called output and I'll use the output directory to do this.

58
00:03:09,460 --> 00:03:10,840
Okay so we're done.

59
00:03:10,840 --> 00:03:13,159
So now the file has been encrypted so if we look at

60
00:03:13,159 --> 00:03:15,340
the results we have hello.txt,

61
00:03:15,340 --> 00:03:18,070
that's our file from before encryption.

62
00:03:18,070 --> 00:03:20,319
We have metadata, which is the metadata that happened

63
00:03:20,319 --> 00:03:25,319
and we have output which is the output encrypted file.

64
00:03:25,850 --> 00:03:27,753
So let's look at the metadata first.

65
00:03:28,780 --> 00:03:31,990
The metadata contains a JSON document and so I'll just

66
00:03:31,990 --> 00:03:35,260
pipe it into jq to print it a little bit clearer.
67
00:03:35,260 --> 00:03:39,540
This JSON document has a header and so it tells us the

68
00:03:39,540 --> 00:03:41,840
algorithm that was used to encrypt the data.

69
00:03:41,840 --> 00:03:45,750
It tells us what data key was used, the key provider,

70
00:03:45,750 --> 00:03:47,950
the encryption context, all these things that I described

71
00:03:47,950 --> 00:03:50,030
before are gonna be in this metadata.

72
00:03:50,030 --> 00:03:53,240
This is just something you can use if you wanted to have a

73
00:03:53,240 --> 00:03:55,700
summary of what happened but this metadata file is

74
00:03:55,700 --> 00:03:58,958
definitely not needed, so what I can do is remove this

75
00:03:58,958 --> 00:04:02,470
metadata file and so the important thing is that

76
00:04:02,470 --> 00:04:06,310
if we go to the output directory we get a

77
00:04:06,310 --> 00:04:07,620
hello.txt.encrypted file

78
00:04:07,620 --> 00:04:10,530
and so if I do cat output/hello.txt.encrypted

79
00:04:10,530 --> 00:04:12,660
we see a lot of gibberish,

80
00:04:12,660 --> 00:04:15,310
it's because our file has been encrypted.

81
00:04:15,310 --> 00:04:17,470
The important thing though is we can see that our file

82
00:04:17,470 --> 00:04:22,160
was encrypted using this KMS key and the generated

83
00:04:22,160 --> 00:04:24,850
data key, so it allows the Encryption SDK

84
00:04:24,850 --> 00:04:27,280
to decrypt that file in the future.

85
00:04:27,280 --> 00:04:29,761
Let's play with the decryption now

86
00:04:29,761 --> 00:04:33,440
and for the decryption we'll just need to run this one

87
00:04:33,440 --> 00:04:36,470
command right here, so let me just run it and adapt it

88
00:04:36,470 --> 00:04:38,320
because I did a few changes.
89
00:04:38,320 --> 00:04:41,830
So now we want to run the decrypt function and the input is

90
00:04:41,830 --> 00:04:44,500
going to be in the output directory for me, which is

91
00:04:44,500 --> 00:04:46,320
hello.txt.encrypted.

92
00:04:46,320 --> 00:04:49,550
The encryption context was not used so I'll just remove

93
00:04:49,550 --> 00:04:51,820
this for simplicity's sake.

94
00:04:51,820 --> 00:04:54,840
The metadata output is again if we wanted to output

95
00:04:54,840 --> 00:04:57,870
the metadata so I'll just have it right here

96
00:04:57,870 --> 00:05:02,320
and the output is going to be the decrypted folder.

97
00:05:02,320 --> 00:05:03,153
Okay?

98
00:05:03,153 --> 00:05:06,068
So here we're decrypting the encrypted data

99
00:05:06,068 --> 00:05:07,763
and let's press Enter.

100
00:05:10,550 --> 00:05:13,610
We need to create the decrypted directory,

101
00:05:13,610 --> 00:05:16,188
let's run this again, and now it worked

102
00:05:16,188 --> 00:05:18,420
so now if we do ll,

103
00:05:18,420 --> 00:05:21,546
we see it created a decrypted directory.

104
00:05:21,546 --> 00:05:25,110
If we look into that decrypted directory we have the

105
00:05:25,110 --> 00:05:27,400
hello.txt.encrypted.decrypted so it's been

106
00:05:27,400 --> 00:05:28,630
decrypted in the end.

107
00:05:28,630 --> 00:05:30,650
Let's cat the content to make sure it was

108
00:05:30,650 --> 00:05:33,300
decrypted correctly and we get back our super secret

109
00:05:33,300 --> 00:05:36,330
that was over one megabyte.

110
00:05:36,330 --> 00:05:38,372
So this is really interesting because using this

111
00:05:38,372 --> 00:05:39,205
encryption CLI, two commands,

112
00:05:39,205 --> 00:05:42,160
okay I just had to get them right.
113
00:05:42,160 --> 00:05:43,800
Using the encrypt command and the decrypt

114
00:05:43,800 --> 00:05:47,130
command we're able to encrypt a large file and decrypt a

115
00:05:47,130 --> 00:05:50,306
large file and this involves KMS directly.

116
00:05:50,306 --> 00:05:52,630
That's it for this hands-on, I hope you liked it

117
00:05:52,630 --> 00:05:54,580
and I will see you in the next lecture.