为什么 AWS KMS encrypt/decrypt 不需要数据密钥?
Why doesn't AWS KMS encrypt/decrypt need data key?
我正在阅读来自 https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html and https://docs.aws.amazon.com/cli/latest/reference/kms/decrypt.html. I found that I am able to encrypt/decrypt without creating a data key. When I read https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html 的 AWS 加密 cli 文档,它说我需要使用 KMS CMK 生成用于加密我的数据的数据密钥。
所以我对是否需要数据密钥感到困惑?
CMK 被设计为encrypt/decrypt 数据密钥。因此,在直接调用加密函数时可以加密的明文数量限制为 4 KB。您可以通过传递大于 4 KB 的消息来轻松测试它。
These operations are designed to encrypt and decrypt data keys. They use an AWS KMS customer master key (CMK) in the encryption operations and they cannot accept more than 4 KB (4096 bytes) of data. Although you might use them to encrypt small amounts of data, such as a password or RSA key, they are not designed to encrypt application data.
您可能正在使用由另一个使用 KMS 加密的 AWS 服务创建的默认 CMK。
当然所有的加解密操作都需要密钥。如果您没有为您的应用程序明确创建一个,那么您正在使用当前的默认密钥。
Ensure that KMS Customer Master Keys (CMKs) are used by your AWS services and resources instead of default KMS keys, in order to have full control over data encryption/decryption process and meet compliance requirements. A KMS default master key is used by an AWS service such as RDS, EBS, Lambda, Elastic Transcoder, Redshift, SES, SQS, CloudWatch, EFS, S3 or Workspaces when no other key is defined to encrypt a resource for that service. The default key cannot be modified to ensure its availability, durability and security. On the other side, a KMS Customer Master Key (CMK) provides the ability to create, rotate, disable, enable and audit the encryption key used to protect the data.
见https://www.cloudconformity.com/knowledge-base/aws/KMS/default-key-usage.html
我正在阅读来自 https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html and https://docs.aws.amazon.com/cli/latest/reference/kms/decrypt.html. I found that I am able to encrypt/decrypt without creating a data key. When I read https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html 的 AWS 加密 cli 文档,它说我需要使用 KMS CMK 生成用于加密我的数据的数据密钥。 所以我对是否需要数据密钥感到困惑?
CMK 被设计为encrypt/decrypt 数据密钥。因此,在直接调用加密函数时可以加密的明文数量限制为 4 KB。您可以通过传递大于 4 KB 的消息来轻松测试它。
These operations are designed to encrypt and decrypt data keys. They use an AWS KMS customer master key (CMK) in the encryption operations and they cannot accept more than 4 KB (4096 bytes) of data. Although you might use them to encrypt small amounts of data, such as a password or RSA key, they are not designed to encrypt application data.
您可能正在使用由另一个使用 KMS 加密的 AWS 服务创建的默认 CMK。
当然所有的加解密操作都需要密钥。如果您没有为您的应用程序明确创建一个,那么您正在使用当前的默认密钥。
Ensure that KMS Customer Master Keys (CMKs) are used by your AWS services and resources instead of default KMS keys, in order to have full control over data encryption/decryption process and meet compliance requirements. A KMS default master key is used by an AWS service such as RDS, EBS, Lambda, Elastic Transcoder, Redshift, SES, SQS, CloudWatch, EFS, S3 or Workspaces when no other key is defined to encrypt a resource for that service. The default key cannot be modified to ensure its availability, durability and security. On the other side, a KMS Customer Master Key (CMK) provides the ability to create, rotate, disable, enable and audit the encryption key used to protect the data.
见https://www.cloudconformity.com/knowledge-base/aws/KMS/default-key-usage.html