Skip to navigationSkip to main contentSkip to footerScaleway Docs

Encrypting and decrypting data with a Key Manager data encryption key

This page shows you how to encrypt and decrypt data using your Key Manager data encryption key and Tink.

Before you start

To complete the actions presented below, you must have:

Configuring your environment variables

Open a terminal and paste the following command to export your environment variables. Make sure that you replace the placeholder values with your own.

export SCW_ACCESS_KEY="<access-key>"
    export SCW_SECRET_KEY="<secret-key>"
    export SCW_DEFAULT_ORGANIZATION_ID="<organization-id>"
    export SCW_PROJECT_ID="<project-id>"
    export SCW_DEFAULT_REGION="<region>"
    export SCW_API_URL="<api-url>"
    export SCW_KM_KEY_ID="<key-id>"

Using the Go Tink provider

  1. Set up Tink.

    Note

    The Tink library for Go is a cryptographic library that simplifies encryption, decryption, and key management operations.

  2. Create a test.go file in your Go project.

  3. Copy and paste the following code in your test.go file.

    package main
    
    import (
        "fmt"
        "github.com/scaleway/tink-go-scwkms/integration/scwkms"
        "github.com/tink-crypto/tink-go/v2/aead"
        "log"
        "os"
    )
    
    func main() {
        const keyURIPrefix = "scw-kms://regions/<region>/keys/"
        keyURI := keyURIPrefix + os.Getenv("SCW_KMS_KEY_ID")
    
        client, err := scwkms.NewClient(keyURIPrefix)
        if err != nil {
            log.Fatal(err)
        }
    
        kekAEAD, err := client.GetAEAD(keyURI)
        if err != nil {
            log.Fatal(err)
        }
    
        // Get the Key Manager envelope AEAD primitive.
        dekTemplate := aead.AES256GCMKeyTemplate()
        primitive := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD)
        if err != nil {
            log.Fatal(err)
        }
    
        // Use the primitive.
        plaintext := []byte("message")
        associatedData := []byte("example KMS envelope AEAD encryption")
    
        ciphertext, err := primitive.Encrypt(plaintext, associatedData)
        if err != nil {
            log.Fatal(err)
        }
    
        fmt.Printf("Plaintext: %s\n", plaintext)
        fmt.Printf("Ciphertext (base64): %s\n", ciphertext)
    
        decryptedCiphertext, err := primitive.Decrypt(ciphertext, associatedData)
        if err != nil {
            log.Fatal(err)
        }
    
        fmt.Printf("Decrypted ciphertext: %s\n", decryptedCiphertext)
    }
  4. Replace <region> with the region where your key is located and save your changes.

  5. Run your code:

    go run test.go

Manually encrypt and decrypt data with a Key Manager DEK

OpenSSL overview

OpenSSL is a software library for secure communication over computer networks. It is widely used for cryptographic functions.

To decrypt or encrypt your data using OpenSSL, you need to send your encrypted DEK to Key Manager using the Decrypt data operation.

Scaleway Key Manager then uses your key encryption key (KEK) to decrypt the encrypted DEK, returning it to its plaintext (unencrypted) form, which you can then use to decrypt your actual data.

Important
  • We do not recommend using OpenSSL in a production environment.
  • You should never save the plaintext DEK on disk or any permanent storage, as it poses a security risk.

Encrypting data with OpenSSL

To encrypt your data using OpenSSl, you need to:

  1. Decrypt your encrypted DEK using your Key Manager key (key encryption key).

  2. Create a plaintext.txt file in which you will paste your plaintext data.

  3. Encrypt the content of plaintext.txt using OpenSSL and the AES-256-CBC cipher encryption algorithm.

  4. Open a terminal and paste the following command to perform the actions described above. Make sure that you replace <kek_id> and <my_encrypted_data_key> with the relevant values.

    # Decrypt the encrypted DEK using scw key decrypt
    decrypted_data_key=$(scw keymanager key decrypt key-id=<kek_id> ciphertext=<my_encrypted_data_key> | awk '$1 == "Plaintext" {print $2}' | base64 -d)
    
    # Put your data plaintext into a .txt file
    echo -n "Your plaintext here" > plaintext.txt
    
    # Encrypt your file using OpenSSL and AES-256-CBC
    openssl enc -aes-256-cbc -in plaintext.txt -out encrypted.bin -K $(echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"') -iv 0 -nosalt -p
    
    # Remove the plaintext data
    rm plaintext.txt

Decrypting data with OpenSSL

To decrypt your encrypted data using OpenSSL, you need to:

  1. Decrypt your encrypted DEK using your Key Manager key (key encryption key).

  2. Decrypt the content of encrypted.bin which contains your encrypted data, using OpenSSL and the AES-256-CBC cipher encryption algorithm.

  3. Open a terminal and paste the following command to perform the actions described above. Make sure that you replace <kek_id> and <my_encrypted_data_key> with the relevant values.

    # Decrypt the encrypted DEK using scw key decrypt
        decrypted_data_key=$(scw keymanager key decrypt key-id=<kek_id> ciphertext=<my_encrypted_data_key> | awk '$1 == "Plaintext" {print $2}' | base64 -d)
    
        # Decrypt your data using OpenSSL and AES-256-CBC
        openssl enc -aes-256-cbc -d -in encrypted.bin -out decrypted.bin -K $(echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"') -iv 0 -nosalt -p
Tip

If you do not wish to use OpenSSL to encrypt and decrypt your data encryption key, you can do it manually using the procedure below, which follows best practices.

Encrypting a DEK manually

  1. Create one data encryption key for each plaintext you want to encrypt.

    Tip

    This ensures that each encryption operation uses a unique encryption key, enhancing security.

  2. Use your newly created DEK to encrypt the desired plaintext securely.

    Note

    We recommend using standard and well-established ciphers, such as AES (Advanced Encryption Standard), to perform the encryption operation.

  3. After encrypting the plaintext using your DEK, concatenate the encrypted DEK with the resulting ciphertext. This ensures that the encrypted DEK is securely associated with the corresponding ciphertext for decryption.

Decrypting a DEK manually

  1. Extract the encrypted DEK from the ciphertext.

    Note

    Extracting an encrypted DEK from the ciphertext means that we are separating the encrypted DEK from the ciphertext.

  2. Decrypt the encrypted DEK using your Key manager key (key encryption key).

  3. Use the resulting DEK's plaintext to decrypt the ciphertext.

    Note

    Use the same cryptographic algorithm and decryption mechanism as the ones you used during the encryption process.

  4. Delete the plaintext DEK from permanent storage after using it to enhance security.

Still need help?

Create a support ticket
No Results