Encrypting and decrypting data with a Key Manager data encryption key

Reviewed on February 06, 2025

This page shows you how to encrypt and decrypt data using your Key Manager data encryption key and Tink.

Before you start

To complete the actions presented below, you must have:

A Scaleway account logged into the console
Owner status or IAM permissions allowing you to perform actions in the intended Organization
Created a key encryption key either from the Scaleway console or the Key Manager API
Retrieved your key encryption key's ID
A valid API key
Downloaded and configured the Scaleway CLI
Dowloaded and installed Go
Created a Key Manager data encryption key
Created and retrieved the ID your Key Manager key

Configuring your environment variables

Open a terminal and paste the following command to export your environment variables. Make sure that you replace the placeholder values with your own.

export SCW_ACCESS_KEY="<access-key>"
    export SCW_SECRET_KEY="<secret-key>"
    export SCW_DEFAULT_ORGANIZATION_ID="<organization-id>"
    export SCW_PROJECT_ID="<project-id>"
    export SCW_DEFAULT_REGION="<region>"
    export SCW_API_URL="<api-url>"
    export SCW_KM_KEY_ID="<key-id>"

Using the Go Tink provider

Set up Tink.

Note
The Tink library for Go is a cryptographic library that simplifies encryption, decryption, and key management operations.
Create a test.go file in your Go project.

Copy and paste the following code in your test.go file.

package main

import (
    "fmt"
    "github.com/scaleway/tink-go-scwkms/integration/scwkms"
    "github.com/tink-crypto/tink-go/v2/aead"
    "log"
    "os"
)

func main() {
    const keyURIPrefix = "scw-kms://regions/<region>/keys/"
    keyURI := keyURIPrefix + os.Getenv("SCW_KMS_KEY_ID")

    client, err := scwkms.NewClient(keyURIPrefix)
    if err != nil {
        log.Fatal(err)
    }

    kekAEAD, err := client.GetAEAD(keyURI)
    if err != nil {
        log.Fatal(err)
    }

    // Get the Key Manager envelope AEAD primitive.
    dekTemplate := aead.AES256GCMKeyTemplate()
    primitive := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD)
    if err != nil {
        log.Fatal(err)
    }

    // Use the primitive.
    plaintext := []byte("message")
    associatedData := []byte("example KMS envelope AEAD encryption")

    ciphertext, err := primitive.Encrypt(plaintext, associatedData)
    if err != nil {
        log.Fatal(err)
    }

    fmt.Printf("Plaintext: %s\n", plaintext)
    fmt.Printf("Ciphertext (base64): %s\n", ciphertext)

    decryptedCiphertext, err := primitive.Decrypt(ciphertext, associatedData)
    if err != nil {
        log.Fatal(err)
    }

    fmt.Printf("Decrypted ciphertext: %s\n", decryptedCiphertext)
}

Replace <region> with the region where your key is located and save your changes.
Run your code:
```
go run test.go
```

Manually encrypt and decrypt data with a Key Manager DEK

OpenSSL overview

OpenSSL is a software library for secure communication over computer networks. It is widely used for cryptographic functions.

To decrypt or encrypt your data using OpenSSL, you need to send your encrypted DEK to Key Manager using the Decrypt data operation.

Scaleway Key Manager then uses your key encryption key (KEK) to decrypt the encrypted DEK, returning it to its plaintext (unencrypted) form, which you can then use to decrypt your actual data.

Important

We do not recommend using OpenSSL in a production environment.
You should never save the plaintext DEK on disk or any permanent storage, as it poses a security risk.

Encrypting data with OpenSSL

To encrypt your data using OpenSSl, you need to:

Decrypt your encrypted DEK using your Key Manager key (key encryption key).
Create a plaintext.txt file in which you will paste your plaintext data.
Encrypt the content of plaintext.txt using OpenSSL and the AES-256-CBC cipher encryption algorithm.

Open a terminal and paste the following command to perform the actions described above. Make sure that you replace <kek_id> and <my_encrypted_data_key> with the relevant values.

# Decrypt the encrypted DEK using scw key decrypt
decrypted_data_key=$(scw keymanager key decrypt key-id=<kek_id> ciphertext=<my_encrypted_data_key> | awk '$1 == "Plaintext" {print $2}' | base64 -d)

# Put your data plaintext into a .txt file
echo -n "Your plaintext here" > plaintext.txt

# Encrypt your file using OpenSSL and AES-256-CBC
openssl enc -aes-256-cbc -in plaintext.txt -out encrypted.bin -K $(echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"') -iv 0 -nosalt -p

# Remove the plaintext data
rm plaintext.txt

Decrypting data with OpenSSL

To decrypt your encrypted data using OpenSSL, you need to:

Decrypt your encrypted DEK using your Key Manager key (key encryption key).
Decrypt the content of encrypted.bin which contains your encrypted data, using OpenSSL and the AES-256-CBC cipher encryption algorithm.

Open a terminal and paste the following command to perform the actions described above. Make sure that you replace <kek_id> and <my_encrypted_data_key> with the relevant values.

# Decrypt the encrypted DEK using scw key decrypt
    decrypted_data_key=$(scw keymanager key decrypt key-id=<kek_id> ciphertext=<my_encrypted_data_key> | awk '$1 == "Plaintext" {print $2}' | base64 -d)

    # Decrypt your data using OpenSSL and AES-256-CBC
    openssl enc -aes-256-cbc -d -in encrypted.bin -out decrypted.bin -K $(echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"') -iv 0 -nosalt -p

Tip

If you do not wish to use OpenSSL to encrypt and decrypt your data encryption key, you can do it manually using the procedure below, which follows best practices.

Encrypting a DEK manually

Create one data encryption key for each plaintext you want to encrypt.

Tip
This ensures that each encryption operation uses a unique encryption key, enhancing security.
Use your newly created DEK to encrypt the desired plaintext securely.

Note
We recommend using standard and well-established ciphers, such as AES (Advanced Encryption Standard), to perform the encryption operation.
After encrypting the plaintext using your DEK, concatenate the encrypted DEK with the resulting ciphertext. This ensures that the encrypted DEK is securely associated with the corresponding ciphertext for decryption.

Decrypting a DEK manually

Extract the encrypted DEK from the ciphertext.

Note
Extracting an encrypted DEK from the ciphertext means that we are separating the encrypted DEK from the ciphertext.
Decrypt the encrypted DEK using your Key manager key (key encryption key).
Use the resulting DEK's plaintext to decrypt the ciphertext.

Note
Use the same cryptographic algorithm and decryption mechanism as the ones you used during the encryption process.
Delete the plaintext DEK from permanent storage after using it to enhance security.

Still need help?

Create a support ticket