Encrypting and decrypting data with a Key Manager data encryption key
This page shows you how to encrypt and decrypt data using your Key Manager data encryption key and Tink.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- Created a key encryption key either from the Scaleway console or the Key Manager API
- Retrieved your key encryption key's ID
- A valid API key
- Downloaded and configured the Scaleway CLI
- Dowloaded and installed Go
- Created a Key Manager data encryption key
- Created and retrieved the ID your Key Manager key
Configuring your environment variables
Open a terminal and paste the following command to export your environment variables. Make sure that you replace the placeholder values with your own.
export SCW_ACCESS_KEY="<access-key>"
export SCW_SECRET_KEY="<secret-key>"
export SCW_DEFAULT_ORGANIZATION_ID="<organization-id>"
export SCW_PROJECT_ID="<project-id>"
export SCW_DEFAULT_REGION="<region>"
export SCW_API_URL="<api-url>"
export SCW_KM_KEY_ID="<key-id>"
Using the Go Tink provider
-
Create a
test.go
file in your Go project. -
Copy and paste the following code in your
test.go
file.package main import ( "fmt" "github.com/scaleway/tink-go-scwkms/integration/scwkms" "github.com/tink-crypto/tink-go/v2/aead" "log" "os" ) func main() { const keyURIPrefix = "scw-kms://regions/<region>/keys/" keyURI := keyURIPrefix + os.Getenv("SCW_KMS_KEY_ID") client, err := scwkms.NewClient(keyURIPrefix) if err != nil { log.Fatal(err) } kekAEAD, err := client.GetAEAD(keyURI) if err != nil { log.Fatal(err) } // Get the Key Manager envelope AEAD primitive. dekTemplate := aead.AES256GCMKeyTemplate() primitive := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD) if err != nil { log.Fatal(err) } // Use the primitive. plaintext := []byte("message") associatedData := []byte("example KMS envelope AEAD encryption") ciphertext, err := primitive.Encrypt(plaintext, associatedData) if err != nil { log.Fatal(err) } fmt.Printf("Plaintext: %s\n", plaintext) fmt.Printf("Ciphertext (base64): %s\n", ciphertext) decryptedCiphertext, err := primitive.Decrypt(ciphertext, associatedData) if err != nil { log.Fatal(err) } fmt.Printf("Decrypted ciphertext: %s\n", decryptedCiphertext) }
-
Replace
<region>
with the region where your key is located and save your changes. -
Run your code:
go run test.go
Manually encrypt and decrypt data with a Key Manager DEK
OpenSSL overview
OpenSSL is a software library for secure communication over computer networks. It is widely used for cryptographic functions.
To decrypt or encrypt your data using OpenSSL, you need to send your encrypted DEK to Key Manager using the Decrypt data operation.
Scaleway Key Manager then uses your key encryption key (KEK) to decrypt the encrypted DEK, returning it to its plaintext (unencrypted) form, which you can then use to decrypt your actual data.
Encrypting data with OpenSSL
To encrypt your data using OpenSSl, you need to:
-
Decrypt your encrypted DEK using your Key Manager key (key encryption key).
-
Create a
plaintext.txt
file in which you will paste your plaintext data. -
Encrypt the content of
plaintext.txt
using OpenSSL and theAES-256-CBC
cipher encryption algorithm. -
Open a terminal and paste the following command to perform the actions described above. Make sure that you replace
<kek_id>
and<my_encrypted_data_key>
with the relevant values.# Decrypt the encrypted DEK using scw key decrypt decrypted_data_key=$(scw keymanager key decrypt key-id=<kek_id> ciphertext=<my_encrypted_data_key> | awk '$1 == "Plaintext" {print $2}' | base64 -d) # Put your data plaintext into a .txt file echo -n "Your plaintext here" > plaintext.txt # Encrypt your file using OpenSSL and AES-256-CBC openssl enc -aes-256-cbc -in plaintext.txt -out encrypted.bin -K $(echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"') -iv 0 -nosalt -p # Remove the plaintext data rm plaintext.txt
Decrypting data with OpenSSL
To decrypt your encrypted data using OpenSSL, you need to:
-
Decrypt your encrypted DEK using your Key Manager key (key encryption key).
-
Decrypt the content of
encrypted.bin
which contains your encrypted data, using OpenSSL and theAES-256-CBC
cipher encryption algorithm. -
Open a terminal and paste the following command to perform the actions described above. Make sure that you replace
<kek_id>
and<my_encrypted_data_key>
with the relevant values.# Decrypt the encrypted DEK using scw key decrypt decrypted_data_key=$(scw keymanager key decrypt key-id=<kek_id> ciphertext=<my_encrypted_data_key> | awk '$1 == "Plaintext" {print $2}' | base64 -d) # Decrypt your data using OpenSSL and AES-256-CBC openssl enc -aes-256-cbc -d -in encrypted.bin -out decrypted.bin -K $(echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"') -iv 0 -nosalt -p
Encrypting a DEK manually
-
Create one data encryption key for each plaintext you want to encrypt.
-
Use your newly created DEK to encrypt the desired plaintext securely.
-
After encrypting the plaintext using your DEK, concatenate the encrypted DEK with the resulting ciphertext. This ensures that the encrypted DEK is securely associated with the corresponding ciphertext for decryption.
Decrypting a DEK manually
-
Extract the encrypted DEK from the ciphertext.
-
Decrypt the encrypted DEK using your Key manager key (key encryption key).
-
Use the resulting DEK's plaintext to decrypt the ciphertext.
-
Delete the plaintext DEK from permanent storage after using it to enhance security.