How to Encrypt and Decrypt data using AWS KMS & CloudHSM

This article will guide you on how to use AWS Services KMS & CloudHSM. You can use AWS KMS & CloudHSM to encrypt and decrypt data.


AWS Key Management Service is an Amazon Web service that allows you to encrypt your stored data efficiently. It provides key storage, maintenance, and management to encrypt data in your website/applications and control your stored data in encryption form.

It allows you to manage and securely store your keys globally, known as customer master keys.


Key Management with KMS

We can perform the following essential management functions in AWS through KMS:

  • We can create multiple keys with a unique alias/name and description.
  • You can Import your crucial material.
  • We can define which IAM users and roles can handle keys using policies.
  • You can describe which IAM users and roles can use keys to encrypted and decrypted data using policies.
  • It automatically rotates your keys on an annual basis.
  • With the help of it, we can temporarily disable keys so unauthorized personnel cannot use these keys.
  • Re-enable and disabled keys.
  • Delete keys that you have not used for a long time.
  • Go through the use of keys by inspecting logs in AWS Cloud Trail.
  • Create custom key stores*.
  • Connect and disconnect custom key stores*.
  • Delete custom key stores*.

Types of Customer Master Keys (CMK’s)

  1. Customer Managed CMKs
  2. AWS Managed CMKs
  3. Custom Key Stores

Types of AWS KMS

1:Customer Managed CMK

These are in your AWS console account that you create your management.

You have complete control over the CMKs, including establishing and maintaining their key policies, IAM policies, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases/names that refer to the CMK, and setting the CMKs for deletion.

Customer-managed CMKs have a monthly fee and a fee for use above the given AWS free tier.

2:AWS Managed CMKs

You can use this type through your AWS console account by an AWS service integrated with AWS KMS.

You can’t handle these CMKs, rotate, change their keys, policies, or cryptographic operations directly; the service that creates them uses them on your behalf.

You don’t pay a monthly bill for AWS-managed CMKs. However, you may have to pay some fee over the given AWS free tier, but some AWS services cover these costs only for you.

AWS Managed CMKs

Symmetric CMKs

It uses a single key for both encryption and decryption. The shared key must be sent together with the encrypted data in order for other parties to read it. Because of the simplicity of the process, it is usually faster than asymmetric encryption and is efficient in encrypting large amounts of data.

Asymmetric CMKs

It uses a mathematically related public and private key for encryption and decryption. The public key is used for encrypting data and can never be used for decryption. The private key is only used for decrypting data. The private key stays on the user while both the public key and the encrypted data are sent to other parties. This kind of method makes the sharing of public keys a lot easier because even if someone has managed to steal the data with the public key, he won’t be able to decrypt the information.

AWS KMS also supports both keys. 1st is the symmetric data key, and 2nd is the asymmetric data key pairs designed for use with the client-side signing of AWS KMS. The symmetric data KMS also supports both given keys, designed for use with the client-side signing of AWS KMS.

  • Symmetric Data Key is a symmetric encryption key that you can use to encrypt data outside of AWS KMS.
  • Asymmetric Data Key Pair is an RSA or elliptic curve (ECC) key pair consisting of both keys, 1st is the public key, and 2nd is the private key. Asymmetric CMK saves the private key in AWS KMS. You can use your data and key pair outside of AWS KMS to encrypt and decrypt data, sign messages and verify signatures.

3.Custom Key Stores

A key store is a secure location for storing cryptographic keys. The default key store in AWS KMS also supports methods for generating and managing the keys that its stores. By default, the customer master keys (CMKs) that you create in AWS KMS are generated in and protected by hardware security modules (HSMs) that are FIPS 140-2 validated cryptographic modules. The CMKs never leave the modules unencrypted.

Cloud Hardware Security Module (HSM)

It is a cloud-based hardware security module (HSM). That enables you to quickly generate and use your encryption keys on the AWS Cloud. Cloud HSM can manage your encryption keys using FIPS 140-2 (Level 3) validated HSMs.

Therefore, it is a fully managed service for those automatically time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups. It also allows you to scale quickly by adding & removing HSM capacity according to the user’s requirements, without any payment.  It runs on your VPC.


The following table helps to understand the critical differences between AWS CloudHSM and AWS KMS:

Difference Between KMS & HSM


Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.