Encrypt/Decrypt

As an example we will be performing the operations of encryption and decryption, which are elaborated in the AWS documentation. To execute these operations, it is necessary to establish a connection with our EC2 instance, as described in the preceding step, and deploy the Securosys XKS Proxy. For this purpose, the following commands are recommended:

service xksproxy start|stop|restart

In the below example command we use a specified key, generated on the HSM, to encrypt a string of base64 encoded plaintext.

aws kms encrypt --key-id arn:aws:kms:eu-central-1:123456789:key/b111ab11-d1ee-11c1-bd11-111e11f111a1 \
    --plaintext SGVsbG8h --output text --query CiphertextBlob | base64 --decode > /home/ec2-user/EncryptedFile

The below command uses the same key to decrypt the ciphertext blob written above and recover the plaintext.

aws kms decrypt --ciphertext-blob fileb:///home/ec2-user/EncryptedFile \
    --key-id arn:aws:kms:eu-central-1:123456789:key/b111ab11-d1ee-11c1-bd11-111e11f111a1 \
    --output text --query Plaintext | base64 --decode > /home/ec2-user/PlaintextFile

Note:

The plaintext passed to the encrypt command must be base64 encoded, and the Plaintext value returned by the decrypt command is base64 encoded as well, which is why both commands pipe their output through base64 --decode. Furthermore, if you encounter any errors or issues within the console, it is advisable to examine the application logs found in the "xks_proxy.log" file. More about Securosys XKS Proxy logging can be found in the Troubleshooting chapter.
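The encrypt and decrypt steps above, wrapped into a round-trip check that encrypts a file, decrypts the blob and compares the result byte for byte. This is an added example, not part of the Securosys documentation; it assumes a configured AWS CLI, and the XKS_KEY_ARN value is the placeholder ARN from this page, to be replaced with your own key.

```shell
#!/usr/bin/env bash
# Added round-trip helper (not part of the Securosys documentation).
# XKS_KEY_ARN is a constructed placeholder; point it at your XKS-backed key.
XKS_KEY_ARN="${XKS_KEY_ARN:-arn:aws:kms:eu-central-1:123456789:key/b111ab11-d1ee-11c1-bd11-111e11f111a1}"

# Encrypt a file's raw bytes. The CLI expects --plaintext as base64, so the
# input is encoded first; CiphertextBlob comes back base64 and is decoded to disk.
kms_encrypt_file() {   # usage: kms_encrypt_file <plaintext-file> <ciphertext-file>
  local b64
  b64=$(base64 < "$1" | tr -d '\n') || return 1
  aws kms encrypt --key-id "$XKS_KEY_ARN" --plaintext "$b64" \
      --output text --query CiphertextBlob | base64 --decode > "$2"
}

# Decrypt a ciphertext blob file back to raw bytes. fileb:// passes the blob
# as binary; the returned Plaintext field is base64 and must be decoded.
kms_decrypt_file() {   # usage: kms_decrypt_file <ciphertext-file> <plaintext-file>
  aws kms decrypt --ciphertext-blob "fileb://$1" --key-id "$XKS_KEY_ARN" \
      --output text --query Plaintext | base64 --decode > "$2"
}

# Encrypt, then decrypt, then compare. Returns 0 only when the recovered
# plaintext is identical to the input, i.e. the proxy-backed key round-trips.
kms_roundtrip_check() {   # usage: kms_roundtrip_check <plaintext-file> <workdir>
  local enc="$2/EncryptedFile" dec="$2/PlaintextFile"
  kms_encrypt_file "$1" "$enc" || return 1
  [ -s "$enc" ] || return 1          # an empty blob means encrypt returned nothing
  kms_decrypt_file "$enc" "$dec" || return 1
  cmp -s "$1" "$dec"
}
```

If the check fails, inspect xks_proxy.log on the EC2 instance before retrying, as the note above advises.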