How can I verify that authenticated encryption with associated data (AEAD) is used when calling AWS KMS APIs?

Last updated: 2019-09-06

How can I verify that authenticated encryption with associated data (AEAD) is used when calling the AWS Key Management Service (AWS KMS) Encrypt, Decrypt, and ReEncrypt APIs?

Short Description

AWS KMS symmetric encryption uses an AEAD cipher (AES-GCM) for every Encrypt call. The optional encryption context is the additional authenticated data: it is not encrypted and is not stored in the ciphertext, but it is covered by the authentication tag, so Decrypt and ReEncrypt succeed only when the caller supplies the same context. You can use it to verify the integrity of the ciphertext that you submit to the Decrypt API, and, because AWS KMS writes the encryption context to AWS CloudTrail logs, to audit which AWS KMS API calls were made for which data.

Resolution

To protect the integrity of data encrypted with the AWS KMS APIs, pass a set of name/value pairs as the EncryptionContext parameter when you call Encrypt, and pass the same pairs again when you call Decrypt (or as the SourceEncryptionContext parameter when you call ReEncrypt). AWS KMS checks the pairs as part of verifying the authentication tag. If every name and value matches exactly (the comparison is case-sensitive, but the order of the pairs does not matter), the plaintext is returned and you know that neither the ciphertext nor the context was altered. If any pair differs, is missing, or was added, or if the ciphertext itself was modified, the call fails with InvalidCiphertextException. ReEncrypt also accepts a DestinationEncryptionContext, which becomes the context bound to the new ciphertext. Because the context is not stored in the ciphertext, the decrypting application must be able to reconstruct it from something it already trusts, such as the name of the file or the ID of the record that owns the data, rather than reading it from the same untrusted location as the ciphertext.
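
The binding described above, as an added example that is not AWS's code and does not call the real service: a small local model of the Encrypt, Decrypt and ReEncrypt calls in Python, using only the standard library. It stands in for AES-GCM with an encrypt-then-MAC construction (an HMAC-SHA256 keystream plus an HMAC-SHA256 tag), an assumption made so that the script runs offline; the ToyKms class, the key IDs and the sample contexts are all invented. What it shows is the property the article relies on: the encryption context is never stored in the ciphertext blob, but it is covered by the authentication tag, so decryption with a reordered but equal context succeeds, while a changed, missing or extra pair, or a flipped ciphertext byte, all fail in the same way, and ReEncrypt rebinds the ciphertext to the destination context.

```python
import hashlib
import hmac
import json
import os


class InvalidCiphertextException(Exception):
    """Stand-in for the KMS error raised when a ciphertext, or the encryption
    context submitted with it, fails authentication."""


def canonical_context(ctx):
    """Encode an encryption context (name/value pairs) order-independently, so
    {"a": "1", "b": "2"} and {"b": "2", "a": "1"} bind to the same AAD."""
    return json.dumps(sorted(ctx.items()), separators=(",", ":")).encode()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for the AES-GCM keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class ToyKms:
    """Invented model of the Encrypt / Decrypt / ReEncrypt calls. The encryption
    context is authenticated as AAD but is never stored in or encrypted into the blob."""

    NONCE_LEN = 12
    TAG_LEN = 32

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id):
        self._keys[key_id] = os.urandom(32)
        return key_id

    def _subkeys(self, key_id):
        root = self._keys[key_id]
        return (hmac.new(root, b"enc", hashlib.sha256).digest(),
                hmac.new(root, b"mac", hashlib.sha256).digest())

    def _tag(self, mac_key, key_id, nonce, ct, ctx):
        # The tag covers key id, nonce, ciphertext AND the canonical context (the AAD).
        aad = canonical_context(ctx or {})
        return hmac.new(mac_key, key_id.encode() + nonce + ct + aad, hashlib.sha256).digest()

    def encrypt(self, key_id, plaintext, encryption_context=None):
        enc_key, mac_key = self._subkeys(key_id)
        nonce = os.urandom(self.NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        tag = self._tag(mac_key, key_id, nonce, ct, encryption_context)
        kid = key_id.encode()
        # Blob layout: key id length, key id, nonce, tag, ciphertext. No context.
        return bytes([len(kid)]) + kid + nonce + tag + ct

    def decrypt(self, ciphertext_blob, encryption_context=None):
        n = ciphertext_blob[0]
        key_id = ciphertext_blob[1:1 + n].decode()
        rest = ciphertext_blob[1 + n:]
        nonce = rest[:self.NONCE_LEN]
        tag = rest[self.NONCE_LEN:self.NONCE_LEN + self.TAG_LEN]
        ct = rest[self.NONCE_LEN + self.TAG_LEN:]
        if key_id not in self._keys:
            raise InvalidCiphertextException("unknown key")
        enc_key, mac_key = self._subkeys(key_id)
        expected = self._tag(mac_key, key_id, nonce, ct, encryption_context)
        # Constant-time compare; a wrong context, a tampered ciphertext or a
        # tampered nonce all produce the same generic failure, as KMS does.
        if not hmac.compare_digest(expected, tag):
            raise InvalidCiphertextException("ciphertext or encryption context failed verification")
        return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

    def re_encrypt(self, ciphertext_blob, source_encryption_context,
                   destination_key_id, destination_encryption_context=None):
        # Source context must verify; destination context is bound to the new blob.
        plaintext = self.decrypt(ciphertext_blob, source_encryption_context)
        return self.encrypt(destination_key_id, plaintext, destination_encryption_context)


def _fails(call):
    """True if the call raises the verification error, False if it succeeds."""
    try:
        call()
    except InvalidCiphertextException:
        return True
    return False


def verify_context_binding():
    """Exercise the cases a practitioner should check; every value should be True."""
    kms = ToyKms()
    kms.create_key("key-a")
    kms.create_key("key-b")
    ctx = {"purpose": "db-backup", "tenant": "acme"}  # constructed sample context
    secret = b"backup data key"
    blob = kms.encrypt("key-a", secret, ctx)

    results = {}
    results["same_context"] = kms.decrypt(blob, ctx) == secret
    results["reordered_context"] = kms.decrypt(blob, {"tenant": "acme", "purpose": "db-backup"}) == secret
    results["wrong_value"] = _fails(lambda: kms.decrypt(blob, {"purpose": "db-backup", "tenant": "evil"}))
    results["missing_context"] = _fails(lambda: kms.decrypt(blob, {}))
    results["extra_pair"] = _fails(lambda: kms.decrypt(blob, dict(ctx, owner="bob")))
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one ciphertext bit
    results["tampered_ciphertext"] = _fails(lambda: kms.decrypt(tampered, ctx))
    new_ctx = dict(ctx, rotated="2019")
    moved = kms.re_encrypt(blob, ctx, "key-b", new_ctx)
    results["reencrypt_new_context"] = kms.decrypt(moved, new_ctx) == secret
    results["reencrypt_old_context_rejected"] = _fails(lambda: kms.decrypt(moved, ctx))
    return results


if __name__ == "__main__":
    for name, ok in verify_context_binding().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

Against the real service the same three calls are boto3's kms.encrypt, kms.decrypt and kms.re_encrypt with the EncryptionContext, SourceEncryptionContext and DestinationEncryptionContext parameters, and the failure surfaces as the client's InvalidCiphertextException; the test cases above are the ones worth running against a real key in a development account before relying on the context for integrity.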

To learn more about using encryption context to protect the integrity of encrypted data, see the AWS Security Blog How to Protect the Integrity of Your Encrypted Data by Using AWS Key Management Service and EncryptionContext.

