AWS Key Management Service (AWS KMS)
AWS KMS manages the keys that protect data in other AWS services, and the same keys and operations can be used from your own applications.
See the AWS Key Management Service Developer Guide for general guidance on using AWS KMS.
API Access
The IKMSClient interface and its implementation TKMSClient provide access to all AWS KMS operations.
The following example encrypts a string and then decrypts the ciphertext back to plaintext:
program EncryptIt;
{$APPTYPE CONSOLE}
uses
  AWS.KMS,
  System.Classes,
  System.SysUtils;
var
  KMS: IKMSClient;
  EncryptRequest: IKMSEncryptRequest;
  EncryptResponse: IKMSEncryptResponse;
  DecryptRequest: IKMSDecryptRequest;
  DecryptResponse: IKMSDecryptResponse;
  DecryptedText: TStringStream;
begin
  KMS := TKMSClient.Create;
  try
    // Encrypt some text under the KMS key the alias points to. The caller needs
    // kms:Encrypt on that key, and Encrypt accepts at most 4 KB of plaintext.
    EncryptRequest := TKMSEncryptRequest.Create('alias/MyApp', 'My secret...');
    EncryptResponse := KMS.Encrypt(EncryptRequest);
    // Decrypt the ciphertext. No key id is passed: the ciphertext blob records
    // which symmetric KMS key produced it; the caller needs kms:Decrypt on that key.
    DecryptRequest := TKMSDecryptRequest.Create(EncryptResponse.CiphertextBlob);
    DecryptResponse := KMS.Decrypt(DecryptRequest);
    DecryptedText := TStringStream.Create;
    try
      DecryptedText.CopyFrom(DecryptResponse.Plaintext);
      Writeln(Format('Decrypted: "%s"', [DecryptedText.DataString]));
    finally
      DecryptedText.Free;
    end;
  except
    // Access denied, a disabled or pending-deletion key, and malformed
    // ciphertext all surface here as EKMSException.
    on E: EKMSException do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.
Keys can be created with CreateKey and given friendly names with CreateAlias. Encrypt is meant for small secrets such as the one above (at most 4 KB of plaintext per call); larger data is encrypted locally under a data key obtained from GenerateDataKey, as described under Cryptographic Operations.
Key Management Features
AWS KMS provides the following key management operations:
- Keys can be managed with ListKeys, DescribeKey, CreateKey, UpdateKeyDescription, ScheduleKeyDeletion, and CancelKeyDeletion. Deletion is deliberately slow: ScheduleKeyDeletion only starts a waiting period (7 to 30 days, 30 by default) during which the key cannot be used and CancelKeyDeletion can still recover it; once the period ends, the key material is destroyed and any ciphertext encrypted under that key is unrecoverable.
- Keys can be disabled and re-enabled with DisableKey and EnableKey. Disabling is reversible and blocks all cryptographic use of the key, which makes it the safer first step before scheduling deletion.
- ListResourceTags, TagResource, and UntagResource tag KMS keys for identification, automation, and cost tracking. Tags can also be used as conditions in key policies and IAM policies to control access to keys (attribute-based access control).
- ListAliases, CreateAlias, UpdateAlias, and DeleteAlias create and manage friendly names for KMS keys. Aliases can also be used to control access to the associated keys, through the kms:RequestAlias and kms:ResourceAliases condition keys. Because a ciphertext records the key that produced it, UpdateAlias can repoint an alias at a new key without breaking decryption of data encrypted under the old one, as long as callers keep access to that key.
- Automatic rotation of key material can be disabled/enabled with DisableKeyRotation and EnableKeyRotation. Automatic rotation applies to symmetric encryption keys whose material KMS generated; asymmetric keys, HMAC keys, keys with imported key material, and keys in custom key stores are not rotated automatically. Rotation keeps earlier key material, so existing ciphertext stays decryptable.
Cryptographic Operations
AWS KMS provides a simple interface to cryptographic functionality:
- Encrypt, Decrypt, and ReEncrypt data. ReEncrypt moves a ciphertext from one KMS key to another inside KMS, so the caller never sees the plaintext.
- Sign and Verify digital signatures with asymmetric KMS keys.
- GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyWithoutPlaintext, and GenerateDataKeyPairWithoutPlaintext generate symmetric data keys and asymmetric data key pairs for use outside KMS (envelope encryption). The key is returned both in plaintext and encrypted under the KMS key: the plaintext copy is used locally and then discarded, and the encrypted copy is stored with the data and later unwrapped with Decrypt. The WithoutPlaintext variants return only the encrypted copy, for components that store data but never need to read it.
- GenerateMac and VerifyMac generate and verify hash-based message authentication codes (HMAC) under a KMS HMAC key.
- GenerateRandom returns cryptographically secure random bytes (up to 1024 per call).
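The envelope-encryption flow from the data-key bullet above, using GenerateRandom for the nonce, as an added example that is not part of the library's documentation or code. The request and response class names TKMSGenerateDataKeyRequest, IKMSGenerateDataKeyResponse and TKMSGenerateRandomRequest are assumptions inferred from the naming pattern on this page (TKMSEncryptRequest, IKMSEncryptResponse); binary fields are assumed to be streams, as the page's use of CopyFrom on Plaintext suggests; Crypto.AesGcm with AesGcmEncrypt/AesGcmDecrypt is a hypothetical placeholder for whatever AES-GCM library you use, since the Delphi RTL has none; the alias 'alias/MyApp' is taken from the page's example.

```pascal
program EnvelopeEncrypt;
{$APPTYPE CONSOLE}
uses
  AWS.KMS,
  Crypto.AesGcm,   // ASSUMPTION: placeholder for your AES-GCM library, not part of AWS.KMS
  System.Classes,
  System.SysUtils;

type
  // Everything stored beside the data. None of it is secret on its own:
  // the wrapped key can only be unwrapped by callers that KMS authorizes.
  TEnvelope = record
    WrappedKey: TBytes;  // GenerateDataKey's CiphertextBlob
    Nonce: TBytes;       // 12-byte GCM nonce, fresh for every Seal
    Ciphertext: TBytes;  // AES-256-GCM output, including the 16-byte tag
  end;

function StreamToBytes(Source: TStream): TBytes;
begin
  Source.Position := 0;
  SetLength(Result, Source.Size);
  if Length(Result) > 0 then
    Source.ReadBuffer(Result[0], Length(Result));
end;

// Overwrite key material before releasing it; a plain SetLength would
// leave the key bytes behind in freed memory.
procedure Wipe(var Key: TBytes);
begin
  if Length(Key) > 0 then
    FillChar(Key[0], Length(Key), 0);
  SetLength(Key, 0);
end;

function Seal(const KMS: IKMSClient; const KeyId: string;
  const Plaintext: TBytes): TEnvelope;
var
  DataKey: IKMSGenerateDataKeyResponse;  // ASSUMPTION: named like IKMSEncryptResponse
  PlainKey: TBytes;
begin
  // One call returns the data key twice: in plaintext (for local use) and
  // encrypted under the KMS key (for storage). The data itself never goes
  // to KMS, so Encrypt's 4 KB limit does not apply.
  // ASSUMPTION: the constructor takes (KeyId, KeySpec) like the service API.
  DataKey := KMS.GenerateDataKey(TKMSGenerateDataKeyRequest.Create(KeyId, 'AES_256'));
  Result.WrappedKey := StreamToBytes(DataKey.CiphertextBlob);
  PlainKey := StreamToBytes(DataKey.Plaintext);
  try
    // Nonce from KMS's HSM-backed RNG. ASSUMPTION: the request constructor
    // takes NumberOfBytes and the response exposes Plaintext.
    Result.Nonce := StreamToBytes(
      KMS.GenerateRandom(TKMSGenerateRandomRequest.Create(12)).Plaintext);
    // Hypothetical library call: AES-256-GCM, returns ciphertext || tag.
    Result.Ciphertext := AesGcmEncrypt(PlainKey, Result.Nonce, Plaintext);
  finally
    Wipe(PlainKey);  // the plaintext key lives only for the duration of this call
  end;
end;

function Open(const KMS: IKMSClient; const Env: TEnvelope): TBytes;
var
  Wrapped: TBytesStream;
  PlainKey: TBytes;
begin
  // Decrypt unwraps the data key; KMS enforces the key policy and IAM here.
  // No KeyId is needed because the blob identifies the KMS key that wrapped it.
  // ASSUMPTION: TKMSDecryptRequest takes the blob as a stream and does not
  // take ownership of it.
  Wrapped := TBytesStream.Create(Env.WrappedKey);
  try
    PlainKey := StreamToBytes(KMS.Decrypt(TKMSDecryptRequest.Create(Wrapped)).Plaintext);
  finally
    Wrapped.Free;
  end;
  try
    // GCM checks the tag before releasing any plaintext; the hypothetical
    // AesGcmDecrypt is assumed to raise on a tag mismatch.
    Result := AesGcmDecrypt(PlainKey, Env.Nonce, Env.Ciphertext);
  finally
    Wipe(PlainKey);
  end;
end;

var
  KMS: IKMSClient;
  Env: TEnvelope;
begin
  KMS := TKMSClient.Create;
  try
    Env := Seal(KMS, 'alias/MyApp', TEncoding.UTF8.GetBytes('Any amount of data...'));
    // Persist Env.WrappedKey, Env.Nonce and Env.Ciphertext together with the data.
    Writeln(TEncoding.UTF8.GetString(Open(KMS, Env)));
  except
    on E: EKMSException do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.
```

The split of permissions is the point of the pattern: a component that only writes needs kms:GenerateDataKey (or kms:GenerateDataKeyWithoutPlaintext, in which case it never sees a plaintext key at all), while readers need only kms:Decrypt on the same KMS key, and neither side ever sends the bulk data to KMS.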
Advanced Features of AWS KMS
- Multi-region keys are a set of related KMS keys in different AWS regions that share the same key ID and key material, so ciphertext produced in one region can be decrypted in another without cross-region calls.
- Cryptographic material can be imported into KMS keys and managed with GetParametersForImport, ImportKeyMaterial, and DeleteImportedKeyMaterial. Deleting the imported material, or letting it expire, makes ciphertext under that key undecryptable until the same material is imported again.
- KMS keys can be created in custom key stores backed by AWS CloudHSM clusters that you control.