0

我想使用 AWS KMS 生成纯文本的 HMAC-SHA256 值。

这可以做到这一点并且无需旋转吗?因为,我只想使用一个键来散列所有纯文本。我对 AWS KMS 了解不多,如果可能的话,您能否分享一些关于使用 KMS 生成 HMAC 的资源。

4

1 回答 1

0

ASP.NET MVC 1 中的 AWS KMS 加密和解密
纯密钥:借助它,您可以加密数据并删除它(密钥)(无需保存在任何地方)。

2.encrypted data key :- you need to save this key to decrypt the data( to decrypt the data first you got plain key from aws using encrypted data key) and with the help of plain key you decrypt the data.

Note you need aws kms credentials like :-
a)serviceEndPoint b)awsKeyForKMS c)kmsConfig

Name space need to add from nuget package

using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model; 

**1) Encryption :-**
AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
            kmsConfig.UseHttp = true;
            kmsConfig.ServiceURL = serviceEndPoint;           
                //create client, specify Region end point or kms config
                AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
                GenerateDataKeyRequest dataKeyReq = new GenerateDataKeyRequest();
                dataKeyReq.KeyId = keyARNForKMS;
                dataKeyReq.KeySpec = DataKeySpec.AES_256;//The length of the data encryption key. AES_256 to generate a 256-bit symmetric key.
                GenerateDataKeyResponse dataKeyResponse = kmsClient.GenerateDataKey(dataKeyReq);
                //read encrypted data key from memory
                MemoryStream streamCipherText = dataKeyResponse.CiphertextBlob;
               // need to save this key with encrypted data because with the help of it 
               // you can decrypt(you got plaindatakey) the data
                encryptedDataKey = Convert.ToBase64String(streamCipherText.ToArray());

                //read plain data key from memory
                MemoryStream streamPlainText = dataKeyResponse.Plaintext;
              // use this key to encrypt your data and than forgot this key
                plainDataKey = Convert.ToBase64String(streamPlainText.ToArray());    
               //your encryption logic
                Encryption encrypt = new Encryption();
                encrypt.EncryptTextForKms(PlainKey, "data to be encrypted")

**2.Decryption Data:-**

AmazonKeyManagementServiceConfig kmsConfig = new AmazonKeyManagementServiceConfig();
            kmsConfig.UseHttp = true;
            kmsConfig.ServiceURL = serviceEndPoint;
                //create client, specify Region end point or kms config
                AmazonKeyManagementServiceClient kmsClient = new AmazonKeyManagementServiceClient(awsKeyForKMS, awsSecretKeyForKMS, kmsConfig);
                DecryptRequest decryptRequest = new DecryptRequest();
// use hare above created encrypteddatakey to get plaindatakey
                MemoryStream streamEncryptedDataKey = new MemoryStream(Convert.FromBase64String(encryptedDataKey));//convert to stream object
                decryptRequest.CiphertextBlob = streamEncryptedDataKey;
                DecryptResponse decryptResp = kmsClient.Decrypt(decryptRequest);
                plainDataKey = Convert.ToBase64String(decryptResp.Plaintext.ToArray());
// your decryption logic
             DecryptTexts("encrypted data", PlainKey)
于 2021-03-26T19:13:42.743 回答