08. AWS KMS Multi Region Keys 🔐 🌥 🎌

While I worked at AWS during the publishing of this post / video, the views expressed here are my own and may not reflect those of my employer. Only publicly available material is used to put together the content of this article and video. The website and the Youtube videos are NOT monetized.

You can scroll straight down to the YouTube video; the commands used in the video are also provided at the end of this article.

I talked briefly about KMS and KMS envelope encryption in the previous blog. So if you are new to KMS please do check that blog and the demo video out.

In June 2021, AWS released one of the most awaited features for AWS KMS: multi-Region keys. Essentially, you can take data encrypted in one region and decrypt it in another region without ever calling the original region's KMS endpoint. The primary key and its replicas share the same key ID (it starts with "mrk-") and the same key material, which is why a ciphertext produced under any one of them decrypts under any other.

Previously, if you had a requirement to keep your DR (Disaster Recovery) environment in another region, as most organizations do, these were your options for KMS-encrypted data:

Option - 1

  1. Decrypt it in the source region
  2. Reencrypt with the destination region key
  3. Copy data to destination region.


Option - 2

  1. Copy the encrypted data to the destination region.
  2. Decrypt it from the destination region by calling the source region's KMS endpoint (the key only exists there).
  3. Re-encrypt it with the destination region's key.

Both options are cumbersome, and option 2 is not really a true DR setup either, since you are still dependent on the source region for every decrypt operation: if that region is down, so is your ability to read the copied data.

With AWS KMS multi-Region keys this entire process is super easy:

  1. Create a multi-Region (primary) key in the source region.
  2. Replicate it into the destination region (replication is requested from the primary's region; the replica shares the primary's key ID and key material).
  3. Copy the encrypted data from the source region to the destination.
  4. Decrypt using the replica key, entirely from within the destination region.
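The four steps above as one runnable script, with the checks I would want before trusting it as a DR path (that the key really is a multi-Region key, that the replica is Enabled before the first use, and that the decrypt was served by the replica rather than the primary). This is an added example, not code from the original post: it assumes AWS CLI v2 with a profile allowed to call kms:CreateKey, kms:ReplicateKey, kms:DescribeKey, kms:Encrypt and kms:Decrypt; the region names, descriptions and file names are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): multi-Region key setup and a
# cross-region decrypt with the AWS CLI v2, plus offline-testable helpers.
# Assumptions: AWS CLI v2 configured; regions/file names are example choices.
set -eu

PRIMARY_REGION="${PRIMARY_REGION:-ap-south-1}"      # Mumbai (primary key)
REPLICA_REGION="${REPLICA_REGION:-ap-southeast-1}"  # Singapore (replica / DR)

# KMS key ARN layout: arn:aws:kms:REGION:ACCOUNT:key/KEY_ID
arn_region() { printf '%s\n' "$1" | cut -d: -f4; }
arn_key_id() { printf '%s\n' "${1##*/}"; }

# Multi-Region key IDs carry the "mrk-" prefix and are identical on the primary
# and every replica; that shared ID is what lets a ciphertext made in one region
# be decrypted in another without passing --key-id.
is_mrk_key_id() {
  case "$1" in
    mrk-*) return 0 ;;
    *) return 1 ;;
  esac
}

# The CLI returns CiphertextBlob/Plaintext base64-encoded. "base64 -d" works on
# GNU coreutils, Git Bash and macOS; the GNU-only "-i" (ignore non-alphabet
# bytes such as CRLF) is deliberately not used so this stays portable.
b64_decode_to_file() { printf '%s' "$1" | base64 -d > "$2"; }

create_primary_key() {
  aws kms create-key --multi-region --description "MRK demo primary" \
    --region "$PRIMARY_REGION" --query KeyMetadata.Arn --output text
}

# replicate-key is called in the primary key's region, naming the target region.
create_replica_key() {  # $1 = primary key ARN
  aws kms replicate-key --key-id "$1" --replica-region "$REPLICA_REGION" \
    --region "$PRIMARY_REGION" --query ReplicaKeyMetadata.Arn --output text
}

# A fresh replica sits in the "Creating" state for a few seconds; using it
# before it is "Enabled" fails, so poll before the first decrypt.
wait_until_enabled() {  # $1 = key ARN, $2 = region
  state=""
  until [ "$state" = "Enabled" ]; do
    sleep 2
    state=$(aws kms describe-key --key-id "$1" --region "$2" \
      --query KeyMetadata.KeyState --output text)
  done
}

encrypt_file() {  # $1 = key ARN, $2 = plaintext path, $3 = ciphertext path
  blob=$(aws kms encrypt --key-id "$1" --plaintext "fileb://$2" \
    --region "$PRIMARY_REGION" --query CiphertextBlob --output text)
  b64_decode_to_file "$blob" "$3"
}

# Decrypt with no --key-id: KMS reads the key ID from the ciphertext metadata
# and resolves it to the key present in the region being called. Prints the ARN
# of the key that actually did the decrypt (the "KeyId" field of the response).
decrypt_file() {  # $1 = ciphertext path, $2 = region, $3 = plaintext path
  out=$(aws kms decrypt --ciphertext-blob "fileb://$1" --region "$2" \
    --query '[KeyId,Plaintext]' --output text)
  set -- "$3" $out            # $1 = out path, $2 = key ARN, $3 = base64 plaintext
  b64_decode_to_file "$3" "$1"
  printf '%s\n' "$2"
}

run_demo() {
  primary_arn=$(create_primary_key)
  is_mrk_key_id "$(arn_key_id "$primary_arn")" || { echo "not a multi-Region key"; exit 1; }
  replica_arn=$(create_replica_key "$primary_arn")
  wait_until_enabled "$replica_arn" "$REPLICA_REGION"

  echo "Hello from Mumbai, India" > secret_message.txt
  encrypt_file "$primary_arn" secret_message.txt secret_message.enc

  # DR check: the decrypting key must live in the replica region, i.e. the
  # source region was never involved in reading the data back.
  used=$(decrypt_file secret_message.enc "$REPLICA_REGION" recovered.txt)
  [ "$(arn_region "$used")" = "$REPLICA_REGION" ] || { echo "decrypted with $used, not the replica"; exit 1; }
  if cmp -s secret_message.txt recovered.txt; then
    echo "cross-region decrypt OK, served by $used"
  else
    echo "plaintext mismatch"; exit 1
  fi
}

# Nothing above touches AWS until you opt in, so the helpers can be sourced
# and exercised offline. Run with: RUN_KMS_DEMO=1 ./mrk_demo.sh
if [ "${RUN_KMS_DEMO:-0}" = "1" ]; then run_demo; fi
```

Cleanup is the one place the order matters: a multi-Region primary cannot be scheduled for deletion while it still has replicas, so run `aws kms schedule-key-deletion` on the replica in the replica region first, then on the primary.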

In the YouTube video below I explain this, and we also walk through a detailed demo of multi-Region keys.

The commands/instructions used in the demo are provided below as well.

DEMO | AWS KMS | Multi-Region Keys

Please watch in full screen or on youtube directly

Linux / Mac / Windows (run with git bash) -

# create our file
echo "Hello from Mumbai, India" > secret_message.txt

# encrypt using the ap-south-1 (Mumbai) endpoint - just to check that the key is set up correctly
aws kms encrypt --plaintext fileb://secret_message.txt --key-id <put-your-multi-region-key-id-here> --region ap-south-1

# encrypt again, but this time write the raw ciphertext into a file
# (the CLI returns CiphertextBlob base64-encoded; on macOS use base64 -d instead of -di, since "-i" means "input file" there)
aws kms encrypt --plaintext fileb://secret_message.txt --key-id <put-your-multi-region-key-id-here> --region ap-south-1 --query CiphertextBlob --output text | base64 -di > secret_message.enc

# Validate
# you must have created the replica key in the destination region before running the following command
# I am using the Singapore region, viz. ap-southeast-1 (ap-south-1 is Mumbai, the source region)
# no --key-id is needed: the ciphertext carries the multi-Region key ID, which the replica shares with the primary
aws kms decrypt --ciphertext-blob fileb://secret_message.enc --region ap-southeast-1

# Validate - decrypt again and decode the base64 Plaintext
# on macOS use base64 -d instead of base64 -di (GNU base64 on Linux and Git Bash accepts -di; -i ignores non-alphabet bytes such as Windows line endings)
aws kms decrypt --ciphertext-blob fileb://secret_message.enc --query Plaintext --output text --region ap-southeast-1 | base64 -di

You can read more about multi-Region keys in the AWS KMS documentation.

Thank you for reading through, Please share if it’s useful to someone.
