Moving KMS encrypted resources between regions

  1. Create a snapshot of the resources
  2. While move it between region define new region KMS key

Types of CMK

  1. Symmetric (AES-256): Use single key for encryption and decryption
  2. Asymmetric (RSA): Use key pairs, public key and private key. Public key for encryption and private key for decryption operation. Encryption is being happened from outside of the AWS.

Envelope Encryption

Envelope Encryption Local Encryption Usage

In local environment, when a data is encrypted using a key, the data is protected. But we also need to encrypt the encryption key. We can encrypt the encryption key using another master key, called Master Key or CMK (Customer Master Key). This CMK is stored in the KMS and never leave the KMS. To use this CMK we must call the KMS api.

To encrypt the local data,

To decrypt local data