

Paul Pieralde pmp

pmp /
Last active Aug 4, 2017

Keybase proof

I hereby claim:

  • I am pmp on github.
  • I am pmp ( on keybase.
  • I have a public key ASATjLLRyqehUkK0Ka50O0i3TvqUztMWFAHhmKvZVm35XQo

To claim this, I am signing this object:

pmp /
Last active Aug 31, 2020
Envelope Encryption using AWS KMS, Python Boto, and PyCrypto.

If you use Amazon AWS for nearly anything, then you are probably familiar with KMS, the Amazon Key Management Service.

KMS is a service which allows API-level access to cryptographic primitives without the expense and complexity of a full-fledged HSM or CloudHSM implementation. There are trade-offs in that the key material does reside on servers rather than tamper-proof devices, but these risks should be acceptable to a wide range of customers based on the care Amazon has put into the product. You should perform your own diligence on whether KMS is appropriate for your environment. If the security profile is not adequate, you should consider a stronger product such as CloudHSM or managing your own HSM solutions.

The goal here is to provide some introductory code showing how to envelope-encrypt a message using the AWS KMS API.

KMS allows you to encrypt messages of up to 4 KB in size directly using the encrypt()/decrypt() API. To exceed these limitations, you must use a technique called "envelope encryptio
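The envelope pattern the gist is building toward, shown here as an added example written for this page (it is not code from the gist, which uses Python Boto and PyCrypto): GenerateDataKey returns a fresh data key both in plaintext and wrapped under the KMS master key; the message, of any size, is encrypted locally with the plaintext key, which is then discarded, and only the wrapped key is persisted next to the ciphertext. To decrypt, the wrapped key goes back to KMS (the only remote call) and the payload is decrypted locally. So that it runs offline, FakeKMS is an assumed local stand-in that imitates the three KMS calls involved (Encrypt with its 4096-byte plaintext limit, Decrypt, GenerateDataKey) using AES-256-GCM; the 32-byte key length and the nonce-prefixed ciphertext layout are also assumptions of this example, and against real KMS those three methods would be SDK calls against a CMK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// kmsDirectLimit is the 4 KB ceiling the gist describes for kms.Encrypt/Decrypt.
const kmsDirectLimit = 4096

// newAEAD builds AES-256-GCM from a 32-byte key (assumption: 256-bit data keys).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and returns nonce || ciphertext || tag.
func seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the GCM tag does not verify (any tampering).
func open(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// FakeKMS is an assumed local stand-in for the KMS API so the example runs offline.
// The master key never leaves the struct, just as a CMK never leaves KMS.
type FakeKMS struct{ master cipher.AEAD }

func NewFakeKMS() (*FakeKMS, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &FakeKMS{master: aead}, nil
}

// Encrypt models kms.Encrypt, including its 4 KB plaintext limit.
func (k *FakeKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > kmsDirectLimit {
		return nil, fmt.Errorf("plaintext is %d bytes; Encrypt accepts at most %d", len(plaintext), kmsDirectLimit)
	}
	return seal(k.master, plaintext)
}

// Decrypt models kms.Decrypt.
func (k *FakeKMS) Decrypt(ciphertext []byte) ([]byte, error) {
	return open(k.master, ciphertext)
}

// GenerateDataKey models kms.GenerateDataKey: a fresh data key is returned both in
// plaintext (use it now, then discard it) and wrapped under the master key (store it).
func (k *FakeKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	if wrapped, err = k.Encrypt(plain); err != nil {
		return nil, nil, err
	}
	return plain, wrapped, nil
}

// Envelope is the unit you persist: the wrapped data key plus the payload ciphertext.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

// EnvelopeEncrypt encrypts a message of any size locally under a one-time data key
// and keeps only the KMS-wrapped copy of that key alongside the ciphertext.
func EnvelopeEncrypt(k *FakeKMS, message []byte) (*Envelope, error) {
	plainKey, wrappedKey, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(plainKey) // plaintext key lives only for this call
	aead, err := newAEAD(plainKey)
	if err != nil {
		return nil, err
	}
	ct, err := seal(aead, message)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrappedKey, Ciphertext: ct}, nil
}

// EnvelopeDecrypt asks KMS to unwrap the data key (the only remote call), then
// decrypts the payload locally; a modified ciphertext fails tag verification.
func EnvelopeDecrypt(k *FakeKMS, env *Envelope) ([]byte, error) {
	plainKey, err := k.Decrypt(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	defer zero(plainKey)
	aead, err := newAEAD(plainKey)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext)
}

// zero overwrites key material once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

The shape to notice is that the master key is never touched by the caller and the per-message data key is used once and zeroed; a stored Envelope contains nothing decryptable without access to the KMS master key, and a 10,000-byte message that FakeKMS.Encrypt refuses round-trips through EnvelopeEncrypt/EnvelopeDecrypt unchanged.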
