How to use AWS KMS for encryption/decryption of data

Reading Time: 3 minutes

Hello Readers! In this blog we are going to see how we can use AWS KMS for encryption/decryption of data. Before this we will see what AWS KMS service is and why to use this service. So, AWS KMS key is a fully managed service provided by AWS used for encrypting and decrypting any file or data.  What we do is we send our data to KMS and KMS is going to encrypt the data with your own managed keys or amazon managed keys. And It converts it to encrypted text and gives it back to you. 

Here in this blog I will show you how you can do this easily by using AWS CLI. For this we have to first create our own KMS key. Use the following command to create:

$ aws kms create-key
create key

It will create a key for you and attach default policies to the key. And I have set this keyID in a variable.

Set your alias for the key:
$ aws kms create-alias –alias-name “alias/my-kms” –target-key-id “a80eda85-d3f9-48e9-99aa-a9c88067c9b6”

We can find our key in AWS Console:

Encryption of Data using AWS KMS:

Here is my simple text.txt file which I want to use for encryption and decryption.


Use the following command for encrypting your file:

$ aws kms encrypt --key-id "alias/my-kms" --plaintext fileb://text.txt --output text --query CiphertextBlob | base64 --decode > encrypted_test_file
encrypt data

It created a file named encrypted_test_file and saved encrypted data to that file.

So, my file is successfully encrypted and secure now.

Decryption of Data using AWS KMS:

Use the following command for decrypting your encrypted file:

 $  aws kms decrypt --ciphertext-blob fileb://encrypted_test_file --output text --query Plaintext | base64 --decode > decrypted_test_file.txt
decrypt data

Now your original file is back with human readable format. It had created a new file with a decrypted_test_file.txt name. Inside this you will find your original content as you can see above.

For your satisfaction you can compare your original file and decrypted file. Is it the same or not? 

Use this command for comparing:

$ diff decrypted_test_file.txt text.txt 

I found the same!!!

Deleting AWS KMS Key:

Use the following command for deleting AWS KMS key using aws cli:

$ aws kms schedule-key-deletion --key-id "a80eda85-d3f9-48e9-99aa-a9c88067c9b6"
delete AWS KMS

You can view this in console also:

delete AWS KMS

So, this was all about encryption and decryption using AWS KMS.


Thank you for sticking to the end. In this blog we came to know all about AWS KMS service. We have seen how easily we can use AWS KMS for encryption/decryption of data. If you like this blog, please do show your appreciation by giving thumbs ups and share this blog and give me suggestions on how I can improve my future posts to suit your needs.


Written by 

Naincy Kumari is a DevOps Consultant at Knoldus Inc. She is always ready to learn new technologies and tools. She loves painting and dancing.