Server-side encryption with KMS managed keys (SSE-KMS)

  • Encryption:

    1. The client selects the object(s) to upload to S3 and, as part of that request, specifies SSE-KMS as the encryption mechanism together with the customer master key (CMK) to use.
    2. S3 responds by requesting data keys from KMS so that it can encrypt the data submitted by the client.
    3. Using the CMK selected in step 1, the Key Management Service (KMS) generates two data keys: a plaintext data key and an encrypted version of that same data key.
    4. KMS sends both of these keys back to S3 so that S3 can perform the encryption.
    5. S3 encrypts the object data with the plaintext version of the data key and stores the resulting encrypted object alongside the encrypted version of the data key it received from KMS. The plaintext data key is then deleted from memory.
  • Decryption:

    1. A user requests access to the encrypted object on S3 via a client.
    2. S3 is aware that the object is encrypted and has the encrypted data key that is associated with the object. S3 sends this encrypted data key back to KMS.
    3. On receipt of this encrypted data key, KMS uses the original CMK to decrypt the data key, thus generating a plaintext version of the data key.
    4. The plaintext data key is then returned to S3.
    5. Using the plaintext data key, the encrypted object data can then be decrypted, returning a plaintext version of the object data. The plaintext data key is then once more removed from memory by S3.
    6. Finally, the plaintext object can then be sent back to the client who requested the object.

As with SSE-S3, this process is transparent to the end client, but again, the client can only access the object if the required permissions are in place.
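The two flows above as a runnable walk-through, added here as an example that is not from the book or from AWS: a simulated KMS holding the CMK (FakeKMS), an S3-side put_object/get_object pair, and a stdlib-only encrypt-then-MAC (HMAC-SHA256 in counter mode plus an HMAC tag) that stands in for the real service's cipher so nothing beyond the standard library is needed. All class and function names, and the sample object, are constructed for this illustration.

```python
import hashlib
import hmac
import os

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher's keystream."""
    ks = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under subkeys derived from key; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def open_(key: bytes, blob: bytes) -> bytes:
    """Reverse of seal; a wrong key or a tampered blob fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class FakeKMS:
    """Stand-in for AWS KMS (constructed): the CMK is created here and never leaves this object."""
    def __init__(self) -> None:
        self._cmk = os.urandom(32)

    def generate_data_key(self) -> tuple[bytes, bytes]:
        plain = os.urandom(32)  # encryption step 3: plaintext data key ...
        return plain, seal(self._cmk, plain)  # ... and the same key encrypted under the CMK

    def decrypt(self, encrypted_key: bytes) -> bytes:
        return open_(self._cmk, encrypted_key)  # decryption step 3: unwrap with the original CMK

def put_object(kms: FakeKMS, data: bytes) -> dict:
    """Encryption steps 2 to 5 on the S3 side: only ciphertext and the encrypted key are kept."""
    plain_key, encrypted_key = kms.generate_data_key()
    stored = {"ciphertext": seal(plain_key, data), "encrypted_data_key": encrypted_key}
    del plain_key  # step 5: the plaintext data key is dropped once the object is encrypted
    return stored

def get_object(kms: FakeKMS, stored: dict) -> bytes:
    """Decryption steps 2 to 5: S3 hands KMS only the encrypted key, then decrypts locally."""
    plain_key = kms.decrypt(stored["encrypted_data_key"])
    return open_(plain_key, stored["ciphertext"])  # plain_key is discarded here, as in step 5
```

Note that the object bytes never reach FakeKMS and the CMK never reaches put_object/get_object, which is the separation the two flows rely on; a different CMK or a modified ciphertext makes get_object raise.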
