aws/aws-encryption-sdk-python


The AWS Encryption SDK for Python provides a fully compliant, native Python implementation of the AWS Encryption SDK.

The latest full documentation can be found at Read the Docs.

Find us on GitHub.

Security issue notifications

See Support Policy for details on the current support status of all major versions of this library.

Getting Started

Required Prerequisites

  • Python 3.8+
  • cryptography >= 3.4.6
  • boto3 >= 1.10.0
  • attrs

Recommended Prerequisites

  • aws-cryptographic-material-providers: == 1.11.0
    • Requires Python 3.11+.

Installation

Note

If you have not already installed cryptography, you might need to install additional prerequisites as detailed in the cryptography installation guide for your operating system.

$ pip install "aws-encryption-sdk[MPL]"

The [MPL] suffix also installs the AWS Cryptographic Material Providers Library (MPL). This is a library that contains constructs for encrypting and decrypting your data. We highly recommend installing the MPL. However, if you do not wish to install the MPL, omit the [MPL] suffix.

Concepts

There are three main concepts that you need to understand to use this library:

Data Keys

Data keys are the encryption keys that are used to encrypt your data. If your algorithm suite uses a key derivation function, the data key is used to generate the key that directly encrypts the data.

Keyrings

Keyrings are resources that generate, encrypt, and decrypt data keys. You specify a keyring when encrypting and the same or a different keyring when decrypting.

Note: You must also install the AWS Cryptographic Material Providers Library (MPL) to create and use keyrings.

For more information, see the AWS Documentation for Keyrings.

Cryptographic Materials Managers

Cryptographic materials managers (CMMs) are resources that collect cryptographic materials and prepare them for use by the Encryption SDK core logic.

An example of a CMM is the default CMM, which is automatically generated anywhere a caller provides a keyring.

Note: You must also install the AWS Cryptographic Material Providers Library (MPL) to create and use CMMs that use keyrings. CMMs that use master key providers have been marked as legacy since v4 of this library.

Legacy Concepts

This section describes legacy concepts introduced in earlier versions of this library. These components have been superseded by new components in the AWS Cryptographic Material Providers Library (MPL). Please avoid using these components, and instead use components in the MPL.

Master Key Providers

Master key providers are resources that provide master keys.

To encrypt data in this client, a MasterKeyProvider object must contain at least one MasterKey object.

MasterKeyProvider objects can also contain other MasterKeyProvider objects.

NOTE: Master key providers are legacy components and have been superseded by keyrings provided by the AWS Cryptographic Material Providers Library (MPL). Please install this library and migrate master key providers to keyring interfaces.

Master Keys

Master keys generate, encrypt, and decrypt data keys. An example of a master key is an AWS KMS key.

NOTE: Master keys are legacy constructs and have been superseded by keyrings provided by the AWS Cryptographic Material Providers Library (MPL). Please install this library and migrate master keys and master key providers to keyring interfaces.

Usage

EncryptionSDKClient

To use this module, you (the caller) must first create an instance of the EncryptionSDKClient class. The constructor to this class accepts an optional keyword argument, commitment_policy, that controls which algorithm suites can be used for encryption and decryption. If no value is provided for this argument, a default value of REQUIRE_ENCRYPT_REQUIRE_DECRYPT is used. Unless you have specialized performance requirements or are in the process of migrating from an older version of the AWS Encryption SDK, we recommend using the default value: it restricts both encrypt and decrypt to key-committing algorithm suites, so a ciphertext can only ever decrypt to one plaintext under one data key.

    import aws_encryption_sdk
    from aws_encryption_sdk.identifiers import CommitmentPolicy

    client = aws_encryption_sdk.EncryptionSDKClient(
        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT
    )

You must then create an instance of either a keyring (with the MPL installed) or a CMM. Note: You must also install the AWS Cryptographic Material Providers Library (MPL) to use keyrings. (You may also provide an instance of a legacy master key provider, but this is not recommended.)

AwsKmsMultiKeyring

An AwsKmsMultiKeyring is configured with a generator keyring and a list of child keyrings of type AwsKmsKeyring. The effect is like using several keyrings in a series. When you use a multi-keyring to encrypt data, any of the wrapping keys in any of its keyrings can decrypt that data, so every key you add widens the set of principals able to decrypt.

On encryption, the generator keyring generates and encrypts the plaintext data key. Then, all of the wrapping keys in all of the child keyrings encrypt the same plaintext data key. The final encrypted message will include a copy of the data key encrypted by each configured key. On decryption, the AWS Encryption SDK uses the keyrings to try to decrypt one of the encrypted data keys. The keyrings are called in the order that they are specified in the multi-keyring. Processing stops as soon as any key in any keyring can decrypt an encrypted data key.

An individual AwsKmsKeyring in an AwsKmsMultiKeyring is configured with an AWS KMS key ARN. For keyrings that will only be used for encryption, you can use any valid KMS key identifier. For keyrings that will be used for decryption, you must use the key ARN. Key ids, alias names, and alias ARNs are not supported for decryption.

Because the AwsKmsMultiKeyring uses the boto3 SDK to interact with AWS KMS, it requires AWS credentials. To provide these credentials, use the standard means by which boto3 locates credentials or provide a pre-existing instance of a botocore session to the AwsKmsMultiKeyring. This latter option can be useful if you have an alternate way to store your AWS credentials or you want to reuse an existing instance of a botocore session in order to decrease startup costs. You can also add KMS keys from multiple regions to the AwsKmsMultiKeyring.

See examples/src/aws_kms_multi_keyring_example.py for a code example configuring and using an AwsKmsMultiKeyring with the EncryptionSDKClient.

AwsKmsDiscoveryKeyring

We recommend using an AwsKmsMultiKeyring in order to ensure that you can only encrypt and decrypt data using the AWS KMS key ARNs you expect. However, if you are unable to explicitly identify the AWS KMS key ARNs that should be used for decryption, you can instead use an AwsKmsDiscoveryKeyring for decryption operations. This keyring attempts decryption of any ciphertext as long as the wrapping key recorded in the encrypted data key matches a DiscoveryFilter that you configure. A DiscoveryFilter consists of a list of AWS account ids and an AWS partition. If you do not want to filter the set of allowed accounts, you can also omit the discovery_filter argument, but then the keyring will call KMS against any key ARN an attacker places in a message header, so configure a filter whenever you know which accounts are legitimate.

Note that an AwsKmsDiscoveryKeyring cannot be used for encryption operations.

See examples/src/aws_kms_discovery_keyring_example.py for a code example configuring and using an AwsKmsDiscoveryKeyring with the EncryptionSDKClient.
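The two configuration rules above, that a keyring used for decryption must be given a KMS key ARN (AwsKmsMultiKeyring section) and that an AwsKmsDiscoveryKeyring only tries wrapping keys inside its DiscoveryFilter (this section), can be checked before any KMS call is made. The following is an added example written for this page, not code from aws-encryption-sdk-python or the MPL; it uses only the standard library. The identifier shapes it recognises (UUID and mrk- key ids, alias/ names), the DiscoveryFilter mirror class, and all account ids and ARNs are the author's assumptions and constructed samples, not values taken from the README.

```python
"""Offline checks for the AWS KMS keyring rules described in the README.

Added example; not code from aws-encryption-sdk-python or the MPL.
Identifier shapes, the DiscoveryFilter mirror and all sample ARNs are
assumptions / constructed values, not taken from the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Assumed shapes of bare KMS key ids: UUID or multi-region "mrk-" + 32 hex.
_KEY_ID = re.compile(r"^(mrk-[0-9a-f]{32}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$")
_ARN = re.compile(
    r"^arn:(?P<partition>[a-z][a-z-]*):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<resource_type>key|alias)/(?P<resource>.+)$"
)


@dataclass(frozen=True)
class KmsArn:
    partition: str
    region: str
    account: str
    resource_type: str  # "key" or "alias"
    resource: str


def parse_kms_arn(arn: str) -> KmsArn:
    """Split a KMS key or alias ARN into its fields; raise on anything else."""
    m = _ARN.match(arn)
    if m is None:
        raise ValueError(f"not a KMS ARN: {arn!r}")
    return KmsArn(**m.groupdict())


def classify_key_identifier(identifier: str) -> str:
    """Return 'key-arn', 'alias-arn', 'alias-name' or 'key-id'."""
    if identifier.startswith("arn:"):
        return "key-arn" if parse_kms_arn(identifier).resource_type == "key" else "alias-arn"
    if identifier.startswith("alias/"):
        return "alias-name"
    if _KEY_ID.match(identifier):
        return "key-id"
    raise ValueError(f"unrecognised KMS key identifier: {identifier!r}")


def keys_not_usable_for_decrypt(generator: str, children: Sequence[str]) -> List[str]:
    """Identifiers in a multi-keyring config (generator first) that fail on decrypt.

    Only key ARNs work for decryption; an empty result means the config is safe
    to reuse on the decrypt side.
    """
    return [k for k in (generator, *children) if classify_key_identifier(k) != "key-arn"]


@dataclass(frozen=True)
class DiscoveryFilter:
    """Mirror (assumption) of the MPL DiscoveryFilter: a partition plus account ids."""
    partition: str
    account_ids: Sequence[str]


def discovery_filter_allows(filter_: Optional[DiscoveryFilter], wrapping_key_arn: str) -> bool:
    """Would a discovery keyring attempt this encrypted data key's wrapping key?"""
    arn = parse_kms_arn(wrapping_key_arn)
    if arn.resource_type != "key":
        return False  # encrypted data keys name a key ARN, never an alias
    if filter_ is None:
        return True  # no filter configured: any account in any partition
    return arn.partition == filter_.partition and arn.account in filter_.account_ids


# Constructed sample identifiers (not real keys).
GENERATOR_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CHILD_ALIAS = "alias/my-backup-key"
CHILD_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
FOREIGN_ARN = "arn:aws:kms:us-west-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"


if __name__ == "__main__":
    print("would fail on decrypt:", keys_not_usable_for_decrypt(GENERATOR_ARN, [CHILD_ALIAS, CHILD_KEY_ID]))
    own_account = DiscoveryFilter(partition="aws", account_ids=["111122223333"])
    print("own key allowed:", discovery_filter_allows(own_account, GENERATOR_ARN))
    print("foreign key allowed:", discovery_filter_allows(own_account, FOREIGN_ARN))
```

Run the key-identifier check on any keyring configuration that is shared between the encrypt and decrypt paths; the discovery check is the decision the real keyring makes per encrypted data key, so it also shows why leaving the filter unset lets a message header steer KMS calls at arbitrary accounts.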

Encryption and Decryption

After you create an instance of an EncryptionSDKClient and a Keyring, you can use the client's encrypt and decrypt functions to encrypt and decrypt your data.

You can also provide an encryption context: a form of additional authenticated data. It is bound to the ciphertext and verified on decryption, but it is stored in the message header in plaintext, so it must not contain secrets.

See code in the examples/src/ directory for code examples configuring and using keyrings and encryption context with the EncryptionSDKClient.

Streaming

If you are handling large files or simply do not want to put the entire plaintext or ciphertext in memory at once, you can use this library's streaming clients directly. The streaming clients are file-like objects, and behave exactly as you would expect a Python file object to behave, offering context manager and iteration support.

See examples/src/file_streaming_example.py for a code example streaming data to and from files.

Performance Considerations

Adjusting the frame size can significantly improve the performance of encrypt/decrypt operations with this library.

Processing each frame in a framed message involves a certain amount of overhead. If you are encrypting a large file, increasing the frame size can offer potentially significant performance gains. We recommend that you tune these values to your use-case in order to obtain peak performance.

Thread safety

The EncryptionSDKClient and all provided CryptoMaterialsManager in this library are thread safe. But instances of BaseKMSMasterKeyProvider MUST not be shared between threads, for the reasons outlined in the boto3 docs.

Because the BaseKMSMasterKeyProvider creates a new boto3 session per region, users do not need to create a client for every region in every thread; a new BaseKMSMasterKeyProvider per thread is sufficient.

(The BaseKMSMasterKeyProvider is the internal parent class of all the KMS providers.)

Finally, while the CryptoMaterialsCache is thread safe, sharing entries in that cache across threads needs to be done carefully (see the note about partition name in the API Docs).

Important: Components from the AWS Cryptographic Material Providers Library (MPL) have separate thread safety considerations. For more information, see the note on thread safety in that project's README.

