Creating a Data Encryption Key (DEK)

This section describes how to create the Data Encryption Key (DEK). In this deployment the DEK is an AWS KMS customer managed key (formerly called a customer master key, CMK) that is used to encrypt the policy package. Because the key is asymmetric, the private half never leaves KMS: the policy package is encrypted with the public key, and it can only be decrypted by a principal that is allowed to call kms:Decrypt on this key.

To create a Data Encryption Key:

  1. Log in to the AWS Management Console.
  2. Navigate to Services.

    A list of AWS services appears.

  3. In Security, Identity, & Compliance, click Key Management Service.

    The AWS Key Management Service (KMS) console opens. By default, the Customer managed keys screen appears.

  4. Click Create key.

    The Configure key screen appears.

  5. In the Key type section, select the Asymmetric option to create a single KMS key whose public key encrypts the policy package and whose private key, which never leaves KMS, decrypts it.

  6. In the Key usage section, select the Encrypt and decrypt option.

  7. In the Key spec section, select one option.

    For example, select RSA_4096.

  8. In the Advanced options section, select the Single-Region key option.

  9. Click Next.

    The Add labels screen appears.

  10. In the Alias field, specify the display name for the key, and then click Next.

    The Review and edit key policy screen appears.

  11. Click Finish.

    The Customer managed keys screen appears, displaying the newly created key.

  12. Click the key alias.

    A screen specifying the configuration for the selected key appears.

  13. In the General configuration section, copy the value specified in the ARN field, and save it on your local machine.

    This is the key ARN, of the form arn:aws:kms:<region>:<account-id>:key/<key-id>, not the alias ARN. You need to add it to the Resource element of the KMSDecryptAccess IAM policy, and you also need to specify it in the command for creating the Kubernetes secret for the key.

  14. Navigate to Services > IAM.

  15. Click Policies.

    The Policies screen appears.

  16. Select the KMSDecryptAccess policy.

    The Permissions tab appears.

  17. Click Edit policy, and then edit the policy in JSON format.

  18. Modify the policy so that the Resource element lists the key ARN that you copied in step 13. Leave the Action as kms:Decrypt only: decrypting the policy package requires no other KMS permission, and a wildcard such as kms:* or a Resource of "*" would let the workload use every key in the account.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": [
                    "<ARN of the AWS Customer Master Key>"
                ]
            }
        ]
    }
    
  19. Click Review policy, and then click Save changes to save the changes to the policy.

    An IAM policy can grant access to a KMS key only if the key policy allows it. The default key policy that the console assigns when you create the key does so by giving the account root principal kms:* on the key, which enables IAM policies in the account. If you customized the key policy, confirm that this delegation is still present; otherwise kms:Decrypt calls from the workload are denied even though KMSDecryptAccess is attached.
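The following Python script is an added example and is not part of the product's documentation or tooling. It does offline what steps 13 to 19 do by hand and adds the checks a reviewer would want before saving: it rejects anything that is not a KMS key ARN (an alias ARN in the Resource element grants nothing), splices the ARN into the Allow kms:Decrypt statement in place of the page's placeholder, and audits the resulting policy for anything broader than kms:Decrypt on named keys. The key ARN, account ID and key ID in it are constructed for the example.

```python
"""Added example (not part of the product documentation): validate a KMS key
ARN, splice it into the KMSDecryptAccess policy shown above, and audit the
result for least privilege before saving it in IAM."""
import json
import re
from typing import List

# Grammar of a KMS *key* ARN. An IAM statement for kms:Decrypt must name the
# key itself; an alias ARN (...:alias/<name>) in Resource grants nothing.
KEY_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):kms:"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):"
    r"(?P<account>\d{12}):key/"
    r"(?P<key_id>mrk-[0-9a-f]{32}|"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)

# Placeholder exactly as it appears in the policy document on this page.
PLACEHOLDER = "<ARN of the AWS Customer Master Key>"

# Constructed key ARN for the example; the account ID and key ID are made up.
EXAMPLE_KEY_ARN = (
    "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
)

# The KMSDecryptAccess policy as the page shows it, before the ARN is filled in.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": [PLACEHOLDER],
    }],
})


def parse_key_arn(arn: str) -> dict:
    """Return the partition, region, account and key ID of a KMS key ARN,
    or raise ValueError for anything else (including alias ARNs)."""
    match = KEY_ARN_RE.match(arn.strip())
    if match is None:
        raise ValueError(f"not a KMS key ARN (alias ARNs are rejected): {arn!r}")
    return match.groupdict()


def _as_list(value) -> list:
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def add_key_to_decrypt_policy(policy_json: str, key_arn: str) -> str:
    """Put key_arn into the Resource list of the Allow kms:Decrypt statement,
    replacing the page's placeholder. Safe to run twice: the ARN is added once."""
    parse_key_arn(key_arn)  # fail fast on a malformed or alias ARN
    policy = json.loads(policy_json)
    targets = [
        stmt for stmt in policy["Statement"]
        if stmt.get("Effect") == "Allow" and _as_list(stmt.get("Action")) == ["kms:Decrypt"]
    ]
    if len(targets) != 1:
        raise ValueError("expected exactly one Allow statement whose only action is kms:Decrypt")
    resources = [r for r in _as_list(targets[0].get("Resource")) if r != PLACEHOLDER]
    if key_arn not in resources:
        resources.append(key_arn)
    targets[0]["Resource"] = resources
    return json.dumps(policy, indent=4)


def audit_decrypt_policy(policy_json: str) -> List[str]:
    """Return least-privilege findings for a KMSDecryptAccess policy. An empty
    list means every Allow statement grants only kms:Decrypt on named key ARNs."""
    findings: List[str] = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version is not 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action != "kms:Decrypt":
                findings.append(f"statement {i}: allows {action!r}, not just kms:Decrypt")
        for res in _as_list(stmt.get("Resource")):
            if "*" in res:
                findings.append(f"statement {i}: wildcard resource {res!r} covers every key in scope")
                continue
            try:
                parse_key_arn(res)
            except ValueError:
                findings.append(f"statement {i}: {res!r} is not a KMS key ARN (placeholder or alias?)")
    return findings


if __name__ == "__main__":
    filled = add_key_to_decrypt_policy(PAGE_POLICY, EXAMPLE_KEY_ARN)
    print(filled)
    print("findings:", audit_decrypt_policy(filled) or "none")
```

Run it with the real ARN from step 13 in place of EXAMPLE_KEY_ARN and paste the printed document into the JSON editor in step 17; an empty findings list is what you want before clicking Save changes. The same key can also be created without the console with `aws kms create-key --key-usage ENCRYPT_DECRYPT --key-spec RSA_4096`, whose KeyMetadata.Arn output is the value the policy needs.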


Last modified: January 17, 2026