How to set timeout and retry strategy when I encrypt/decrypt data using python aws_encryption_sdk?


I'm using aws_encryption_sdk to encrypt and decrypt data. Once we hit an issue and our process was stuck for ~24 hours. One of the hypotheses was that there was a problem with string value decryption, because of the significantly increased volume of data. I want to set a connection timeout and retry strategy.

Additional question: Does this SDK connect to AWS to get the key and then do the decryption on the client side or does it get the key using boto and then make another call to AWS with that key and the text to decrypt and the decryption happens on the server side?

I did some research but couldn't find anything.

Answer by Richard Heap:

The AWS Encryption SDK uses "envelope encryption". Each ciphertext is encrypted with a randomly generated key. The data key is itself encrypted with the AWS KMS key (and/or with other keys) and the encrypted data key is stored with the ciphertext.

In terms of AWS KMS operations, this means that, when encrypting, the random key is sent to AWS KMS to be encrypted and an encrypted data key blob is returned. Conversely, when decrypting, the encrypted data key is sent to AWS KMS and the original data key is returned. The data key can then be used to decrypt the ciphertext.

So the payloads to/from AWS KMS are tiny: the 32 bit data key plus encryption context and the encrypted data key.

The client connects to AWS KMS only to encrypt/decrypt the data key. The data key is used by the client to encrypt/decrypt the actual message locally.
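The envelope flow the answer describes, together with the bounded retry the question asks for, as an added example (not code from the AWS Encryption SDK or from the answer's author). `StandInKms` is an assumed local replacement for AWS KMS that only wraps and unwraps 32-byte data keys; the bulk cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC), used in place of the SDK's AES-GCM so the example runs on the standard library. `call_with_retry`, `encrypt_message` and `decrypt_message` are names chosen for this example. The call log shows that the only things crossing the "network" are the data key and its encrypted blob, never the message itself, and the retry wrapper has a total deadline so a stalled key-provider call cannot hang a process indefinitely.

```python
"""Envelope encryption with a stand-in KMS, plus a deadline-bounded retry wrapper.

Added example, not the AWS Encryption SDK's code. The demo cipher below is an
HMAC-based construction standing in for the SDK's AES-GCM.
"""
import hashlib
import hmac
import json
import os
import time


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (demo cipher only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def _aead_encrypt(data_key: bytes, context: dict, plaintext: bytes):
    """Encrypt-then-MAC; the encryption context is bound as associated data."""
    enc_key = hmac.new(data_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(data_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    aad = json.dumps(context, sort_keys=True).encode()
    tag = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def _aead_decrypt(data_key: bytes, context: dict, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    enc_key = hmac.new(data_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(data_key, b"mac", hashlib.sha256).digest()
    aad = json.dumps(context, sort_keys=True).encode()
    expected = hmac.new(mac_key, aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key, wrong context, or tampered ciphertext")
    return _keystream_xor(enc_key, nonce, ciphertext)


class StandInKms:
    """Assumed stand-in for AWS KMS: it only ever sees the 32-byte data key or its
    80-byte encrypted blob. `fail_first` simulates transient failures for the retry demo."""

    def __init__(self, fail_first: int = 0):
        self._master = os.urandom(32)
        self._fail_first = fail_first
        self.calls = []  # (operation, request size in bytes)

    def _record(self, op: str, size: int):
        self.calls.append((op, size))
        if self._fail_first > 0:
            self._fail_first -= 1
            raise ConnectionError("simulated transient KMS failure")

    def encrypt_data_key(self, data_key: bytes, context: dict) -> bytes:
        self._record("Encrypt", len(data_key))
        nonce, ct, tag = _aead_encrypt(self._master, context, data_key)
        return nonce + ct + tag  # 16 + 32 + 32 bytes

    def decrypt_data_key(self, blob: bytes, context: dict) -> bytes:
        self._record("Decrypt", len(blob))
        return _aead_decrypt(self._master, context, blob[:16], blob[16:48], blob[48:])


def call_with_retry(fn, max_attempts: int = 4, base_delay: float = 0.1,
                    deadline_s: float = 5.0, sleep=time.sleep):
    """Retry fn() on ConnectionError with exponential backoff, capped by attempts and a total deadline."""
    start = time.monotonic()
    for attempt in range(1, max_attempts + 1):
        try:
            return fn()
        except ConnectionError as exc:
            elapsed = time.monotonic() - start
            delay = base_delay * 2 ** (attempt - 1)
            if attempt == max_attempts or elapsed + delay > deadline_s:
                raise TimeoutError(f"gave up after {attempt} attempts in {elapsed:.2f}s") from exc
            sleep(delay)


def encrypt_message(kms: StandInKms, plaintext: bytes, context: dict, **retry) -> dict:
    data_key = os.urandom(32)  # fresh per message; the plaintext never leaves the client
    encrypted_key = call_with_retry(lambda: kms.encrypt_data_key(data_key, context), **retry)
    nonce, ct, tag = _aead_encrypt(data_key, context, plaintext)
    return {"encrypted_data_key": encrypted_key, "context": context,
            "nonce": nonce, "ciphertext": ct, "tag": tag}


def decrypt_message(kms: StandInKms, message: dict, **retry) -> bytes:
    data_key = call_with_retry(
        lambda: kms.decrypt_data_key(message["encrypted_data_key"], message["context"]), **retry)
    return _aead_decrypt(data_key, message["context"], message["nonce"],
                         message["ciphertext"], message["tag"])


if __name__ == "__main__":
    kms = StandInKms(fail_first=1)
    msg = encrypt_message(kms, b"x" * 100_000, {"purpose": "demo"})
    assert decrypt_message(kms, msg) == b"x" * 100_000
    print("KMS calls (op, bytes sent):", kms.calls)
```

With the real SDK the same two knobs live in botocore rather than in the Encryption SDK itself: a `botocore.config.Config(connect_timeout=..., read_timeout=..., retries={"max_attempts": ..., "mode": "standard"})` governs every KMS call. In SDK versions whose master key provider accepts a `botocore_session`, that session's default client config (set with `Session.set_default_client_config`) is picked up when the provider creates its regional KMS clients; in the keyring-based versions you construct the `kms` client yourself and can pass the config directly. Either way, a missing `read_timeout` is the setting to check first when a process sits idle for hours on what should be an 80-byte round trip.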