Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save rocky0001/2e69651ac2141ac81d5a9e71355d90ae to your computer and use it in GitHub Desktop.
Save rocky0001/2e69651ac2141ac81d5a9e71355d90ae to your computer and use it in GitHub Desktop.
golang encyrpt, decrypt key with kms
The code below shows how to encrypt and then decrypt some plaintext into a cyphertext using
KMS's Encrypt/Decrypt functions and secretbox (
The plaintext message is sealed into a secretbox using a key that is generated by kmsClient.GenerateDataKey().
Note that this procedure reuquires that a master key would *already exist in KMS* and that its arn/alias is specified.
The aws library assumes that the proper credentials can be found in the shared file (~/.aws/credentials)
and opts for the 'default' role.
Once sealed, the cyphertext is then unboxed, again by first getting the key from kms (kmsClient.Decrypt),
and then using that to decypher the text (secretbox.Open(..))
Note that that the kms keyname isn't specified on Decrypt. I guess that the ciphertext contains some meta regarding
which key should be used to decrypt.
package main
import (
const (
kmsKeyName = "tempKey" //must already exist in kms
func main() {
r := strings.NewReader("Go is a general-purpose language designed with systems programming in mind.")
plaintext, err := ioutil.ReadAll(r)
if err != nil {
fmt.Println("Plaintext: ", plaintext)
sess := session.Must(session.NewSession())
kmsClient := kms.New(sess, aws.NewConfig().WithRegion("us-east-1"))
// Encrypt plaintext
encrypted, err := Encrypt(kmsClient, plaintext) // <-- to be implemented
if err != nil {
fmt.Println("Encrypted: ", encrypted)
// Decrypt ciphertext
kmsClient = kms.New(sess, aws.NewConfig().WithRegion("us-east-1"))
decrypted, err := Decrypt(kmsClient, encrypted) // <-- to be implemented
if err != nil {
fmt.Println("Decrypted: ", decrypted)
const (
keyLength = 32
nonceLength = 24
type payload struct {
Key []byte
Nonce *[nonceLength]byte
Message []byte
func Encrypt(kmsClient *kms.KMS, plaintext []byte) ([]byte, error) {
// Generate data key
//provide either the key's arn OR its alias, as shown below:
//keyId := "arn:aws:kms:us-east-1:779993255822:key/bb1a147c-8600-4558-910d-8b841c8f7493"
keyId := "alias/" + kmsKeyName
keySpec := "AES_128"
dataKeyInput := kms.GenerateDataKeyInput{KeyId: &keyId, KeySpec: &keySpec}
dataKeyOutput, err := kmsClient.GenerateDataKey(&dataKeyInput)
if err == nil { // dataKeyOutput is now filled
} else {
fmt.Println("error: ", err)
// Initialize payload
p := &payload{
Key: dataKeyOutput.CiphertextBlob,
Nonce: &[nonceLength]byte{},
// Set nonce
if _, err = rand.Read(p.Nonce[:]); err != nil {
return nil, err
// Create key
key := &[keyLength]byte{}
copy(key[:], dataKeyOutput.Plaintext)
// Encrypt message
p.Message = secretbox.Seal(p.Message, plaintext, p.Nonce, key)
buf := &bytes.Buffer{}
if err := gob.NewEncoder(buf).Encode(p); err != nil {
return nil, err
return buf.Bytes(), nil
func Decrypt(kmsClient *kms.KMS, ciphertext []byte) ([]byte, error) {
// Decode ciphertext with gob
var p payload
//Decrypt a ciphertext that was previously encrypted.
//Note that we dont actually specify the key name.
//I guess the ciphertext already encodes it?
dataKeyOutput, err := kmsClient.Decrypt(&kms.DecryptInput{
CiphertextBlob: p.Key,
if err == nil { // dataKeyOutput is now filled
} else {
fmt.Println("error: ", err)
key := &[keyLength]byte{}
copy(key[:], dataKeyOutput.Plaintext)
// Decrypt message
var plaintext []byte
plaintext, ok := secretbox.Open(plaintext, p.Message, p.Nonce, key)
if !ok {
return nil, fmt.Errorf("Failed to open secretbox")
return plaintext, nil
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment