Symmetric Key Envelope Encryption
Reference: How the AWS Encryption SDK Works
Create an AWS KMS Customer Managed Encryption Key
Create a KMS customer master key for Xplenty encryption and decryption following this AWS guide.
Add Xplenty’s AWS Account to the Customer Managed Key
099517174445 in the KMS Key Administrators page. This gives Xplenty permission to call your KMS for this customer managed key’s data key. The KMS key policy can give finer-grained control of Xplenty’s permissions. For example, Xplenty might be given permission to encrypt data but never decrypt it (by removing “kms:Decrypt” from the key policy actions).
c. Store your key’s ARN from the KMS customer managed keys page as this will be needed later when calling Xplenty’s Encrypt and Decrypt functions.
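To confirm that a key policy really leaves Xplenty's account encrypt-only, as described above, the policy document can be checked before relying on it. The following is an added example, not Xplenty's or AWS's code: the sample policy and the function names are constructed for illustration, and the evaluation is simplified (it ignores `Condition`, `NotAction` and `NotPrincipal`).

```python
import fnmatch
import json

XPLENTY_ACCOUNT = "099517174445"  # account ID given on this page

# Constructed sample key policy (assumption): a statement for the external
# account with "kms:Decrypt" left out of the allowed actions.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Sid": "AllowXplentyEncryptOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::099517174445:root"},
    "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": "*"}]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_account(principal, account_id):
    """True if a Principal element covers the account (ARN, bare ID or "*")."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p in ("*", account_id) or p.startswith(f"arn:aws:iam::{account_id}:")
               for p in _as_list(principal.get("AWS", [])))

def action_allowed(policy, account_id, action):
    """Evaluate Allow/Deny statements for one action; an explicit Deny wins."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _names_account(stmt.get("Principal"), account_id):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), pat) for pat in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    for action in ("kms:Encrypt", "kms:GenerateDataKey", "kms:Decrypt"):
        print(action, action_allowed(SAMPLE_POLICY, XPLENTY_ACCOUNT, action))
```

Running the same check against the policy exported from your own key shows whether a wildcard such as `kms:*` elsewhere in the policy still grants decrypt to that account.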