Articles

KMS: Beyond the API Call

March 15, 2026 6 min read

A Key Management System (KMS) isn’t just about storing secrets; it’s the orchestrator of trust in a distributed system, determining who can access what and when by cryptographically binding identities to permissions.

Imagine you have a service, let’s call it data-processor, that needs to read encrypted data from data-storage. The data is encrypted using a key stored in KMS. data-processor itself doesn’t hold the key; it requests it from KMS. But KMS doesn’t just hand out keys. It first verifies data-processor’s identity. This is where things get interesting.

Here’s a simplified flow:

  1. data-processor needs to decrypt a blob. It makes an API call to KMS: KMS.decrypt(blob_id, encrypted_data).
  2. KMS receives the request. It checks data-processor’s credentials. This could be an IAM role, a service account, or a certificate.
  3. If authenticated, KMS checks its policy. Does the identity associated with data-processor have permission to decrypt data associated with blob_id using the relevant key?
  4. If authorized, KMS retrieves the master key, decrypts the data within KMS, and returns the plaintext data (or a temporary decryption token) back to data-processor. The master key itself never leaves KMS.

This isolation of the master key is the core principle. KMS acts as a Hardware Security Module (HSM) in software, or can even leverage physical HSMs for maximum security.

The Problem It Solves: The Secret Sprawl

Before KMS, developers often embedded encryption keys directly into application code, configuration files, or environment variables. This created a massive "secret sprawl."

  • Risk of Exposure: If any of these locations were compromised, all encrypted data would be exposed.
  • Key Rotation Nightmare: Manually rotating keys across hundreds or thousands of applications and data stores was a Herculean task, rarely done with the required frequency.
  • Auditing Chaos: Knowing who accessed which key and when was often impossible.

KMS centralizes key management, providing a single pane of glass for creation, rotation, deletion, and access control.

Internal Mechanics: The Master Key Hierarchy

At its heart, KMS uses a hierarchical approach to protect your data keys.

  1. Master Key (Customer Master Key - CMK): This is the root key. It’s never used to encrypt your actual data. Instead, it’s used to encrypt your data keys. CMKs can be managed by KMS or backed by your own HSMs.
  2. Data Key: When you want to encrypt a large piece of data (like a file), you ask KMS to generate a data key. KMS generates a unique symmetric key (e.g., AES-256) for this purpose.
  3. Encrypted Data Key: KMS then encrypts this data key using your CMK.
  4. Storage: You store the encrypted data key alongside your actual data. Your actual data is encrypted using the plaintext data key.

When you need to decrypt, the process is reversed:

  1. You send the encrypted data key to KMS.
  2. KMS uses your CMK to decrypt the data key.
  3. KMS returns the plaintext data key to your application.
  4. Your application uses the plaintext data key to decrypt your actual data.

The critical point is that the plaintext data key is only in memory for the duration of the decryption operation and is never persisted. The CMK itself remains within KMS, never leaving its secure boundary.

Levers You Control

  • Key Policy: This is the most granular control. You define who (which IAM principal) can perform what actions (e.g., kms:Encrypt, kms:Decrypt, kms:GenerateDataKey) on which keys. Policies are JSON documents similar to IAM policies.
  • Key Rotation: You can enable automatic key rotation, where KMS automatically generates a new backing key for your CMK every year (or your chosen interval). Older versions of the key are retained for decrypting data encrypted with them.
  • Key Usage: You can specify if a key is intended for encryption/decryption or for signing/verification.
  • Key State: Keys can be enabled, disabled, or scheduled for deletion. A disabled key cannot be used for operations.

The One Thing Most People Don’t Grasp

The GenerateDataKey API call is often misunderstood. It returns three things: the plaintext data key, the data key encrypted under the CMK, and the ID of the CMK used. Your application needs to capture all three. The plaintext data key is used immediately to encrypt your actual data, and then that plaintext data key is discarded. The encrypted data key is what you persist alongside your data. If you only store the plaintext data key, you’ve defeated the purpose of KMS.

The next step in understanding KMS is exploring how it integrates with various services for automatic encryption of their data at rest.

Want structured learning?

Take the full Cryptography course →