NavigationContentFooter
Jump toSuggest an edit
Was this page helpful?

Encrypting and decrypting data with a Key Manager data encryption key

Reviewed on 06 February 2025Published on 06 February 2025

This page shows you how to encrypt and decrypt data using your Key Manager data encryption key and Tink.

Before you startLink to this anchor

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • Created a key encryption key either from the Scaleway console or the Key Manager API
  • Retrieved your key encryption key’s ID
  • A valid API key
  • Downloaded and configured the Scaleway CLI
  • Dowloaded and installed Go
  • Created a Key Manager data encryption key
  • Created and retrieved the ID your Key Manager key

Configuring your environment variablesLink to this anchor

Open a terminal and paste the following command to export your environment variables. Make sure that you replace the placeholder values with your own.

    export SCW_ACCESS_KEY="<access-key>"
    export SCW_SECRET_KEY="<secret-key>"
    export SCW_DEFAULT_ORGANIZATION_ID="<organization-id>"
    export SCW_PROJECT_ID="<project-id>"
    export SCW_DEFAULT_REGION="<region>"
    export SCW_API_URL="<api-url>"
    export SCW_KM_KEY_ID="<key-id>"

Using the Go Tink providerLink to this anchor

  1. Set up Tink.

    Note

    The Tink library for Go is a cryptographic library that simplifies encryption, decryption, and key management operations.

  2. Create a test.go file in your Go project.

  3. Copy and paste the following code in your test.go file.

    package main
    import (
        "fmt"
        "github.com/scaleway/tink-go-scwkms/integration/scwkms"
        "github.com/tink-crypto/tink-go/v2/aead"
        "log"
        "os"
    )
    func main() {
        const keyURIPrefix = "scw-kms://regions/<region>/keys/"
        keyURI := keyURIPrefix + os.Getenv("SCW_KMS_KEY_ID")
        client, err := scwkms.NewClient(keyURIPrefix)
        if err != nil {
            log.Fatal(err)
        }
        kekAEAD, err := client.GetAEAD(keyURI)
        if err != nil {
            log.Fatal(err)
        }
        // Get the Key Manager envelope AEAD primitive.
        dekTemplate := aead.AES256GCMKeyTemplate()
        primitive := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD)
        if err != nil {
            log.Fatal(err)
        }
        // Use the primitive.
        plaintext := []byte("message")
        associatedData := []byte("example KMS envelope AEAD encryption")
        ciphertext, err := primitive.Encrypt(plaintext, associatedData)
        if err != nil {
            log.Fatal(err)
        }
        fmt.Printf("Plaintext: %s\n", plaintext)
        fmt.Printf("Ciphertext (base64): %s\n", ciphertext)
        decryptedCiphertext, err := primitive.Decrypt(ciphertext, associatedData)
        if err != nil {
            log.Fatal(err)
        }
        fmt.Printf("Decrypted ciphertext: %s\n", decryptedCiphertext)
    }

  4. Replace <region> with the region where your key is located and save your changes.

  5. Run your code:

    go run test.go

Manually encrypt and decrypt data with a Key Manager DEKLink to this anchor

OpenSSL overviewLink to this anchor

OpenSSL is a software library for secure communication over computer networks. It is widely used for cryptographic functions.

To decrypt or encrypt your data using OpenSSL, you need to send your encrypted DEK to Key Manager using the Decrypt data operation.

Scaleway Key Manager then uses your key encryption key (KEK) to decrypt the encrypted DEK, returning it to its plaintext (unencrypted) form, which you can then use to decrypt your actual data.

Important
  • We do not recommend using OpenSSL in a production environment.
  • You should never save the plaintext DEK on disk or any permanent storage, as it poses a security risk.

Encrypting data with OpenSSLLink to this anchor

To encrypt your data using OpenSSl, you need to:

  1. Decrypt your encrypted DEK using your Key Manager key (key encryption key).

  2. Create a plaintext.txt file in which you will paste your plaintext data.

  3. Encrypt the content of plaintext.txt using OpenSSL and the AES-256-CBC cipher encryption algorithm.

  4. Open a terminal and paste the following command to perform the actions described above. Make sure that you replace <kek_id> and <my_encrypted_data_key> with the relevant values.

    # Decrypt the encrypted DEK using scw key decrypt
    decrypted_data_key=$(scw keymanager key decrypt key-id=<kek_id> ciphertext=<my_encrypted_data_key> | awk '$1 == "Plaintext" {print $2}' | base64 -d)
    # Put your data plaintext into a .txt file
    echo -n "Your plaintext here" > plaintext.txt
    # Encrypt your file using OpenSSL and AES-256-CBC
    openssl enc -aes-256-cbc -in plaintext.txt -out encrypted.bin -K $(echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"') -iv 0 -nosalt -p
    # Remove the plaintext data
    rm plaintext.txt

Decrypting data with OpenSSLLink to this anchor

To decrypt your encrypted data using OpenSSL, you need to:

  1. Decrypt your encrypted DEK using your Key Manager key (key encryption key).

  2. Decrypt the content of encrypted.bin which contains your encrypted data, using OpenSSL and the AES-256-CBC cipher encryption algorithm.

  3. Open a terminal and paste the following command to perform the actions described above. Make sure that you replace <kek_id> and <my_encrypted_data_key> with the relevant values.

        # Decrypt the encrypted DEK using scw key decrypt
        decrypted_data_key=$(scw keymanager key decrypt key-id=<kek_id> ciphertext=<my_encrypted_data_key> | awk '$1 == "Plaintext" {print $2}' | base64 -d)
        # Decrypt your data using OpenSSL and AES-256-CBC
        openssl enc -aes-256-cbc -d -in encrypted.bin -out decrypted.bin -K $(echo -n "$decrypted_data_key" | hexdump -ve '/1 "%02x"') -iv 0 -nosalt -p
Tip

If you do not wish to use OpenSSL to encrypt and decrypt your data encryption key, you can do it manually using the procedure below, which follows best practices.

Encrypting a DEK manuallyLink to this anchor

  1. Create one data encryption key for each plaintext you want to encrypt.

    Tip

    This ensures that each encryption operation uses a unique encryption key, enhancing security.

  2. Use your newly created DEK to encrypt the desired plaintext securely.

    Note

    We recommend using standard and well-established ciphers, such as AES (Advanced Encryption Standard), to perform the encryption operation.

  3. After encrypting the plaintext using your DEK, concatenate the encrypted DEK with the resulting ciphertext. This ensures that the encrypted DEK is securely associated with the corresponding ciphertext for decryption.

Decrypting a DEK manuallyLink to this anchor

  1. Extract the encrypted DEK from the ciphertext.

    Note

    Extracting an encrypted DEK from the ciphertext means that we are separating the encrypted DEK from the ciphertext.

  2. Decrypt the encrypted DEK using your Key manager key (key encryption key).

  3. Use the resulting DEK’s plaintext to decrypt the ciphertext.

    Note

    Use the same cryptographic algorithm and decryption mechanism as the ones you used during the encryption process.

  4. Delete the plaintext DEK from permanent storage after using it to enhance security.

Was this page helpful?
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2025 – Scaleway