I am reading the AWS CLI KMS documentation at https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html and https://docs.aws.amazon.com/cli/latest/reference/kms/decrypt.html. I found that I can encrypt/decrypt without creating a data key. But when I read https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html, it says I need to use a KMS CMK to generate a data key that is then used to encrypt my data. So I am confused: do I need a data key or not?
Best answer
A CMK is intended to encrypt/decrypt data keys. So the amount of plaintext you can encrypt when calling the encrypt function directly is limited to 4 KB. You can easily test this by passing a message larger than 4 KB.
These operations are designed to encrypt and decrypt data keys. They use an AWS KMS customer master key (CMK) in the encryption operations and they cannot accept more than 4 KB (4096 bytes) of data. Although you might use them to encrypt small amounts of data, such as a password or RSA key, they are not designed to encrypt application data.
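Envelope encryption as the quoted docs intend it, shown as an added example (not code from the answer or from AWS): a small offline stand-in for the KMS API, FakeKMS, is constructed here so the script runs without credentials; its method names mirror the boto3 kms client, and the 4096-byte limit is the one the docs state. The `cryptography` package is assumed to be installed.

```python
"""Envelope encryption: KMS wraps a small data key, the data key encrypts the bulk data."""
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KMS_LIMIT = 4096  # bytes a direct kms encrypt/decrypt call accepts, per the AWS docs


class FakeKMS:
    """Constructed stand-in for the KMS API (not the AWS SDK). The CMK never leaves it."""

    def __init__(self):
        self._cmk = AESGCM.generate_key(bit_length=256)  # plays the role of the CMK

    def encrypt(self, plaintext: bytes) -> bytes:
        if len(plaintext) > KMS_LIMIT:  # the real API rejects larger payloads
            raise ValueError(f"{len(plaintext)} bytes exceeds the {KMS_LIMIT}-byte KMS limit")
        nonce = os.urandom(12)
        return nonce + AESGCM(self._cmk).encrypt(nonce, plaintext, None)

    def decrypt(self, blob: bytes) -> bytes:
        return AESGCM(self._cmk).decrypt(blob[:12], blob[12:], None)

    def generate_data_key(self) -> tuple[bytes, bytes]:
        """Return (plaintext data key, the same key wrapped under the CMK)."""
        plaintext_key = AESGCM.generate_key(bit_length=256)
        return plaintext_key, self.encrypt(plaintext_key)  # 32 bytes, far under 4 KB


def envelope_encrypt(kms: FakeKMS, data: bytes) -> tuple[bytes, bytes]:
    """Encrypt data of any size locally; only the data key ever goes through KMS."""
    data_key, wrapped_key = kms.generate_data_key()
    nonce = os.urandom(12)
    ciphertext = nonce + AESGCM(data_key).encrypt(nonce, data, None)
    del data_key  # keep the plaintext key around no longer than needed
    return wrapped_key, ciphertext  # store both; wrapped_key is useless without KMS access


def envelope_decrypt(kms: FakeKMS, wrapped_key: bytes, ciphertext: bytes) -> bytes:
    data_key = kms.decrypt(wrapped_key)  # KMS unwraps the key, then decryption is local
    return AESGCM(data_key).decrypt(ciphertext[:12], ciphertext[12:], None)


def direct_encrypt_rejected(kms: FakeKMS, size: int) -> bool:
    """True when a direct kms.encrypt of `size` bytes is refused, as with the real API."""
    try:
        kms.encrypt(b"A" * size)
        return False
    except ValueError:
        return True
```

Direct encrypt is fine for a password or a private key under 4 KB; anything larger goes through the data key, which is why the concepts guide talks about data keys while the CLI lets you skip them for small inputs.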
Regarding amazon-web-services - Why doesn't AWS KMS encrypt/decrypt require a data key?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/59877193/