I am trying to encrypt a large XML payload using the AWS KMS Encryption SDK. I came across this link, which states that there is a limit on the number of bytes of data that can be encrypted:
You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such as an RSA key, a database password, or other sensitive information.
Does KMS not support encryption of data that is more than 4 KB? Is there a workaround to handle data of size more than 4 KB?
You are using the CMK to encrypt/decrypt your data, which is not what you should be using it for. The CMK is limited to encrypting up to 4k of data because it is meant to create and encrypt/decrypt the data key. Once you've created this data key, you then use it to encrypt your data without the use of AWS KMS. You could use OpenSSL with the data key, and this process is not dependent on KMS. Keep in mind that you have to handle the data key very carefully, and best practice is that once you've used it to encrypt data, you must encrypt that data key using KMS and then store that encrypted key (as metadata) along with the encrypted data. The process of decrypting the data will start with you using KMS to decrypt the data key, then using OpenSSL, for example, to use the decrypted data key as the key to decrypt your data (XML payload).
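The envelope flow described in the answer, as an added example that is not part of the original post: it uses AES-256-GCM from the Python `cryptography` package in place of OpenSSL, and it additionally binds the wrapped key to the ciphertext as associated data. `LocalKmsStub`, `encrypt_payload`, `decrypt_payload` and the key alias are hypothetical names; the stub is a constructed offline stand-in that mirrors the boto3 KMS calls `generate_data_key` and `decrypt`.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KMS_DIRECT_LIMIT = 4096  # bytes KMS will encrypt directly under the CMK


class LocalKmsStub:
    """Constructed offline stand-in for a boto3 KMS client (not real KMS)."""

    def __init__(self):
        self._cmk = AESGCM(AESGCM.generate_key(bit_length=256))

    def encrypt(self, KeyId, Plaintext):
        if len(Plaintext) > KMS_DIRECT_LIMIT:
            raise ValueError("plaintext exceeds the 4096-byte KMS limit")
        nonce = os.urandom(12)
        return {"CiphertextBlob": nonce + self._cmk.encrypt(nonce, Plaintext, None)}

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        key = AESGCM.generate_key(bit_length=256)
        blob = self.encrypt(KeyId, key)["CiphertextBlob"]
        return {"Plaintext": key, "CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob):
        nonce, body = CiphertextBlob[:12], CiphertextBlob[12:]
        return {"Plaintext": self._cmk.decrypt(nonce, body, None)}


def encrypt_payload(kms, key_id, payload):
    """Encrypt payload locally with a fresh data key; keep only the wrapped key."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    nonce = os.urandom(12)
    # The wrapped key is passed as AAD so it cannot be swapped in storage.
    ciphertext = AESGCM(dk["Plaintext"]).encrypt(nonce, payload, dk["CiphertextBlob"])
    return {"encrypted_key": dk["CiphertextBlob"], "nonce": nonce, "ciphertext": ciphertext}


def decrypt_payload(kms, envelope):
    """Unwrap the data key through KMS, then decrypt the payload locally."""
    key = kms.decrypt(CiphertextBlob=envelope["encrypted_key"])["Plaintext"]
    return AESGCM(key).decrypt(envelope["nonce"], envelope["ciphertext"], envelope["encrypted_key"])


if __name__ == "__main__":
    kms = LocalKmsStub()  # with AWS: kms = boto3.client("kms")
    xml = b"<order>" + b"<item/>" * 2000 + b"</order>"  # constructed, ~14 KB
    env = encrypt_payload(kms, "alias/example-key", xml)  # placeholder key id
    assert decrypt_payload(kms, env) == xml
    print(len(xml), "bytes encrypted; stored wrapped key is", len(env["encrypted_key"]), "bytes")
```

Only the wrapped data key ever passes through KMS, so the payload size is bounded by the local cipher rather than the 4096-byte limit.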