aws / aws-encryption-sdk-java

AWS Encryption SDK
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html
Apache License 2.0

[Question] en/decryptData with CryptoMaterialsManager is deprecated, how to migrate to non-deprecated? #2033

Open StiviiK opened 4 months ago

StiviiK commented 4 months ago

EDIT: Original problem solved, single question still open - please see https://github.com/aws/aws-encryption-sdk-java/issues/2033#issuecomment-2076914120.

Problem:

I am trying to use the aws-encryption-sdk and followed the examples (which work fine), but the methods the examples are using are deprecated: [image]

How can I migrate to the non-deprecated methods?

Source-Context:

[...]
// Create a KMS master key provider
var masterKeyProvider = KmsMasterKeyProvider.builder()
        .buildStrict(kmsKeyId);

// Create a caching cryptographic materials manager
this.cachingMaterialsManager = CachingCryptoMaterialsManager.newBuilder()
        .withMasterKeyProvider(masterKeyProvider)
        .withCache(new LocalCryptoMaterialsCache(MAX_CACHE_ENTRIES))
        .withMaxAge(MAX_ENTRY_AGE_MILLISECONDS, TimeUnit.MILLISECONDS)
        .withMessageUseLimit(MAX_ENTRY_USES)
        .build();

[...]

var result = this.crypto.encryptData(
        this.cachingMaterialsManager,
        value.getBytes(StandardCharsets.UTF_8),
        new HashMap<>() // encryption context
);

[...]

// ToDO: Verify the encryption context
var result = this.crypto.decryptData(
        this.cachingMaterialsManager,
        encrypted
);
marcindabrowski commented 4 months ago

I think you have to use Keyrings as in the examples https://github.com/aws/aws-encryption-sdk-java/tree/master/src/examples/java/com/amazonaws/crypto/examples/keyrings.

StiviiK commented 4 months ago

I think you have to use Keyrings as in the examples https://github.com/aws/aws-encryption-sdk-java/tree/master/src/examples/java/com/amazonaws/crypto/examples/keyrings.

Interesting idea, but it seems like this may be even older, as it uses the Java AWS SDK v1: import com.amazonaws.encryptionsdk.kms.....; vs. import com.amazonaws.encryptionsdk.kmssdkv2....;

For context, I basically followed: https://github.com/aws/aws-encryption-sdk-java/blob/master/src/examples/java/com/amazonaws/crypto/examples/v2/SimpleDataKeyCachingExample.java

marcindabrowski commented 4 months ago

Well, I think it is the new API. Those tests were added recently, and it is working for me. If you look into the API, only methods that use keyrings are not deprecated.

I think that version 3.0.0 is new, and the documentation on the Amazon site was not yet updated to point to it.

StiviiK commented 4 months ago

You're right. But I can't figure out how to use caching using the Keyrings. ~Additionally, the non-deprecated API also accepts ICryptographicMaterialsManager, but I can't figure out how to use that interface.~

marcindabrowski commented 4 months ago

I also don't know how to use the cache. But I think that somehow it is built in by default - I'm not sure, the code is somehow generated with Dafny. It has to be confirmed by someone from Amazon.

StiviiK commented 4 months ago

Thanks for your help, I have reimplemented it using Keyrings.

@repo-maintainers / amazon

I also don't know how to use the cache. But I think that somehow it is built in by default - I'm not sure, the code is somehow generated with Dafny. It has to be confirmed by someone from Amazon.

Could somebody of you please confirm / provide advice?

lucasmcdonald3 commented 3 months ago

Hi @StiviiK --

All new applications should use keyrings. The preferred caching solution for new applications using keyrings is to use the AWS KMS Hierarchical Keyring. This keyring caches intermediate branch key materials rather than data keys, improving caching performance.

Any applications that have already integrated with the caching cryptographic materials manager (CMM) are blocked from adopting keyrings until we (AWS Crypto Tools) release the caching CMM in the AWS Cryptographic Material Providers Library (MPL).

It looks like you are working on a new application, so I would suggest using the hierarchical keyring.

Let us know if you have further questions. Thanks, Lucas
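To make the migration Lucas describes concrete, here is an added example (written for this thread, not code from the issue or from the project's own examples) that swaps the deprecated CachingCryptoMaterialsManager for an AWS KMS Hierarchical Keyring and also closes the "verify the encryption context" ToDo from the original snippet. The KMS key ARN, key store table name and branch key id are assumed placeholders, and the branch key is assumed to already exist in the key store.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.cryptography.keystore.KeyStore;
import software.amazon.cryptography.keystore.model.KMSConfiguration;
import software.amazon.cryptography.keystore.model.KeyStoreConfig;
import software.amazon.cryptography.materialproviders.IKeyring;
import software.amazon.cryptography.materialproviders.MaterialProviders;
import software.amazon.cryptography.materialproviders.model.CreateAwsKmsHierarchicalKeyringInput;
import software.amazon.cryptography.materialproviders.model.MaterialProvidersConfig;

public class HierarchicalKeyringMigration {
    // Placeholder resource identifiers (assumed); replace with your own.
    private static final String KMS_KEY_ARN = "arn:aws:kms:REGION:ACCOUNT:key/KEY-ID";
    private static final String KEY_STORE_TABLE = "MyKeyStoreTable";
    private static final String BRANCH_KEY_ID = "existing-branch-key-id";
    private final AwsCrypto crypto = AwsCrypto.standard();
    private final IKeyring keyring;

    public HierarchicalKeyringMigration() {
        // The key store is the DynamoDB table holding branch keys, each wrapped by the KMS key.
        KeyStore keyStore = KeyStore.builder().KeyStoreConfig(KeyStoreConfig.builder()
                .ddbClient(DynamoDbClient.create()).ddbTableName(KEY_STORE_TABLE)
                .logicalKeyStoreName(KEY_STORE_TABLE).kmsClient(KmsClient.create())
                .kmsConfiguration(KMSConfiguration.builder().kmsKeyArn(KMS_KEY_ARN).build())
                .build()).build();
        MaterialProviders mpl = MaterialProviders.builder()
                .MaterialProvidersConfig(MaterialProvidersConfig.builder().build()).build();
        // ttlSeconds bounds how long branch key material stays in the keyring's local cache;
        // it replaces the maxAge / messageUseLimit tuning of the caching CMM.
        keyring = mpl.CreateAwsKmsHierarchicalKeyring(CreateAwsKmsHierarchicalKeyringInput.builder()
                .keyStore(keyStore).branchKeyId(BRANCH_KEY_ID).ttlSeconds(600).build());
    }

    public byte[] encrypt(String value, Map<String, String> encryptionContext) {
        // Same call shape as before: the keyring takes the place of the CMM argument.
        return crypto.encryptData(keyring, value.getBytes(StandardCharsets.UTF_8), encryptionContext)
                .getResult();
    }
    public String decrypt(byte[] ciphertext, Map<String, String> expectedContext) {
        CryptoResult<byte[], ?> result = crypto.decryptData(keyring, ciphertext);
        // Check the authenticated encryption context before trusting the plaintext.
        if (!result.getEncryptionContext().entrySet().containsAll(expectedContext.entrySet()))
            throw new IllegalStateException("encryption context mismatch");
        return new String(result.getResult(), StandardCharsets.UTF_8);
    }
}
```

As getaceres notes further down, this keyring depends on a DynamoDB-backed key store, so it is not a drop-in for a purely in-memory cache.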

StiviiK commented 3 months ago

@lucasmcdonald3 Awesome, thank you very much for your advice. I started implementing it using AWS KMS Hierarchical keyrings, but then another question came up for me.

Regarding Step 3, when do you recommend creating a new active branch key? We are basically building a microservice architecture with multiple REST APIs which encrypt/decrypt sensitive data on the fly.

getaceres commented 3 months ago

Hello. I'm trying to migrate an application from V2 to V3 and I have this problem too. I'm using a CachingCryptoMaterialsManager to minimize calls to KMS, since reusing the same key is not a risk for us. I've read the documentation of the Hierarchical Keyring, but it needs a DynamoDB table. However, our organization forbade us from using DynamoDB. Is there a local implementation to replace the old CachingCryptoMaterialsManager, just maintaining them in memory without any other dependency?

seebees commented 2 months ago

Regarding Step 3, when do you recommend to create a new active branch key?

@StiviiK This is a question for your threat model. That said, Versioning (really, rotating) Branch Keys yearly is a good default.

@getaceres We are planning on releasing the Caching CMM in the MPL. However, until we do, the native Caching CMM is supported.

I have cut https://github.com/aws/aws-cryptographic-material-providers-library/issues/354 to track support for other backing stores.