awslabs / aws-encryption-sdk-specification

AWS Encryption SDK Specification

Using KMS envelope encryption with keys from different AWS partitions #219

Closed ohadbenita closed 3 years ago

ohadbenita commented 4 years ago

Hi,

I have a use case for a migration between two different AWS partitions. I've been wondering whether it'd be possible to envelope encrypt our secrets with two data keys from two different AWS partitions.

Thanks.

mattsb42-aws commented 4 years ago

Absolutely! The partition is included in the CMK ARN, so on decryption the keyring (or master key provider) can figure out what KMS region can decrypt the encrypted data key. So if you encrypt an ESDK message under, say, a CMK in us-west-2 and a CMK in cn-north-1, you could decrypt independently with either.

There are two wrinkles here, though.

The first is that because principals, and thus credentials, only work within a single partition, you will need to make sure that the client or credentials that you provide are valid for the specific partition in question.

The second is that on encryption you will need to communicate with both partitions, just as you would for multiple regions in the same partition, so you will need to construct a more complex keyring (or master key provider) that has children that can talk to both partitions.
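As an added illustration of the two wrinkles described above (example code, not code from the ESDK, the spec, or the commenter): a toy composite keyring that parses the partition out of each CMK ARN, resolves a client from partition-scoped credentials, fails closed on encrypt when any child's partition is unreachable, and on decrypt skips children whose partition it holds no credentials for. `KmsArn`, `FakeKmsClient`, `make_client_provider`, `MultiPartitionKeyring` and both ARNs are constructed for this example; a real deployment would wrap boto3 clients behind the ESDK's own keyring or master key provider classes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample ARNs (not real keys): one CMK per partition.
AWS_KEY = "arn:aws:kms:us-west-2:111122223333:key/11111111-2222-3333-4444-555555555555"
CN_KEY = "arn:aws-cn:kms:cn-north-1:444455556666:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


@dataclass(frozen=True)
class KmsArn:
    """The fields of a KMS key ARN a keyring needs to route a call."""
    partition: str
    region: str
    account: str
    resource: str

    @classmethod
    def parse(cls, arn: str) -> "KmsArn":
        # Layout: arn:<partition>:kms:<region>:<account>:key/<key-id>
        parts = arn.split(":", 5)
        if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
            raise ValueError(f"not a KMS ARN: {arn!r}")
        _, partition, _, region, account, resource = parts
        if not (partition and region and account and resource.startswith("key/")):
            raise ValueError(f"expected a KMS key ARN: {arn!r}")
        return cls(partition, region, account, resource)

    def __str__(self) -> str:
        return f"arn:{self.partition}:kms:{self.region}:{self.account}:{self.resource}"


class FakeKmsClient:
    """Stand-in for a KMS client bound to one partition's credentials (constructed).

    It only works for keys in its own partition, mirroring the fact that an IAM
    principal, and so its credentials, never spans partitions.
    """

    def __init__(self, partition: str, credential: str):
        self.partition, self.credential = partition, credential

    def _check(self, key: KmsArn) -> None:
        if key.partition != self.partition:
            raise PermissionError(f"{self.credential} cannot call KMS in partition {key.partition}")

    def encrypt(self, key: KmsArn, plaintext: bytes) -> bytes:
        self._check(key)
        return f"edk:{key}:".encode() + plaintext  # toy wrapping, NOT encryption

    def decrypt(self, key: KmsArn, blob: bytes) -> bytes:
        self._check(key)
        prefix = f"edk:{key}:".encode()
        if not blob.startswith(prefix):
            raise ValueError("ciphertext was not produced under this key")
        return blob[len(prefix):]


ClientProvider = Callable[[KmsArn], FakeKmsClient]


def make_client_provider(credentials_by_partition: Dict[str, str]) -> ClientProvider:
    """Build a client factory keyed on the ARN's partition (the region would pick
    the endpoint in a real client). Raises LookupError for an unknown partition."""

    def provider(key: KmsArn) -> FakeKmsClient:
        try:
            cred = credentials_by_partition[key.partition]
        except KeyError:
            raise LookupError(f"no credentials for partition {key.partition!r}") from None
        return FakeKmsClient(key.partition, cred)

    return provider


class MultiPartitionKeyring:
    """Composite keyring whose children may live in different partitions."""

    def __init__(self, key_arns: List[str], client_provider: ClientProvider):
        self.keys = [KmsArn.parse(a) for a in key_arns]
        self.client_for = client_provider

    def encrypt_data_key(self, data_key: bytes) -> List[Tuple[str, bytes]]:
        """Wrap the data key under every child. Encryption must reach every
        partition, so a missing credential set is a hard failure here."""
        return [(str(k), self.client_for(k).encrypt(k, data_key)) for k in self.keys]

    def decrypt_data_key(self, edks: List[Tuple[str, bytes]]) -> bytes:
        """Unwrap with the first EDK whose key is configured and whose partition
        we hold credentials for; other EDKs are skipped, not treated as errors."""
        for arn_str, blob in edks:
            key = KmsArn.parse(arn_str)
            if key not in self.keys:
                continue  # strict mode: ignore keys this keyring was not configured with
            try:
                client = self.client_for(key)
            except LookupError:
                continue  # wrong partition for our credentials; try the next EDK
            return client.decrypt(key, blob)
        raise ValueError("no encrypted data key is decryptable with the configured keys and credentials")


def demo() -> bytes:
    """Encrypt with credentials for both partitions, decrypt with aws-cn only."""
    data_key = bytes(range(32))  # constructed placeholder for a generated data key
    writer = MultiPartitionKeyring(
        [AWS_KEY, CN_KEY], make_client_provider({"aws": "writer-aws", "aws-cn": "writer-cn"})
    )
    edks = writer.encrypt_data_key(data_key)
    reader = MultiPartitionKeyring([AWS_KEY, CN_KEY], make_client_provider({"aws-cn": "reader-cn"}))
    return reader.decrypt_data_key(edks)
```

The shape to keep from this toy: the encrypt path iterates every child and needs a working client for each partition, while the decrypt path is selective and only needs credentials for the partition it is running in. Mapping credentials to partitions (rather than to regions) is what makes the skip on the decrypt side correct.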

acioc commented 3 years ago

Resolving per answer above. Please re-open this issue (or create a new one) if there are additional questions or you would like us to dive a bit deeper into anything.