Wilson Mar bio photo

Wilson Mar


Email me Calendar Skype call

LinkedIn Twitter Gitter Instagram Youtube

Github Stackoverflow Pinterest

How to store and send files securely

US (English)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Cyrillic Russian   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean


There is now a way to safely store files in encrypted format and transmit files privately over “hostile” public internet lines.

That’s good news amidst so much bad news about websites being hacked and private credentials stolen. It is now well-known that public wi-fi enables others to listen in to what you send.

Each cloud service (AWS with Azure with GCP, etc.) has its own mechanisms.

Qwiklabs.com: Introduction to AWS Key Management Service (free) provides hands-on instructions on these procedures:

  1. Create an Encryption Key
  2. Create an S3 bucket with CloudTrail logging functions
  3. Use an encryption key to encrypt data stored in a S3 bucket
  4. Monitor encryption key usage using CloudTrail
  5. Manage encryption keys for users and roles

Generate secret keys using AWS KMS

The below describes the manual way using a GUI. There is also an API

PROTIP: Use a separate Data key for different datasets.

  1. Use an internet browser to get on the AWS Management Console:


  2. Select your region.
  3. Enter Key Management Service (KMS).


    Notice the service is to securely ???

    Private CMK (Customer Master Keys) are created in KMS and remain there.

  4. Upon entry, there is a left menu:

    • AWS-managed keys
    • Customer-managed keys (symmetric or asymmetric)
    • Customer key stores

    “Create a key” on the splash screen can also be invoked within the “Customer managed keys” menu item.

    Create a KMS key

    AWS creates a Default master key that protects the data of each service (such as Cloud9) when no other key is defined.

  5. Click “Create Key”.

  6. Click “Advanced options” to view “Key material origin”. Read the KMS docs at


    WARNING: Using AWS Cloud HSM cluster incurs an hourly fee. And AWS has no visibility or access to encryption keys in HSM.

  7. On the configuration page, configure keys: click symmetric.

    Symmetric keys are like a password, a single encryption key that is used for both encrypt and decrypt operations, 256-bit.

    Asymmetric keys are RSA or elliptic curve (ECC) public/private key pairs used encrypt/decrypt or sign/verify operations

  8. On the Add Labels page, type in an Alias and Description. Next.

    PROTIP: Define aliases to differentiate keys within the account.

    PROTIP: Establish a convention for naming keys for all departments, projects, etc.

    Each key has an Alias and Key ID, which are GUIDs with dashes, and enabled.

  9. On the Define key administrative permissions, select the user or role you’re signed into the Console with.

    Advanced Options: Key material origins: KMS, External, Customer key store (CloudHSM):

    • KMS are validated to FIPS 140-2 level 2, China region does not suppor asymmetric keys
    • CloudHSM are validated to FIPS 140-2 level 3, keys and hardware exclusive to customer, either symmetric or asymmetric

Encrypt AWS Network in transit

GUI demo [3:05] AWS Networking Deep Dive: Virtual Private Cloud (VPC) 8 Aug 2019 by Ben Piper

Transport layer: Amazon S2N (Signal-to-Noise), AWS-managed VPN, AWS-client VPN, AWS VPN cloud hub, third-party VPN tunnel.

To create VPC : Customer Gateway : VPN Site-to-site IPSEC

  1. In AWS Console, select VPC in search bar or link.
  2. Customer Gateway menu, Create Customer Gateway
  3. Type Name, Select Routing, IP Address of firewall in front of network,

    You can leave blank Certificate ARN, Device.

  4. Virtual Private Gateways on left menu. Create VPC Gateway. Type name.


  5. Attach (explictly) in Actions drop-down.

  6. Site-to-Site VPN Connection in left menu to Create VPN Connection.
  7. Type Name tag, Virtual Private Gateway
  8. Add Another Rule. Type IP prefix (“192.68”)

    Customer Gateway and Tunnel Options can be left as is.

  9. Download configuration. In pop-up select Vendor (“Openwan”), Platform, Software.
  10. Upload configuration file to firewall.

  11. Route Tables in left menu to Edit Routes.
  12. Type Destination IP & Target of on-premise network. Add route.

Generate secret key using AWS KMS

AWS KMS uses the AWS Encryption SDK of cryptographic algorithms.

VIDEO: AWS re_Infoce 2019: Achieving Security Goals with AWS CloudHSM

CMK + Encryption algorithm yields the Plaintext key and Encrypted key.

Plaintext key + Data are fed into the Encryption algorithm yields Encrypted data.

Encrypted key + CMK fed into Decryption algorithm yields Plaintext key.


VIDEO: AWS re_Infoce 2019: How Encryption Works in AWS

VIDEO: AWS re_Infoce 2019

Build and Monitor Security into Your Golden AMI Pipeline

Introduction to AWS Services by the AWS Training Center Jun 9, 2019 [38:53] is highly rated introduction

More on Security

This is one of a series on Security in DevSecOps:

  1. Git Signing
  2. Hashicorp Vault

  3. WebGoat known insecure PHP app and vulnerability scanners
  4. Test for OWASP using ZAP on the Broken Web App

  5. Encrypt all the things

  6. AWS Security (certification exam)
  7. AWS IAM (Identity and Access Management)

  8. Cyber Security
  9. Security certifications