Step 1: Create the Key Store
AWS KMS provides the root of the key hierarchy. The KMS key (Key Encryption Key / KEK) wraps and unwraps the Data Encryption Keys (DEKs) that protect individual TDF files. The KEK itself never leaves the KMS hardware security module.
Why KMS?
- Hardware-backed: Keys stored in FIPS 140-3 Level 3 validated HSMs
- Audit logged: Every use of the key is recorded in CloudTrail
- Access controlled: Key policies define exactly which IAM roles can use the key
- Rotation: Automatic annual key rotation available
This mirrors the hardware security modules used in defence environments for key management.
Create the KMS key
- Go to KMS Console: https://console.aws.amazon.com/kms
- Click Create key
- Key type: Symmetric
- Key usage: Encrypt and decrypt
- Click Next
- Alias: dcs-level3-kas-kek
- Description: Key Encryption Key for DCS Level 3 KAS - wraps TDF Data Encryption Keys
- Click Next
- Key administrators: Select your IAM user/role
- Click Next
- Key usage permissions: Select your IAM user/role for now. We'll add the ECS task role in the next step.
- Click Next > Finish
Note the Key ID
Copy the Key ID from the key details page (a UUID like 12345678-abcd-1234-efgh-123456789012). You'll need this when configuring the OpenTDF platform.
The key hierarchy

Each TDF file gets its own unique DEK. The DEK is generated by the OpenTDF CLI, used to encrypt the data payload (AES-256-GCM), then wrapped by KMS. The wrapped DEK is stored in the TDF manifest. To decrypt, the KAS sends the wrapped DEK to KMS for unwrapping, but only after verifying the user's attributes against the data's policy.
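The hierarchy above, worked through as an added example (not code from this page or from the OpenTDF project): the CLI side generates a fresh DEK per file and seals the payload with AES-256-GCM, the DEK is wrapped under the KEK and stored in a simplified manifest, and the KAS side checks the requester's attributes before it ever unwraps the DEK. It assumes a local 32-byte stand-in KEK in place of the KMS key (with real KMS the wrap and unwrap are kms:Encrypt and kms:Decrypt calls and the KEK never leaves the HSM), and represents the policy as a list of required attribute strings.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// Manifest is a simplified TDF manifest: the wrapped DEK travels with the data; the plaintext DEK never does.
type Manifest struct {
	WrappedDEK, Ciphertext []byte
	Policy                 []string // attributes a requester must hold (simplified policy shape, an assumption)
}
// seal encrypts with AES-256-GCM under a fresh random nonce, returning nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; the GCM tag check rejects any tampered blob.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(blob) < g.NonceSize() { return nil, fmt.Errorf("blob too short") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}
// EncryptTDF mirrors the CLI side: fresh DEK per file, AES-256-GCM on the payload, DEK wrapped under the KEK
// (kek is a local stand-in for the KMS key; with real KMS this wrap is a kms:Encrypt call).
func EncryptTDF(kek, payload []byte, policy []string) (*Manifest, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := seal(dek, payload)
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek)
	if err != nil { return nil, err }
	return &Manifest{WrappedDEK: wrapped, Ciphertext: ct, Policy: policy}, nil
}
// DecryptTDF mirrors the KAS side: the attribute check gates the unwrap (kms:Decrypt with real KMS).
func DecryptTDF(kek []byte, m *Manifest, attrs map[string]bool) ([]byte, error) {
	for _, need := range m.Policy {
		if !attrs[need] { return nil, fmt.Errorf("denied: missing %q", need) }
	}
	dek, err := open(kek, m.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, m.Ciphertext)
}
```

Because the policy check runs before the unwrap, a denied request never reaches KMS, so each Decrypt event in CloudTrail corresponds to a request the KAS already authorised.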