Implementing client-side encryption - MediaConvert
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Implementing client-side encryption

Client-side encryption is one of the three encryption options that you can use with AWS Elemental MediaConvert. With client-side encryption, you encrypt your input files before you upload them to Amazon S3.

You can use client-side encryption in conjunction with the other two options. The following illustration shows the three options.

[Figure: three rectangles, one per encryption option, with client-side encryption highlighted. Client-side encryption: Encrypt your content using open protocols before you upload your input files. Protects your input files in transit. Protects your input files at rest.]

To use client-side encryption with AWS Elemental MediaConvert

  1. Use Amazon Key Management Service (Amazon KMS) to create a KMS key. For procedures, see Creating keys in the Amazon Key Management Service Developer Guide. For an overview, see Amazon Key Management Service concepts in the same guide.

  2. Create a data key to encrypt your content with. Use the Amazon KMS Encrypt operation to encrypt the data key under your customer managed key. You must use this encryption context:

    "{\"service\" : \"mediaconvert.amazonaws.com\" }"

    You can create and encrypt your data key in one of the following ways:

    • Create a data key using Amazon Key Management Service (Amazon KMS) by calling KMS GenerateDataKey. For the KeyId parameter, specify the Amazon Resource Name (ARN) of the KMS key that you created in the first step of this procedure. This operation returns a plaintext copy of the data key and a copy that is encrypted under the KMS key.

    • Use an encryption library, such as OpenSSL, to create an Advanced Encryption Standard (AES) key. Then, encrypt the key by calling Amazon KMS Encrypt. Include the KMS key that you created in the first step of this procedure as the KeyId when you make this call.

      For more information about creating an AES key using OpenSSL, see the OpenSSL documentation.

    For more information, see data keys in the Amazon Key Management Service concepts topic of the Amazon Key Management Service Developer Guide.

  3. Use the plaintext data key that you created in the preceding step to encrypt your content as follows:

    • Use one of the following AES encryption modes: CTR, CBC, or GCM.

    • Use a 16-byte initialization vector with any encryption mode. Or, use a 12-byte initialization vector with GCM or CTR.

    For more information about using OpenSSL, see the OpenSSL documentation.

    Note

    AWS Elemental MediaConvert doesn't support files encrypted by using the Amazon S3 encryption client.

  4. Specify AWS Elemental MediaConvert decryption settings for each encrypted input as follows:

    1. On the Create job page, in the Job pane on the left, choose an Input.

    2. In the Input section on the right, choose Decryption settings.

    3. For Decryption mode, choose the AES encryption mode that you used to encrypt your content in an earlier step of this procedure.

    4. For Encrypted data key, enter the encrypted version of your data key that the Amazon KMS GenerateDataKey or Encrypt operation returned.

      Make sure that you provide the encrypted version of your data key. Providing the data key in plaintext exposes it in transit between your system and MediaConvert, making your content vulnerable. Also, if you provide your plaintext data key, your job will fail.

    5. For Initialization vector, provide the 16-byte or 12-byte initialization vector that you used to encrypt your content in an earlier step of this procedure.

      Note

      You must provide your initialization vector encoded in base64. You can do base64 encoding with an online conversion tool, or at the Linux command line with the following command: echo -n "string-to-be-encoded-here" | base64. The -n flag excludes the newline character that echo would otherwise append to the string that you pass in.

    6. If the Amazon Region that you used for Amazon KMS when you generated your data key is different from the Region that you are currently using to run your AWS Elemental MediaConvert job, specify that Region for Amazon Region for decryption key.

  5. Grant kms:Decrypt permissions to your AWS Elemental MediaConvert Amazon Identity and Access Management (IAM) role. Use an IAM inline policy. To learn more, see these topics:

    • For more information about setting up an IAM role for AWS Elemental MediaConvert to assume, see Step 5: Set up IAM permissions in the Getting Started chapter of this guide.

    • For more information about granting IAM permissions using an inline policy, see the procedure To embed an inline policy for a user or role in Adding IAM identity permissions (console) in the IAM User Guide.

    • For examples of IAM policies that grant Amazon KMS permissions, including decrypting encrypted content, see Customer managed policy examples in the Amazon Key Management Service Developer Guide.
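The following script is an added example, not code from the MediaConvert documentation or from AWS, that carries the OpenSSL route of steps 2 and 3, the base64 encoding of the initialization vector from step 4, and the kms:Decrypt inline policy of step 5 through as a single runnable procedure. It assumes openssl, od and base64 are on PATH, that the aws CLI is configured for the KMS Region for the one function that calls KMS, and that the file names and the KMS key ARN passed in are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example (not the MediaConvert documentation's own code): the OpenSSL route of
# steps 2-3, the base64 IV note, and the kms:Decrypt policy of step 5.
# Assumptions: openssl, od, base64 and (for the KMS step only) the aws CLI are on PATH;
# the KMS key ARN passed to the functions is the key created in step 1; file names are constructed.
set -e

# Step 2, OpenSSL variant: a 256-bit AES data key as raw bytes in a file.
make_data_key() { openssl rand 32 > "$1"; }

# Step 3: a 16-byte IV as raw bytes. 16 bytes is valid for CBC, CTR and GCM.
make_iv() { openssl rand 16 > "$1"; }

# openssl enc takes -K and -iv as hex, so convert raw bytes to lowercase hex (od is POSIX).
hex_of_file() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# Step 3: encrypt the content with AES-256-CTR (no padding, so the file size is unchanged).
# Note: openssl enc cannot do GCM (AEAD ciphers are not supported by the enc utility),
# so the command-line OpenSSL route yields CBC or CTR only.
# Arguments: keyfile ivfile input output
encrypt_content() {
    openssl enc -aes-256-ctr -K "$(hex_of_file "$1")" -iv "$(hex_of_file "$2")" -in "$3" -out "$4"
}

# Local round-trip check only; MediaConvert performs the real decryption.
decrypt_content() {
    openssl enc -d -aes-256-ctr -K "$(hex_of_file "$1")" -iv "$(hex_of_file "$2")" -in "$3" -out "$4"
}

# Step 4.5: the console wants the IV bytes base64-encoded. Encode the raw bytes, not
# their hex spelling (base64 of the 32 hex characters would decode to 32 bytes, not 16).
iv_base64() { base64 < "$1" | tr -d '\n'; }

# Check an IV length against the rules above: 16 bytes with any mode, 12 only with GCM or CTR.
iv_allowed() {
    case "$1:$2" in
        cbc:16|ctr:16|gcm:16|ctr:12|gcm:12) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2: wrap the data key under the KMS key with the required encryption context
# (CLI shorthand for {"service": "mediaconvert.amazonaws.com"}). Prints the base64
# CiphertextBlob, which is the value for the console's "Encrypted data key" field.
# Needs credentials for the KMS Region; not exercised by the local check.
encrypt_data_key_with_kms() {   # encrypt_data_key_with_kms <KMS key ARN> <data key file>
    aws kms encrypt \
        --key-id "$1" \
        --plaintext "fileb://$2" \
        --encryption-context service=mediaconvert.amazonaws.com \
        --query CiphertextBlob --output text
}

# Step 5: an inline policy for the MediaConvert role that allows kms:Decrypt on this key
# only when the ciphertext carries the MediaConvert encryption context.
# Argument: KMS key ARN.
decrypt_policy_json() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "$1",
    "Condition": {
      "StringEquals": { "kms:EncryptionContext:service": "mediaconvert.amazonaws.com" }
    }
  }]
}
EOF
}

# End-to-end preparation of one input. File names are constructed placeholders.
prepare_input() {   # prepare_input <input file> <KMS key ARN>
    make_data_key datakey.bin
    make_iv iv.bin
    encrypt_content datakey.bin iv.bin "$1" "$1.enc"
    echo "Encrypted data key: $(encrypt_data_key_with_kms "$2" datakey.bin)"
    echo "Initialization vector (base64): $(iv_base64 iv.bin)"
    rm -f datakey.bin   # the plaintext key is never uploaded or pasted into the console
}
```

Run prepare_input on a file and a key ARN, upload the .enc file to Amazon S3, and paste the two printed values into the Decryption settings with Decryption mode set to CTR. The policy condition uses the kms:EncryptionContext:service condition key so the role can only decrypt ciphertexts created with the context from step 2; the key policy must still permit IAM policies on the key, as the default key policy does.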