AWS Encryption SDK & IP-based routing (Route 53)
AWS recently launched IP-based request routing through Route 53 and the AWS Encryption SDK for .NET for encrypting and decrypting data.
IP-based request routing through Route 53:
This is used when we want to route traffic based on the location of users and we know the IP addresses the traffic originates from.
Geolocation and latency-based routing already exist and work well, but IP-based routing is useful when we want to route end users coming from a particular Internet Service Provider; for example, a global video content provider may want to route end users who arrive from a particular ISP.
AWS Encryption SDK for .NET to encrypt and decrypt data:
AWS recently launched the AWS Encryption SDK for .NET to encrypt and decrypt data.
This SDK already existed for other languages, but not for .NET.
In general, to protect members' personal data we always use some kind of encryption, so that member information is secure in the system and, even if someone gains access to the data source, the information is still not visible as plain text.
There are many encryption mechanisms to choose from, and when we choose an encryption technique several questions come to mind:
- Which encryption algorithm should I use?
- How do I generate the encryption key?
- How do I protect the encryption key, and where should I store it?
- How can I make my encrypted data portable in any other programming language?
- How do I ensure that the intended recipient can read my encrypted data?
- How can I ensure my encrypted data is not modified between the time it is written and when it is read?
So working with data encryption carries several burdens that you need to take care of, especially how you use and securely store your encryption key, so that not everyone has access to the key used for data encryption.
With the AWS Encryption SDK we do not need to manage that encryption key ourselves; instead we use AWS KMS. Another benefit is that data you encrypt with the AWS Encryption SDK can be decrypted in any other language the SDK supports, because the encrypted data is produced and stored as bytes in a language-independent format.
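The questions above (how the key is generated, where it is protected, how the intended recipient is bound to the data, and how modification is detected) are all answered by the envelope-encryption pattern that the AWS Encryption SDK implements for you. The following is an added illustration of that pattern in plain .NET; it is not code from the original post and it is not the SDK's own message format. A locally generated master key stands in for the KMS key, the message layout is constructed for the demo, and it assumes .NET 8 for the AesGcm constructor that takes an explicit tag size.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added illustration of envelope encryption (not the AWS Encryption SDK's format):
// a fresh data key per message, the data key wrapped under a master key, the
// encryption context bound to the ciphertext as AAD, and tamper detection via GCM tags.
public static class EnvelopeDemo
{
    // Stand-in for the KMS key (constructed for the demo). With the real SDK the master
    // key never leaves KMS; GenerateDataKey and Decrypt are called on it instead.
    private static readonly byte[] MasterKey = RandomNumberGenerator.GetBytes(32);

    private const int NonceSize = 12, TagSize = 16, KeySize = 32;
    private const int HeaderSize = NonceSize + TagSize + KeySize + NonceSize + TagSize; // 88 bytes

    // Serialize the encryption context deterministically (sorted keys) so that the
    // writer and the reader derive identical AAD bytes from the same dictionary.
    private static byte[] ContextToAad(IDictionary<string, string> context) =>
        Encoding.UTF8.GetBytes(string.Join("\n",
            context.OrderBy(kv => kv.Key, StringComparer.Ordinal)
                   .Select(kv => kv.Key + "=" + kv.Value)));

    // Message layout (constructed for this demo):
    //   wrapNonce(12) | wrapTag(16) | wrappedDataKey(32) | nonce(12) | tag(16) | ciphertext
    public static byte[] Encrypt(byte[] plaintext, IDictionary<string, string> context)
    {
        byte[] aad = ContextToAad(context);
        byte[] dataKey = RandomNumberGenerator.GetBytes(KeySize);

        // Wrap the data key under the master key. Authenticating the context here is what
        // makes the same context required (and unchangeable) when the key is unwrapped.
        byte[] wrapNonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] wrappedKey = new byte[KeySize];
        byte[] wrapTag = new byte[TagSize];
        using (var master = new AesGcm(MasterKey, TagSize))
            master.Encrypt(wrapNonce, dataKey, wrappedKey, wrapTag, aad);

        // Encrypt the payload under the data key with the same AAD.
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagSize];
        using (var aes = new AesGcm(dataKey, TagSize))
            aes.Encrypt(nonce, plaintext, ciphertext, tag, aad);

        CryptographicOperations.ZeroMemory(dataKey); // plaintext data key is no longer needed
        return wrapNonce.Concat(wrapTag).Concat(wrappedKey)
                        .Concat(nonce).Concat(tag).Concat(ciphertext).ToArray();
    }

    // Throws CryptographicException if the message was modified or the context differs.
    public static byte[] Decrypt(byte[] message, IDictionary<string, string> expectedContext)
    {
        if (message.Length < HeaderSize)
            throw new ArgumentException("message too short to contain a wrapped key and tags");

        byte[] aad = ContextToAad(expectedContext);
        ReadOnlySpan<byte> wrapNonce  = message.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> wrapTag    = message.AsSpan(NonceSize, TagSize);
        ReadOnlySpan<byte> wrappedKey = message.AsSpan(NonceSize + TagSize, KeySize);
        ReadOnlySpan<byte> nonce      = message.AsSpan(NonceSize + TagSize + KeySize, NonceSize);
        ReadOnlySpan<byte> tag        = message.AsSpan(NonceSize + TagSize + KeySize + NonceSize, TagSize);
        ReadOnlySpan<byte> ciphertext = message.AsSpan(HeaderSize);

        // Unwrap the data key (the step KMS Decrypt performs for the real SDK).
        byte[] dataKey = new byte[KeySize];
        using (var master = new AesGcm(MasterKey, TagSize))
            master.Decrypt(wrapNonce, wrappedKey, wrapTag, dataKey, aad);

        byte[] plaintext = new byte[ciphertext.Length];
        using (var aes = new AesGcm(dataKey, TagSize))
            aes.Decrypt(nonce, ciphertext, tag, plaintext, aad);
        CryptographicOperations.ZeroMemory(dataKey);
        return plaintext;
    }

    public static void Main()
    {
        var context = new Dictionary<string, string> { { "purpose", "test" } };
        byte[] message = Encrypt(Encoding.UTF8.GetBytes("member record: constructed sample"), context);
        Console.WriteLine("round trip: " + Encoding.UTF8.GetString(Decrypt(message, context)));

        // Flip one ciphertext byte: the payload tag check fails and no plaintext is returned.
        message[^1] ^= 0x01;
        try { Decrypt(message, context); Console.WriteLine("unexpected: tampering not detected"); }
        catch (CryptographicException) { Console.WriteLine("tampered message rejected"); }
        message[^1] ^= 0x01; // undo the change

        // Different context: the AAD differs, so the data key cannot even be unwrapped.
        try { Decrypt(message, new Dictionary<string, string> { { "purpose", "other" } }); }
        catch (CryptographicException) { Console.WriteLine("wrong encryption context rejected"); }
    }
}
```

The two failure cases at the end are the point: because the context is authenticated data rather than part of the ciphertext, a reader that supplies a different context cannot recover the data key, and any change to the stored bytes is rejected rather than silently producing wrong plaintext. The real SDK gives you the same two properties, with the master key held in KMS and the wrapped data key carried in the SDK's message header.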
To work with the AWS Encryption SDK:
- Add the "AWS.EncryptionSDK" package to your project from NuGet.
- Create a KMS key and copy its ARN, which the code uses to encrypt and decrypt data.
.NET Core C# code to encrypt/decrypt data:
using Amazon;
using Amazon.KeyManagementService;
using AWS.EncryptionSDK;        // from the "AWS.EncryptionSDK" NuGet package
using AWS.EncryptionSDK.Core;
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

namespace AWSSDKEncryptionPOC
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.Write("Enter text to encrypt: ");
            string textToEncrypt = Console.ReadLine();
            EncryptDecryptText(textToEncrypt);
            Console.ReadKey();
        }

        public static void EncryptDecryptText(string textToEncrypt)
        {
            // Instantiate the AWS Encryption SDK and the material providers library.
            var encryptionSdk = AwsEncryptionSdkFactory.CreateDefaultAwsEncryptionSdk();
            var materialProviders =
                AwsCryptographicMaterialProvidersFactory.CreateDefaultAwsCryptographicMaterialProviders();

            // Credentials and key ARN are redacted placeholders. Prefer the default credential
            // chain (instance role, environment, profile) over credentials in source code.
            var awsCredentials = new Amazon.Runtime.BasicAWSCredentials("********", "********");
            string keyArn = "arn:aws:kms:us-east-1:*****:key/******";

            // Create an input object for the keyring.
            var kmsKeyringInput = new CreateAwsKmsKeyringInput
            {
                KmsClient = new AmazonKeyManagementServiceClient(awsCredentials, RegionEndpoint.GetBySystemName("us-east-1")),
                KmsKeyId = keyArn
            };

            // Create the keyring.
            var keyring = materialProviders.CreateAwsKmsKeyring(kmsKeyringInput);

            // Define an encryption context: non-secret key/value pairs that are bound to the
            // ciphertext and must be present, unchanged, when the data is decrypted.
            var encryptionContext = new Dictionary<string, string>()
            {
                {"purpose", "test"}
            };

            byte[] plaintextBytes = Encoding.UTF8.GetBytes(textToEncrypt);
            using var plaintextStream = new MemoryStream(plaintextBytes);

            // Define the encrypt input.
            var encryptInput = new EncryptInput
            {
                Plaintext = plaintextStream,
                Keyring = keyring,
                EncryptionContext = encryptionContext
            };

            // Encrypt the plaintext.
            var encryptOutput = encryptionSdk.Encrypt(encryptInput);

            // The ciphertext is a MemoryStream; copy it into a byte array that can be stored
            // in a DB varbinary column. The raw bytes are not printable, so display them as Base64.
            byte[] encryptedTextBytes = encryptOutput.Ciphertext.ToArray();
            Console.WriteLine($"\nEncrypted bytes (Base64), suitable for a DB varbinary column: {Convert.ToBase64String(encryptedTextBytes)}");

            /******** Decryption Logic ********/
            using var ciphertextStream = new MemoryStream(encryptedTextBytes);

            // Create the input object for decrypting.
            var decryptInput = new DecryptInput
            {
                Ciphertext = ciphertextStream,
                Keyring = keyring
            };

            // Decrypt the ciphertext.
            var decryptOutput = encryptionSdk.Decrypt(decryptInput);

            // Verify that the encryption context carried in the message matches what we expect,
            // so that a message encrypted for another purpose is not accepted here.
            foreach (var expected in encryptionContext)
            {
                if (!decryptOutput.EncryptionContext.TryGetValue(expected.Key, out var actual) || actual != expected.Value)
                {
                    throw new InvalidOperationException("Encryption context does not match the expected values");
                }
            }

            using var reader = new StreamReader(decryptOutput.Plaintext);
            string decryptedTextString = reader.ReadToEnd();
            Console.WriteLine($"\nDecrypted text string: {decryptedTextString}");
        }
    }
}
Output: