Using AWS KMS with golang


AWS KMS does a great job providing the necessary key infrastructure to encrypt and decrypt data. Today we will show you how you can use the AWS SKD for golang to encrypt and decrypt data.


  1. In this example we are using Custom Master Key with the name tempKey, located in the eu-central-1 region. Make sure you have created that key before you try this sample code.
  2. For authentication we are using exported credentials via environment variables. Take a look on how to achieve that with aws-vault.

Import the AWS SDK

First we need to import the relevant SDK packages.

import (

Setup a kms client

After importing the packages create a new kms client.

  sess, _ := session.NewSession(&aws.Config{
    Region: aws.String("eu-central-1")},

  svc := kms.New(sess)

Encrypt data

Now you can start encrypting your data. Define the key ID of your CMK and enter some data to encrypt. Be aware that the aws golang sdk requires binary data as Plaintext input.

  const keyID = "alias/tempKey"

  const myPassword = "super-secret"

  inputEncrypt := &kms.EncryptInput{
    KeyId:     aws.String(keyID),
    Plaintext: []byte(myPassword),
  respEncrypt, _ := svc.Encrypt(inputEncrypt)


Decrypt data

After successfully encrypting our data let's do it the other way around now. The output is again a binary blon that neesds to be converted.

  inputDecrypt := &kms.DecryptInput{
    CiphertextBlob: respEncrypt.CiphertextBlob,

  respDecrypt, _ := svc.Decrypt(inputDecrypt)


And that's it! Happy encrypting everyone. :)


The example code can be found here:

Github repository


Secure handling of AWS api keys

A brief how-to store and access local aws api keys with aws-vault.


Mar 24th 2020


Sascha Lange

AWS Landing Zone versus AWS Control Tower

What is the difference between AWS Landing Zones and AWS Control Tower? Customized Solution or Managed Service?!


Mar 23rd 2020


David Krohn

SSH and SCP with AWS SSM

Using AWS Session Manager with enhanced SSH and SCP capability to connect to your EC2 without using firewalls and bastion hosts


Feb 17th 2020


David Krohn