FreeKB - Amazon Web Services (AWS) - Create Server Side Encryption Customer (sse-c) key using OpenSSL


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

Key Management Service (KMS) is an Amazon Web Services (AWS) service that is used to manage public/private SSL key pairs, for encryption and decryption.

At a high level, there are 3 types of keys.

OpenSSL is commonly used to create a Server Side Encryption Customer (sse-c) key. The openssl rand command can be used to create the key.

openssl rand 32 > my.key

 

Then cat the my.key file, pipe the output through base64 and store the stdout in a variable named key.

key=$(cat my.key | base64)

 

The $key variable should contain a string, something like this.

~]$ echo $key
4s6iQXekYL6BxzCZX8Zn3Kr4djK42BSLgb1nP3C7qp0=

 

Then cat the my.key file again, this time piping the output through openssl dgst -md5 -binary and then through base64.

keymd5=$(cat my.key | openssl dgst -md5 -binary | base64)

 

The $keymd5 variable should contain the MD5 hash, something like this.

~]$ echo $keymd5
tAasKToBgkFA3Sy43tQjSA==

 

You should then be able to use the sse-c key. For example, I was able to upload a file to my S3 bucket using sse-c.

~]$ aws s3api put-object --bucket my-bucket-abc123 --key foo.txt --body foo.txt --sse-customer-algorithm AES256 --sse-customer-key $key --sse-customer-key-md5 $keymd5
{
    "ETag": "\"f62d7764d48743f8b59e0652b5f35d81\"",
    "SSECustomerAlgorithm": "AES256",
    "SSECustomerKeyMD5": "tAasKToBgkFA3Sy43tQjSA=="
}
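
The steps above, collected into shell functions as an added example (not code from the original article; the function names are hypothetical). It also creates the key file with owner-only permissions, rejects a key file that is not exactly 32 bytes, and hashes the raw key bytes rather than the base64 text.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Create a 32-byte (256-bit) key file; umask 077 keeps it owner-readable only.
ssec_generate_key() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing key file: $1" >&2
        return 1
    fi
    ( umask 077 && openssl rand 32 > "$1" )
}

# Fail unless the file holds exactly 32 raw bytes, as AES256 requires.
ssec_check_key() {
    size=$(( $(wc -c < "$1") ))
    if [ "$size" -ne 32 ]; then
        echo "$1 is $size bytes, expected 32" >&2
        return 1
    fi
}

# Value for --sse-customer-key: base64 of the raw key bytes.
ssec_key_b64() {
    ssec_check_key "$1" && base64 < "$1"
}

# Value for --sse-customer-key-md5: base64 of the MD5 digest of the RAW key,
# not of its base64 text (hashing the base64 string yields a mismatched digest).
ssec_key_md5() {
    ssec_check_key "$1" && openssl dgst -md5 -binary < "$1" | base64
}

# Upload with SSE-C using the flags shown in the article. The key is still
# passed as a command-line argument, so it is visible in the process list
# while aws runs.
# usage: ssec_put BUCKET OBJECT_KEY LOCAL_FILE KEY_FILE
ssec_put() {
    k=$(ssec_key_b64 "$4") || return 1
    m=$(ssec_key_md5 "$4") || return 1
    aws s3api put-object --bucket "$1" --key "$2" --body "$3" \
        --sse-customer-algorithm AES256 \
        --sse-customer-key "$k" --sse-customer-key-md5 "$m"
}
```

S3 does not store the sse-c key, so keep my.key safe: the same key and MD5 must be supplied again to read the object back.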

 



