At Rest For the Rest: Encrypting a DynamoDB

Recently, I ended up taking on the task of setting up at-rest encryption for a DynamoDB table we were going to use on our project. By the time I volunteered, we had decided on using the aws-dynamodb-encryption-java library. Amazon’s own examples in the documentation seemed fairly straightforward, so we figured it would be fairly simple.

Either I love over-complicating things, or maybe it was not so simple. Initially, we tried to rig up a solution involving envelope encryption: I had imagined that we could use Amazon KMS to manage our keys, and then use the DirectKMSMaterialsProvider as our EncryptionMaterialsProvider (both provided by the above library).

This solution, however, would not be Bouncy Castle FIPS compliant, a must for federal contracting. So instead, we decided on replicating some of the implementation from a previous project, which uses client-side encryption to lock down a Postgres database. Ultimately, since the entire payload of the DDB gets encrypted, and since the final implementation isn’t, in fact, envelope encryption, most of the actual code for this will be scrapped before we go to production. Still, I learned a fair deal about the process! Below I’ve copied a lot of the notes I jotted down along the way.

With that in mind, we’re taking the crypto tools used in that previous project, importing them into the current project, and comparing and contrasting the code used to encrypt the data.

Right now, we’re trying to get the self-signed cert from which we pull the private and public keys.

Harrison Lavin [11:09 AM]

`dynamoDBMapper().save(dynamoDB);`

[1:19 PM]

Nightmarishly, AttributeEncryptor as it was above can’t be cast, because it’s from S3, so instead I’m trying to build a provider from the DDB code.

Unfortunately, EncryptionMaterials is abstract and cannot be instantiated the way it is in S3.

Additionally, the EncryptionMaterialsProvider uses a SymmetricStaticProvider in Amazon’s test code, so I’m trying to go with that instead of the asymmetric version we were looking at with the S3 version, which I don’t understand, so.

Harrison Lavin [2:16 PM]

CryptoService to the rescue, with its ability to generate an encryptionKey (the secret key) and to retrieve the keypair that we need for the SymmetricStaticProvider.

Harrison Lavin [2:36 PM]

Compiles properly, but now all the ENV vars I set up need to be added to the Dockerfile.

In turn, it’ll boot up, but Bouncy Castle FIPS isn’t installed on it.

----- May 19th -----

Harrison Lavin [8:11 AM]

Turns out, once the provider was added, it worked like a charm.

Then, we passed in the provider to the Mapper, and the rest of the app functioned fine.

Not sure how to prove it is, in fact, encrypting the data, buuuuuut

Harrison Lavin [11:36 AM]

Thanks to the inestimable Aaron Shaf, we may have a way forward.

dynamo-local-admin-docker — A combined docker image with DynamoDB-Local and dynamo-admin.

Harrison Lavin [12:39 PM]

It turns out, we do!

By swapping out the previous docker image (which just had the DDB image, no dynamo-admin) with the above, we were able to take a look at the DDB as it was being worked on.


A case could be saved and retrieved using Swagger, free of issue.

But! If you tried to access that case from dynamodb-admin, it came back as an encrypted mess.

Only by retrieving using Swagger were we able to read the data properly.

As far as I understand encryption, we’ve done it!
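The wiring the notes describe (a SymmetricStaticProvider fed by the project’s key material, wrapped in an AttributeEncryptor and handed to the DynamoDBMapper), plus the “is it really encrypted?” check that was done above by eyeballing dynamodb-admin, as an added Java example that is not the author’s code: the `Cases` table, the `Case` entity and its `details` attribute are assumed, and `key`/`pair` stand in for whatever the post’s CryptoService returns.

```java
import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
import com.amazonaws.services.dynamodbv2.datamodeling.*;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.SymmetricStaticProvider;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import com.amazonaws.services.dynamodbv2.model.GetItemRequest;
import java.security.KeyPair;
import java.util.Collections;
import java.util.Map;
import javax.crypto.SecretKey;

public class EncryptedCaseStore {
    // Hypothetical entity; table and attribute names are assumed, not taken from the post.
    @DynamoDBTable(tableName = "Cases")
    public static class Case {
        private String caseId, details;
        @DynamoDBHashKey(attributeName = "caseId")
        public String getCaseId() { return caseId; }
        public void setCaseId(String v) { caseId = v; }
        public String getDetails() { return details; }
        public void setDetails(String v) { details = v; }
    }

    // The wiring from the notes: static provider -> AttributeEncryptor -> mapper. key and pair
    // stand for the content key and signing pair the post's CryptoService returns; the same
    // material must be loaded on every boot. SaveBehavior.PUT rewrites the whole item so the
    // signature covers every attribute.
    static DynamoDBMapper encryptedMapper(AmazonDynamoDB client, SecretKey key, KeyPair pair) {
        DynamoDBMapperConfig config = DynamoDBMapperConfig.builder()
                .withSaveBehavior(DynamoDBMapperConfig.SaveBehavior.PUT).build();
        return new DynamoDBMapper(client, config,
                new AttributeEncryptor(new SymmetricStaticProvider(key, pair)));
    }

    // The "prove it is encrypting" check: read the raw item with the plain client, which is
    // what dynamodb-admin shows. Encrypted attributes are stored as binary and the encryption
    // client adds a "*amzn-ddb-map-sig*" signature attribute; only the hash key stays plaintext.
    static boolean storedEncrypted(AmazonDynamoDB client, String caseId) {
        Map<String, AttributeValue> key = Collections.singletonMap("caseId", new AttributeValue(caseId));
        Map<String, AttributeValue> raw = client.getItem(new GetItemRequest("Cases", key)).getItem();
        return raw != null && raw.containsKey("*amzn-ddb-map-sig*")
                && raw.get("details") != null && raw.get("details").getB() != null;
    }

    // Round trip: save through the encrypting mapper, then inspect the raw row it produced.
    static boolean saveAndVerify(DynamoDBMapper mapper, AmazonDynamoDB client, String id, String text) {
        Case c = new Case();
        c.setCaseId(id); c.setDetails(text);
        mapper.save(c);
        return storedEncrypted(client, id);
    }
}
```

Run it against the DynamoDB-Local container from the notes with the `Cases` table created; `saveAndVerify` returning true is the same evidence the dynamodb-admin screen gave, just automated.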
