AWS KMS support for password encryption

AWS KMS (Amazon Web Services Key Management Service) is a service Amazon provides.

It can be used in IAM to:

  • Encrypt password hashes before storing them in the user database.
  • Encrypt passwords end-to-end from the browser (or client) to IAM.

Customers need a separate contract to use AWS KMS.

AWS KMS feature set

AWS KMS in Airlock IAM provides the following features:

  • Password encryption during transmission and/or in storage.
  • Cryptographic keys are stored in hardened & tamper-resistant devices.
  • Management of cryptographic keys in a scalable, highly available service.
  • Additional monitoring and logging of key usage.
  • Compliance with regulatory requirements on password security (e.g. Monetary Authority of Singapore - MAS).

Supported use cases

IAM integrates AWS KMS for the following use cases:

  • Password Management (Adminapp).
  • Password Letter Creation (Adminapp + Service Container).
  • Password verification (Loginapp).
  • Password change/reset (Loginapp).
  • User Self-Registration with initial password (Loginapp). Note that password policy enforcement is not supported for initial passwords set during user self-registration.

Prerequisites

To use the AWS KMS, the following prerequisites must be met:

  • To access the AWS KMS, Airlock IAM must be configured with access credentials. Customers can obtain these access credentials through their Amazon contract.
  • Password hash encryption (IAM database stores encrypted hashes) requires a symmetric key.
    • To use such a key in Airlock IAM, the ARN (Amazon Resource Name) of this key is referenced in the IAM configuration of AWS Key Management Service in the property Symmetric Key ARN.
  • E2EE - password encryption from the browser/client to IAM - requires an asymmetric key pair.
    • To use such a key in Airlock IAM, the ARN (Amazon Resource Name) of this key is referenced in the IAM configuration of AWS Key Management Service in the property RSA Asymmetric Key ARN.

AWS KMS Key Rotation

AWS KMS supports the following features that permit key rotation without restarting Airlock IAM:

  • Every key must have an ARN (Amazon Resource Name) assigned, to identify the key externally.
  • Optionally a key can also have a unique alias assigned. The alias itself is also an ARN.

When configuring E2EE in Airlock IAM it is possible to use either key identifiers or aliases in the configuration.

To support key rotation it is recommended to always use aliases and then follow these steps:

  1. Generate a new key or key pair in the AWS KMS management UI.
  2. Reassign the alias from the currently used key to the newly generated key.
  3. Keep the old key in AWS KMS.

After these steps, all newly stored password hashes will use the new key material for encryption. Existing password hashes will continue to work since the data stored in the database contains both the encrypted password hash and the key identifier that points to the key material used during encryption.
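The following added example (not Airlock IAM code and not the AWS SDK) models the symmetric-key path described above: the hash is encrypted under an alias, the record stores the concrete key ARN returned alongside the ciphertext, and after the alias is reassigned to a new key, new records use the new key while old records still decrypt because the old key is kept. `FakeKms`, the alias and key ARNs, the HMAC-based toy cipher and the two sample passwords are all constructed stand-ins so the script runs offline; a real deployment would call the KMS Encrypt/Decrypt API instead.

```python
import hashlib
import hmac
import secrets

# Constructed alias ARN standing in for the "Symmetric Key ARN" property.
ALIAS_ARN = "arn:aws:kms:eu-central-1:111122223333:alias/iam-password-hashes"


class FakeKms:
    """Offline stand-in for AWS KMS (constructed, not the real service).
    Keys are addressed by key ARN or by alias ARN; key material never leaves it."""

    def __init__(self):
        self._keys = {}      # key ARN -> 32-byte key material
        self._aliases = {}   # alias ARN -> key ARN
        self._n = 0

    def create_key(self):
        self._n += 1
        arn = f"arn:aws:kms:eu-central-1:111122223333:key/example-{self._n:04d}"
        self._keys[arn] = secrets.token_bytes(32)
        return arn

    def update_alias(self, alias_arn, key_arn):
        # Step 2 of the rotation procedure: repoint the alias, keep the old key.
        if key_arn not in self._keys:
            raise KeyError(key_arn)
        self._aliases[alias_arn] = key_arn

    def _resolve(self, key_id):
        return self._aliases.get(key_id, key_id)

    def _keystream(self, key, nonce, length):
        # Toy CTR-style keystream from HMAC-SHA256; a stand-in for KMS's AES-GCM.
        out = b""
        for i in range((length + 31) // 32):
            out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:length]

    def encrypt(self, key_id, plaintext):
        key_arn = self._resolve(key_id)          # alias -> concrete key ARN
        key = self._keys[key_arn]
        nonce = secrets.token_bytes(16)
        body = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
        # Like the real API, the response names the key actually used, not the alias.
        return {"KeyId": key_arn, "CiphertextBlob": nonce + body + tag}

    def decrypt(self, key_id, blob):
        key = self._keys[self._resolve(key_id)]
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
            raise ValueError("ciphertext integrity check failed")
        return bytes(a ^ b for a, b in zip(body, self._keystream(key, nonce, len(body))))


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def store_password(kms, password):
    """Hash first, then encrypt the hash; persist ciphertext plus the key ARN."""
    salt = secrets.token_bytes(16)
    r = kms.encrypt(ALIAS_ARN, hash_password(password, salt))
    return {"salt": salt, "key_arn": r["KeyId"], "ciphertext": r["CiphertextBlob"]}


def verify_password(kms, record, password):
    # Decrypt with the key ARN recorded at write time, never with the alias.
    stored = kms.decrypt(record["key_arn"], record["ciphertext"])
    return hmac.compare_digest(stored, hash_password(password, record["salt"]))


def rotation_demo():
    """Walk through the alias-based rotation and report what each record used."""
    kms = FakeKms()
    k1 = kms.create_key()
    kms.update_alias(ALIAS_ARN, k1)
    alice = store_password(kms, "correct horse")        # constructed sample
    k2 = kms.create_key()                                # step 1: new key
    kms.update_alias(ALIAS_ARN, k2)                      # step 2: move alias
    bob = store_password(kms, "battery staple")          # step 3: k1 stays
    return {
        "k1": k1, "k2": k2,
        "alice_key": alice["key_arn"], "bob_key": bob["key_arn"],
        "alice_ok": verify_password(kms, alice, "correct horse"),
        "alice_wrong": verify_password(kms, alice, "battery staple"),
        "bob_ok": verify_password(kms, bob, "battery staple"),
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The design point worth noting is that the alias is only used at encryption time; what lands in the database is the key ARN returned by KMS, which is why reassigning the alias cannot break existing records and why the old key must not be deleted.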

E2EE between a client and IAM will immediately switch to the new key since the client receives the public key during the initial phase of the E2EE protocol.