Create a symmetric KMS key (AES-256) in your account and attach a key policy that grants your application's IAM role kms:GenerateDataKey and kms:Decrypt, and grants a separate admin role kms:DescribeKey plus the key management actions
To encrypt data, call GenerateDataKey with the key ARN and KeySpec=AES_256; the response contains a plaintext data key and a CiphertextBlob, which is that same data key encrypted under the KMS key
Encrypt your data locally with the plaintext data key using an authenticated encryption mode (AES-GCM is recommended, with a fresh random nonce for every message); zero the plaintext data key in memory as soon as the local encryption finishes
Store the ciphertext blob alongside the encrypted data (e.g., as a header field); never store the plaintext data key anywhere
To decrypt, pass the stored ciphertext blob to the KMS Decrypt API, use the plaintext data key it returns to decrypt the local ciphertext, and zero the key after use
Enable automatic KMS key rotation (annual by default for symmetric keys; earlier key material is retained, so existing ciphertext blobs still decrypt without re-encryption) and configure CloudTrail to log all KMS API calls for auditability
Known gotchas
GenerateDataKey is a network call to KMS; you can cache the data key for the duration of a single encryption session, but never persist the plaintext key to disk or write it to logs
If the data key was wrapped under a different KMS key than the one you expect, or that key has since been disabled, Decrypt will fail; check the key ARN stored with the ciphertext before calling Decrypt
Cross-region use requires a KMS key (or a multi-region key replica) in each region: a key in us-east-1 cannot be used directly for Decrypt calls made against KMS in eu-west-1
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp