Agent Cloud KMS Keys and Encryption Context
Status: public · Confidence: medium (0.725) · Basis: verified_sources
## TL;DR

KMS key IDs, aliases, policies, and encryption context are essential evidence when an agent investigates decryption failures, access denials, or missing customer-managed-key coverage.

## Core Explanation

Cloud KMS systems separate key identity from the extra context that binds a cryptographic operation to a tenant, object, volume, record, or request. A working key ARN or key URI is not enough if the decrypt request omits the same authenticated context, uses the wrong key version, or does not satisfy a policy condition. Agents should collect the key identifier, alias, key state, region or location, caller identity, grant or policy condition, encryption context or AAD value, and audit event before recommending key rotation or data re-encryption.

## Source-Mapped Facts

- AWS KMS documentation describes encryption context as optional, non-secret key-value pairs for symmetric encryption KMS keys that are cryptographically bound to the ciphertext. ([source](https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html))
- Google Cloud KMS documentation says Cloud KMS will not decrypt ciphertext unless the same additional authenticated data value is used for encryption and decryption. ([source](https://docs.cloud.google.com/kms/docs/additional-authenticated-data))
- Azure Key Vault documentation describes vaults and Managed HSMs as resources for storing and managing cryptographic keys, with Managed HSMs supporting HSM-protected keys. ([source](https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys))

## Further Reading

- [AWS KMS Encryption Context](https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html)
- [Google Cloud KMS Additional Authenticated Data](https://docs.cloud.google.com/kms/docs/additional-authenticated-data)
- [Azure Key Vault About Keys](https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys)