by TheDong 3106 days ago
Threat-model wise, this seems no different from storing the decryption secret on disk (wherever the access/secret keys are stored in this setup), with one exception: remotely-revokable keys.

That is a nice property and a pretty cool way to achieve it.


There are a few different revocation options:

* `grant-computer` creates a KMS grant as per http://docs.aws.amazon.com/kms/latest/developerguide/grants.... . `revoke-computer` removes the grant without touching the keys.

* The AWS access keys for the IAM user the tool uses, which can be rotated, revoked, recreated, etc...

* The per-disk encryption key, which can be deleted from DynamoDB

* The KMS CMK, which can be deleted, disabled, etc...

I mainly wanted to solve having to plug in a keyboard and type something in, or having a key on a USB stick and be diligent enough to take it out of the home.
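To make the four revocation layers listed above concrete, here is a small local model of the chain a machine has to pass through at boot to get its disk key back. This is an added illustration, not the tool's own code: KMS, IAM and DynamoDB are replaced by in-memory stand-ins, the wrapping cipher is a deliberately simple HMAC keystream used only so the example runs offline, and every name in it (`Vault`, `grant_computer`, `unlock_disk`, the `sda2` disk id, the `laptop` user) is an assumption made for the example.

```python
"""Local model of the revocation layers: KMS grant, IAM access key,
per-disk wrapped key in a table, and the CMK itself. Added example;
all names and the stand-in cipher are assumptions, not the tool's code."""
import hashlib
import hmac
import os


class RevokedError(Exception):
    """Some layer in the chain refused to release the disk key."""


def _wrap(key: bytes, data: bytes) -> bytes:
    # Stand-in for the real wrapping cipher: XOR with an HMAC-SHA256 counter
    # keystream. Symmetric, so the same call unwraps. Only for this model.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class Vault:
    """In-memory stand-in for the KMS CMK + grants, IAM keys and the key table."""

    def __init__(self):
        self.cmk = os.urandom(32)        # CMK key material (option 4 disables it)
        self.cmk_enabled = True
        self.grants = {}                 # grant_id -> IAM user name (option 1)
        self.access_keys = {}            # access key id -> IAM user (option 2)
        self.wrapped_keys = {}           # disk_id -> wrapped disk key (option 3)

    # --- IAM ------------------------------------------------------------
    def issue_access_key(self, user: str) -> str:
        key_id = "AKIA" + os.urandom(6).hex().upper()   # constructed id format
        self.access_keys[key_id] = user
        return key_id

    def rotate_access_key(self, key_id: str) -> str:
        user = self.access_keys.pop(key_id)
        return self.issue_access_key(user)

    # --- per-disk key table ----------------------------------------------
    def provision_disk(self, disk_id: str) -> bytes:
        disk_key = os.urandom(32)
        self.wrapped_keys[disk_id] = _wrap(self.cmk, disk_key)
        return disk_key                 # caller formats the disk with this

    def delete_disk_key(self, disk_id: str) -> None:
        self.wrapped_keys.pop(disk_id, None)

    # --- grants (grant-computer / revoke-computer) ------------------------
    def grant_computer(self, user: str) -> str:
        grant_id = os.urandom(8).hex()
        self.grants[grant_id] = user
        return grant_id

    def revoke_computer(self, grant_id: str) -> None:
        self.grants.pop(grant_id, None)   # keys untouched, only the grant goes

    # --- the boot-time path ------------------------------------------------
    def unlock_disk(self, key_id: str, disk_id: str) -> bytes:
        """Return the plaintext disk key, or raise RevokedError if any layer blocks."""
        user = self.access_keys.get(key_id)
        if user is None:
            raise RevokedError("IAM access key rotated or deleted")
        if disk_id not in self.wrapped_keys:
            raise RevokedError("per-disk key removed from the table")
        if not self.cmk_enabled:
            raise RevokedError("CMK disabled or deleted")
        if user not in self.grants.values():
            raise RevokedError("no KMS grant for this computer's user")
        return _wrap(self.cmk, self.wrapped_keys[disk_id])


def can_unlock(vault: Vault, key_id: str, disk_id: str) -> bool:
    try:
        vault.unlock_disk(key_id, disk_id)
        return True
    except RevokedError:
        return False


def demo() -> list:
    """Exercise each revocation option in turn; returns the unlock outcome after each."""
    v = Vault()
    key_id = v.issue_access_key("laptop")
    disk_key = v.provision_disk("sda2")
    grant = v.grant_computer("laptop")
    results = [v.unlock_disk(key_id, "sda2") == disk_key]   # everything in place
    v.revoke_computer(grant)                                 # option 1: revoke grant
    results.append(can_unlock(v, key_id, "sda2"))
    v.grant_computer("laptop")                               # re-grant restores access
    results.append(can_unlock(v, key_id, "sda2"))
    old_key, key_id = key_id, v.rotate_access_key(key_id)    # option 2: rotate IAM key
    results.append(can_unlock(v, old_key, "sda2"))           # old key is dead
    results.append(can_unlock(v, key_id, "sda2"))            # grant is per user, new key works
    v.cmk_enabled = False                                    # option 4: disable the CMK
    results.append(can_unlock(v, key_id, "sda2"))
    v.cmk_enabled = True
    results.append(can_unlock(v, key_id, "sda2"))
    v.delete_disk_key("sda2")                                # option 3: drop the table row
    results.append(can_unlock(v, key_id, "sda2"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the grant and the IAM key are the cheap, reversible levers (revoking a grant leaves every key in place, and rotating the access key does not disturb the grant because it is tied to the IAM user), while deleting the table row or the CMK is the one-way option.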

Once secret data, especially potentially valuable but small data, is shared beyond one's own control, never assume it can be or has been deleted. In fact, one should probably assume the opposite. Has it been saved? Probably not, but it could easily be. Carefully evaluate your threat model, the risk might be small enough to be acceptable, but always exercise great care in saying "but it can be/has been forgotten".