aws-samples / aws-nitro-enclaves-workshop

AWS Nitro Enclaves Workshop
https://nitro-enclaves.workshop.aws

KMS error. Decryption failed. #32

Closed dz902 closed 2 years ago

dz902 commented 2 years ago

Following this:

https://nitro-enclaves.workshop.aws/en/my-first-enclave/cryptographic-attestation.html

The encrypted text could not be decrypted with error.

{
    "error": "KMS Error. Decryption Failed."
}

The ciphertext was printed on screen. When I copy it down, base64 decode it into binary, then with AWS CLI I could decrypt it okay.

I thought it was the encoding, but when I decode string.encrypted into string.encrypted.binary and use it as the argument, client.py complains about being unable to read it with utf-8 encoding.

I can see that the string is read and passed into enclave with no modification. KMS SDK seems to accept ciphertext directly without the binary conversion.

I'm not sure what went wrong. Please advise. Thanks!

dz902 commented 2 years ago

Also I do not see Decrypt calls in CloudTrail, even failed ones.

jdbean commented 2 years ago

Hi @dz902 thanks for reaching out. It's a bit tricky to debug this without more specific context. My first instinct, based on the CloudTrail comment, is that you may have an issue on the parent instance with proxying the request.

Have you confirmed that the vsock proxy systemd service has been enabled and started using the default configuration?

sudo systemctl enable nitro-enclaves-vsock-proxy.service
sudo systemctl start nitro-enclaves-vsock-proxy.service

If you're sure that the vsock proxy is running correctly have you confirmed that the parent instance itself is able to reach KMS successfully?
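The two things the thread turns on are (a) what form the ciphertext file is in when client.py reads it and (b) whether the parent can even reach KMS through the vsock proxy. The script below is an added example written for this thread; it is not part of the workshop or of client.py. It assumes that string.encrypted should hold the base64 text that `aws kms encrypt` prints (which is the form client.py reads as UTF-8 text), that the proxy unit is named nitro-enclaves-vsock-proxy.service as in the comment above, and that boto3 is installed on the parent for the reachability check. A decrypt from the parent that succeeds shows up in CloudTrail; if the enclave's request never produces any Decrypt event at all, the request is not leaving the parent, which points at the proxy rather than at the key policy.

```python
"""Parent-side preflight for the workshop's KMS decrypt step (added example,
not workshop code).

Checks:
  1. the ciphertext file is base64 text, not the decoded binary blob;
  2. the vsock proxy systemd unit is enabled and active;
  3. the parent itself can decrypt via KMS (optional, needs boto3).
"""
import base64
import binascii
import shutil
import subprocess
import sys

# Unit name as given in the thread (assumption: default workshop setup).
VSOCK_PROXY_UNIT = "nitro-enclaves-vsock-proxy.service"

# Constructed sample blob used for self-checks; a real KMS ciphertext is longer.
SAMPLE_RAW = bytes(range(32))
SAMPLE_B64 = base64.b64encode(SAMPLE_RAW).decode()


def classify_ciphertext(data: bytes) -> str:
    """Return 'empty', 'base64' or 'binary' for the bytes read from a file.

    Binary KMS blobs contain control bytes and bytes above 0x7e, which is
    exactly what makes client.py's UTF-8 read fail; base64 text never does.
    """
    stripped = data.strip()
    if not stripped:
        return "empty"
    if any(b < 0x20 or b > 0x7E for b in stripped):
        return "binary"
    try:
        base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return "binary"
    return "base64"


def prepare_ciphertext_for_enclave(data: bytes) -> str:
    """Normalise file contents to the base64 string the client passes on.

    A file that was already base64-decoded (e.g. string.encrypted.binary)
    is re-encoded; empty input is an error rather than a silent KMS failure.
    """
    kind = classify_ciphertext(data)
    if kind == "empty":
        raise ValueError("ciphertext file is empty")
    if kind == "binary":
        return base64.b64encode(data).decode()
    return data.strip().decode("ascii")


def vsock_proxy_state() -> dict:
    """Query systemd for the proxy unit; reports unavailability off-box."""
    if shutil.which("systemctl") is None:
        return {"available": False}

    def query(verb: str) -> str:
        proc = subprocess.run(
            ["systemctl", verb, VSOCK_PROXY_UNIT],
            capture_output=True, text=True, check=False,
        )
        return proc.stdout.strip() or proc.stderr.strip()

    return {"available": True,
            "enabled": query("is-enabled"),
            "active": query("is-active")}


def parent_can_decrypt(ciphertext_b64: str, region: str) -> bool:
    """Decrypt on the parent with boto3 (assumption: boto3 present).

    Success proves the parent reaches KMS and the instance role may decrypt,
    narrowing an enclave failure to the proxy path or attestation conditions.
    """
    import boto3  # imported lazily so the file checks work without it
    from botocore.exceptions import BotoCoreError, ClientError

    kms = boto3.client("kms", region_name=region)
    try:
        kms.decrypt(CiphertextBlob=base64.b64decode(ciphertext_b64))
    except (ClientError, BotoCoreError) as exc:
        print(f"parent decrypt failed: {exc}")
        return False
    return True


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "string.encrypted"
    with open(path, "rb") as fh:
        contents = fh.read()
    print("ciphertext file kind:", classify_ciphertext(contents))
    print("vsock proxy:", vsock_proxy_state())
    if len(sys.argv) > 2:  # region given: also try the parent-side decrypt
        print("parent can decrypt:",
              parent_can_decrypt(prepare_ciphertext_for_enclave(contents),
                                 sys.argv[2]))
```

Run it on the parent as `python3 preflight.py string.encrypted us-east-1`; the region argument is optional and only enables the boto3 decrypt. A reported kind of `binary` means the file was decoded one step too far for client.py, and a proxy state other than `enabled`/`active` matches the no-CloudTrail-events symptom described above.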

jdbean commented 2 years ago

@dz902 is this issue still active for you?

jdbean commented 2 years ago

Closing this issue out for the time being due to lack of activity and insufficient data to identify the underlying cause of the error. Will reopen in the event that additional information becomes available.