Closed dz902 closed 2 years ago
Also I do not see Decrypt calls in CloudTrail, even failed ones.
Hi @dz902, thanks for reaching out. It's a bit tricky to debug this without more specific context. My first instinct, based on the CloudTrail comment, is that you may have an issue on the parent instance with proxying the request.
Have you confirmed that the vsock proxy systemd service has been enabled and started using the default configuration?
sudo systemctl enable nitro-enclaves-vsock-proxy.service
sudo systemctl start nitro-enclaves-vsock-proxy.service
If you're sure that the vsock proxy is running correctly, have you confirmed that the parent instance itself is able to reach KMS successfully?
@dz902 is this issue still active for you?
Closing this issue out for the time being due to lack of activity and insufficient data to identify underlying cause of error. Will reopen in the event that additional information becomes available.
Following this:
https://nitro-enclaves.workshop.aws/en/my-first-enclave/cryptographic-attestation.html
The encrypted text could not be decrypted with error.
The ciphertext was printed on screen. When I copy it down, base64 decode it into binary, then with AWS CLI I could decrypt it okay.
I thought it was the encoding, but when I decode string.encrypted into string.encrypted.binary and use it as argument, client.py complains about unable to read it with utf-8 encoding.
I can see that the string is read and passed into enclave with no modification. KMS SDK seems to accept ciphertext directly without the binary conversion.
I'm not sure what went wrong. Please advise. Thanks!