Closed whummer closed 3 years ago
Hi @whummer
A fun quirk of KMS via the CLI
encrypt
returns a base64 encoded string.decrypt
expects a raw (non-base64) input.Thus hopefully the following works as you'd expect:
key_id=$(awslocal kms create-key | jq -r '.KeyMetadata.KeyId')
awslocal kms create-alias --alias-name alias/test --target-key-id $key_id
encrypted=$(awslocal kms encrypt --plaintext=test --key-id=alias/test --query=CiphertextBlob --output text)
echo $encrypted | base64 --decode > encrypted.dat
awslocal kms decrypt --output text --query=Plaintext --ciphertext-blob fileb://encrypted.dat
I will sense check that error message when I get a moment to ensure it matches what AWS actually return.
There are examples of doing symmetric encryption with KMS here: https://nsmith.net/aws-kms-cli
@whummer Looking into this further, I am struggling to replicate your issue.
What you had runs fine for me, with the exception of your --query=
on the decrypt needs to be looking for Plaintext
. So:
key_id=$(awslocal kms create-key | jq -r '.KeyMetadata.KeyId')
awslocal kms create-alias --alias-name alias/test --target-key-id $key_id
encrypted=$(awslocal kms encrypt --plaintext=test --key-id=alias/test --query=CiphertextBlob --output text)
awslocal kms decrypt --output text --query=Plaintext --ciphertext-blob $encrypted
Do you know what version of Local KMS you're seeing your exception on?
Thanks for your quick response @nsmithuk . Looks like there seems to be a difference between AWS CLI v1 and v2.
In the test below, awslocal
is using the v1 CLI, and awslocal2
is using the v2 CLI. It seems to be working with v2, but not with v1:
$ awslocal kms decrypt --ciphertext-blob $(awslocal kms encrypt --plaintext=test --key-id=alias/test --query=CiphertextBlob --output text)
An error occurred (AccessDeniedException) when calling the Decrypt operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
$ awslocal2 kms decrypt --ciphertext-blob $(awslocal2 kms encrypt --plaintext=test --key-id=alias/test --query=CiphertextBlob --output text)
{
"KeyId": "arn:aws:kms:eu-central-1:000000000000:key/3c6edd3d-b405-4854-81ec-fc0b94e7e0f4",
"Plaintext": "test",
"EncryptionAlgorithm": "SYMMETRIC_DEFAULT"
}
I think we can close this issue for now - will create follow-up tickets in case any other issues come up. Thanks!
Hi @nsmithuk - thanks for providing this great library. (As you know, we're happily using it in LocalStack..)
Question regarding encrypt/decrypt roundtrip - this might be related to incorrect usage, or potentially may point to an issue in the implementation.
If you can point us in the right direction, we can also try to contribute a PR to fix this issue (just wanted to confirm first if there's a workaround for this). Thanks for your help!