Hi there, great work on this! I used it in the past days and it is awesome!
During my usage, I noticed that nowadays there is some different between encrypted files using KMS. I noticed that in some older files, we had the plain-text string identifying the key-id used to encrypt the file, and this information is used by local-kms (and AWS KMS) to identify which key to use if not specifying --key-id.
But recent versions changed that. The information about the key is still there, but it appears to be in a binary format. Here is an example:
Because of that, I believe the UnpackCiphertextBlob and Decrypt functions don't support this "new format". I don't know binary parsing much, so I could be wrong.
Using the same key material on both ends, I can't use local-kms to decrypt the new format:
$ aws --region us-east-1 --endpoint-url=http://localhost:8080 kms decrypt --ciphertext-blob fileb://sample-new-format.bin --output text --query Plaintext | base64 -d
An error occurred (AccessDeniedException) when calling the Decrypt operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
and from the local-kms logs I can see that it didn't find the key-id:
WARN[2022-11-10 18:55:35.361] Key 'arn:aws:kms:us-east-1:1234567890:key/' does not exist
If I specify the key-id, it doesn't decrypt it well:
$ aws --region us-east-1 --endpoint-url=http://localhost:8080 kms decrypt --key-id "abcdef123-4567-890a-bcde-f1234567890ab" --ciphertext-blob fileb://sample-new-format.bin --output text --query Plaintext | base64 -d
An error occurred (InvalidCiphertextException) when calling the Decrypt operation:
and from the local-kms logs:
WARN[2022-11-10 18:56:38.393] Unable to decode Ciphertext: required version of backing key is invalid
Using the old format works flawlessly.
So the main issue is: are you aware of this "new format", and if so, is there any plans to support it?
Hi there, great work on this! I used it in the past days and it is awesome!
During my usage, I noticed that nowadays there is some different between encrypted files using KMS. I noticed that in some older files, we had the plain-text string identifying the key-id used to encrypt the file, and this information is used by local-kms (and AWS KMS) to identify which key to use if not specifying
--key-id.But recent versions changed that. The information about the key is still there, but it appears to be in a binary format. Here is an example:
Because of that, I believe the
UnpackCiphertextBlobandDecryptfunctions don't support this "new format". I don't know binary parsing much, so I could be wrong.Using the same key material on both ends, I can't use local-kms to decrypt the new format:
and from the local-kms logs I can see that it didn't find the key-id:
If I specify the
key-id, it doesn't decrypt it well:and from the local-kms logs:
Using the old format works flawlessly.
So the main issue is: are you aware of this "new format", and if so, is there any plans to support it?
Thank you so much.