Reputation: 67
AWS SDK for PHP - Decrypting a Password
For a project I'm working on, I'm using the Amazon AWS SDK for PHP, and I needed to retrieve a password for a server environment in plain text format. However, the documentation for the ec2 method confirmed what we found: the method would only return an encrypted string. On the surface, this was good, because the AWS SDK for PHP uses an unencrypted HTTP POST request to send and receive data via cURL, invisibly to the user. So we don't our password data just flying around the web.
The problem was that there was nothing explaining how to decrypt the string. I had my private key as a PEM file, but there was no method or documentation for what to do with that string to make it usable. Several attempts yielded nothing, and I was beginning to think that I needed to rethink my strategy for the project I'm on, but then I found the code from the last version of the AWS SDK for PHP, and it revealed how to go about decrypting the string to produce a plain text form of the password.
Upvotes: 2
Views: 461
Answers (1)
Reputation: 67
The answer I found was that the getPasswordData method returns a string that is BOTH base64 encoded AND encrypted. You need to decode it with base64_decode() before you can successfully decrypt it with PHP's OpenSSL library. The following function takes care of both:
/**
* @param obj $ec2_client The EC2 PHP client, from the AWS SDK for PHP
* @param string $client_id The ID of the client whose password we're trying to get.
* @return mixed The unencrypted password for the client, or false on failure.
*/
function aws_get_ec2_password($ec2_client, $client_id){
// First, run getPasswordData to get the Password Data Object.
$pw_obj = $ec2_client->getPasswordData($client_id);
// Next, use the local get() method to isolate the password
$pw_b64 = $pw_obj->get("PasswordData");
// Decode the password string.
$pw_encrypted = base64_decode($pw_b64);
// Now, get your PEM key.
//
// You can also use a raw string of the PEM key instead of get_file_contents(),
// or adjust the function so that you can pass it as an argument.
//
// Technically, this step might not be necessary, as the documentation for
// openssl_private_decrypt() suggests that $key can just be the path, and it will
// create the key object internally.
$key = openssl_get_privatekey(file_get_contents("path/to/key.pem"));
// Create an empty string to hold the password.
$pw = "";
// Finally, decrypt the string and return (will return false if decryption fails).
if(openssl_private_decrypt($pw_encrypted, $pw, $key)){
return $pw;
}else{
return false;
}
}
I hope this helps someone else avoid the headaches it gave me!
Upvotes: 2
Related Questions
- Access aws services without key & secret in php
- How to encrypt / decrypt AES with Libsodium-PHP
- AWS SDK PHP - Cannot read credentials from /.aws/credentials
- AWS PHP SDK: Bucket Encryption Not Working
- Cypher method for openssl_encrypt
- Amazon S3 Customer Provided Encryption with PHP SDK
- Encrypt - Decrypt AES PHP
- password encryption for use by aws automated process
- AWS PHP S3 stream wrapper server side encryption
- How to get aws sever-side encrypted object