user331244

Reputation: 611

aws-encryption-cli: How to decrypt when a profile was set during encryption?

I have a key in KMS that I want to use for decrypting in a shell script. I have installed aws-encryption-cli (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/crypto-cli.html).

The hello world example works fine in my development environment, where I have created a KMS key (its ARN is stored in the variable $dev_key_arn).

> echo 'Hello World' | aws-encryption-cli --encrypt --master-keys key=$dev_key_arn --input - --output - --encode -S | aws-encryption-cli --decrypt  --input - --output - --decode -S
Hello World

I also have a production environment, so I want to use the KMS key $prod_key_arn. I have valid AWS credentials in a profile called prod, so I would expect

> echo 'Hello World' | aws-encryption-cli --encrypt --master-keys key=$prod_key_arn profile=prod region=eu-west-1   --input - --output - --encode -S | aws-encryption-cli --decrypt  --input - --output - --decode -S
Encountered unexpected error: increase verbosity to see details.
DecryptKeyError("Unable to decrypt any data key")

But it fails with the above message. If I examine the encrypted message, I see that it successfully encrypts the message

> aws-encryption-cli --encrypt --master-keys key=arn:aws:kms:eu-west-1:953495156568:key/2197020f-5b3c-4d05-bffc-04cf6114e405 profile=prod region=eu-west-1 provider=aws-kms  --input /tmp/prod_key --output - --encode -S
AYADePCKfZUuL<....>iza1AU=

The ARN of the key is stored in the encrypted material (a base64 decode shows it). But where does the information about the profile go? It cannot be passed in as a parameter when decoding, and it does not seem to be part of the encoded material.

Upvotes: 0

Views: 3184

Answers (1)

mattsb42-aws

Reputation: 306

aws-encryption-cli author here. :)

The problem you are encountering is that in your encrypt command you set the profile to "prod", but in your decrypt command you did not set a profile, so it is using your default profile.

aws-encryption-cli --decrypt  --input - --output - --decode -S

If you add in a master key definition identifying the profile you want to use, it should work.

aws-encryption-cli --decrypt --master-keys provider=aws-kms profile=prod  --input - --output - --decode -S

Because we default to the aws-kms provider if you don't specify a name, just specifying the profile should also work, but I prefer to identify the provider since that makes the intention clearer.

aws-encryption-cli --decrypt --master-keys profile=prod  --input - --output - --decode -S

If you run into any other issues with aws-encryption-cli, please feel free to open an issue in our GitHub repo [1].

[1] https://github.com/aws/aws-encryption-sdk-cli

Upvotes: 2
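The question observes, by base64-decoding the output, that the key ARN is in the encrypted material but the profile is not, and the answer explains that the decrypt side therefore has to be told which profile to use. The following is an added example, not code from the question, the answer, or the aws-encryption-sdk-cli project: a parser for the AWS Encryption SDK message header in format version 1, the format behind the "AYAD..." output above (version byte 0x01, type 0x80, algorithm ID 0x0378), following the layout in the AWS Encryption SDK message format reference. It shows exactly what the ciphertext records about the master key. The sample header is constructed inside the block with a made-up key ARN, a dummy wrapped data key and a zero IV and tag; the constant names and the build_v1_header helper are this example's own, not an SDK API.

```python
"""Added example (not from the question, the answer or aws-encryption-sdk-cli):
parse the AWS Encryption SDK message header, format version 1, and list the
master-key information it carries. The fixture at the bottom is constructed."""
import base64
import struct
from typing import Dict, List, NamedTuple, Tuple

VERSION_1 = 0x01
TYPE_CUSTOMER_AED = 0x80
ALG_AES_256_GCM_HKDF_SHA384_ECDSA_P384 = 0x0378  # the CLI's default suite
CONTENT_TYPE_FRAMED = 0x02
KMS_PROVIDER_ID = "aws-kms"


class EncryptedDataKey(NamedTuple):
    provider_id: str    # "aws-kms" for KMS-wrapped data keys
    provider_info: str  # for aws-kms this is the key ARN
    ciphertext: bytes   # the data key as wrapped by KMS


class Header(NamedTuple):
    algorithm_id: int
    message_id: bytes
    encryption_context: Dict[str, str]
    encrypted_data_keys: List[EncryptedDataKey]
    content_type: int
    iv_length: int
    frame_length: int


def _u16(b: bytes, off: int) -> Tuple[int, int]:
    return struct.unpack_from(">H", b, off)[0], off + 2


def _field(b: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 2-byte big-endian length followed by that many bytes."""
    n, off = _u16(b, off)
    return b[off:off + n], off + n


def parse_v1_header(msg: bytes) -> Header:
    """Parse a format-version-1 header; raise ValueError for anything else."""
    if msg[0] != VERSION_1 or msg[1] != TYPE_CUSTOMER_AED:
        raise ValueError(f"unsupported version/type {msg[0]:#x}/{msg[1]:#x}")
    alg_id = struct.unpack_from(">H", msg, 2)[0]
    message_id, off = msg[4:20], 20
    aad_len, off = _u16(msg, off)
    aad_end, ctx = off + aad_len, {}
    if aad_len:  # AAD is the encryption context: pair count, then (key, value) pairs
        count, off = _u16(msg, off)
        for _ in range(count):
            k, off = _field(msg, off)
            v, off = _field(msg, off)
            ctx[k.decode()] = v.decode()
    if off != aad_end:
        raise ValueError("AAD length does not match its contents")
    edk_count, off = _u16(msg, off)
    edks = []
    for _ in range(edk_count):  # provider ID, provider info, wrapped data key
        pid, off = _field(msg, off)
        pinfo, off = _field(msg, off)
        ct, off = _field(msg, off)
        edks.append(EncryptedDataKey(pid.decode(), pinfo.decode(), ct))
    content_type, off = msg[off], off + 1
    if msg[off:off + 4] != b"\x00\x00\x00\x00":
        raise ValueError("reserved field must be zero")
    off += 4
    iv_length, off = msg[off], off + 1
    frame_length = struct.unpack_from(">I", msg, off)[0]
    # The header IV and 16-byte authentication tag follow; not verified here.
    return Header(alg_id, message_id, ctx, edks, content_type, iv_length, frame_length)


def kms_key_arns(header: Header) -> List[str]:
    """Everything the message tells a decryptor about the master key: the ARN(s)."""
    return [e.provider_info for e in header.encrypted_data_keys
            if e.provider_id == KMS_PROVIDER_ID]


def encoded_prefix(msg: bytes) -> str:
    """First four characters of the CLI's --encode (standard base64) output."""
    return base64.b64encode(msg)[:4].decode()


def _lv(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_v1_header(key_arn: str, wrapped_key: bytes, context: Dict[str, str],
                    message_id: bytes, iv: bytes, tag: bytes, frame_length: int = 4096) -> bytes:
    """Serialize a v1 header with one aws-kms data key (only used to build the fixture)."""
    aad = b""
    if context:  # pairs are stored sorted by key
        aad = struct.pack(">H", len(context)) + b"".join(
            _lv(k.encode()) + _lv(v.encode()) for k, v in sorted(context.items()))
    edk = _lv(KMS_PROVIDER_ID.encode()) + _lv(key_arn.encode()) + _lv(wrapped_key)
    return (bytes([VERSION_1, TYPE_CUSTOMER_AED])
            + struct.pack(">H", ALG_AES_256_GCM_HKDF_SHA384_ECDSA_P384) + message_id
            + _lv(aad) + struct.pack(">H", 1) + edk + bytes([CONTENT_TYPE_FRAMED])
            + b"\x00" * 4 + bytes([len(iv)]) + struct.pack(">I", frame_length) + iv + tag)


# Constructed fixture: made-up ARN, dummy wrapped key, zero IV and tag. Not real KMS output.
SAMPLE_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SAMPLE_MESSAGE = build_v1_header(SAMPLE_KEY_ARN, b"\x11" * 184, {"purpose": "demo"},
                                 message_id=bytes(range(16)), iv=b"\x00" * 12, tag=b"\x00" * 16)

if __name__ == "__main__":
    hdr = parse_v1_header(SAMPLE_MESSAGE)
    print(encoded_prefix(SAMPLE_MESSAGE), kms_key_arns(hdr), b"profile" in SAMPLE_MESSAGE)
```

Running it prints the same "AYAD" prefix the question shows, the key ARN, and False for any mention of a profile: the message identifies the key (and, through the ARN, its region) but says nothing about which credentials may call KMS for it, which is why the decrypt command has to carry its own `--master-keys profile=prod` definition.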
