
I am trying to decrypt a locally encrypted file using AWS KMS. The AWS KMS key was already created via the console and then I’m using the CLI to do the encryption and decryption. The decryption is failing.

I have created a customer managed AWS KMS key on AWS, here’s the output from aws kms describe-key command:

{
    "KeyMetadata": {
        "AWSAccountId": "<redacted>",
        "KeyId": "<redacted>",
        "Arn": "arn:aws:kms:eu-west-2:<redacted>:key/<redacted>",
        "CreationDate": "2022-11-01T14:02:40.684000+00:00",
        "Enabled": true,
        "Description": "CST MED1 FORT-B",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "MultiRegion": false
    }
}

I can successfully encrypt a local file using this command:

aws kms encrypt --key-id <redacted> --plaintext fileb://field342med1 --output text --query CiphertextBlob --region eu-west-2 > field342med1.encrypted

However when decrypting this file using the following command:

aws kms decrypt --ciphertext-blob fileb://field342med1.encrypted --query Plaintext

I get the following error:

An error occurred (InvalidCiphertextException) when calling the Decrypt operation:

I have changed the fileb:// to file:// which eliminates the error, but it’s not decrypted to what was in the original plain text file.

Any ideas please?

Any ideas how I can resolve this please?

2 Answers


  1. Chosen as BEST ANSWER

    It was a helpful response and pointer by jellycsc but still not quite worked for me. The link to the AWS CLI doc provided by jellycsc is where I eventually got the correct answer from.

    Even though my initial encryption command worked, I wasn't base64 encoding the file when encrypting it. I would have thought that wasn't necessary but it seems it is. Here's the command to do this correctly:

    aws kms encrypt --key-id <redacted> --plaintext fileb://field342med1  --output text --query CiphertextBlob | base64 --decode > field342med1.encrypted
    

    Then to successfully decrypt the encrypted file we do:

    aws kms decrypt --ciphertext-blob fileb://field342med1.encrypted --query Plaintext --output text | base64 --decode
    

    There is no need to pass in the key-id for the decryption step as its reference is contained in the metadata of the encrypted file.

    Hope that helps others, but thanks again to jellycsc for the pointers.


  2. You are on the right track. The reason why your decrypted file is different from the original plain text file is that the result is base64 encoded.

    Here is the CLI doc for aws kms decrypt:

    Plaintext -> (blob)

    Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.

    Therefore, the following command will give you back the original text:

    aws kms decrypt --ciphertext-blob file://field342med1.encrypted --query Plaintext --output text | base64 -D
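Both answers turn on the same point: with `--output text` the CLI prints the CiphertextBlob and the Plaintext as base64 text, while `fileb://` sends a file's raw bytes, so the base64 layer has to be stripped once when the ciphertext is written to disk and once more after decrypt. The script below is an added example, not the AWS CLI and not the commands from either answer: `kms_stub_encrypt` and `kms_stub_decrypt` are constructed stand-ins that copy only that encoding behaviour (local OpenSSL AES-256-CBC with a throwaway key under `STUB_DIR`/`STUB_KEY`, so it runs offline; a real KMS key never leaves the service), and the sample file contents are made up. `encrypt_to_file`/`decrypt_from_file` are the accepted answer's pipelines; `encrypt_to_file_unwrapped` is the question's original encrypt command, whose output the decrypt step then rejects.

```shell
#!/bin/sh
# Added example; not the AWS CLI and not the commands from the answers above.
# kms_stub_* reproduce ONLY the encoding behaviour of `aws kms encrypt|decrypt
# --output text`: blobs come back as base64 text, and `fileb://` sends a file's
# raw bytes. The cipher underneath is local OpenSSL AES-256-CBC with a throwaway
# key so the script runs offline; a real KMS key never leaves the service.
set -eu

# One-time setup: scratch directory and throwaway key for the stand-in.
kms_stub_init() {
    STUB_DIR="$(mktemp -d)"
    STUB_KEY="$STUB_DIR/stub.key"
    openssl rand -hex 32 > "$STUB_KEY"
}

# Stand-in for: aws kms encrypt --plaintext fileb://"$1" --output text --query CiphertextBlob
# Reads raw bytes from "$1" and prints the ciphertext blob as one base64 line.
kms_stub_encrypt() {
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$STUB_KEY" -in "$1" | base64 | tr -d '\n'
}

# Stand-in for: aws kms decrypt --ciphertext-blob fileb://"$1" --output text --query Plaintext
# Expects RAW ciphertext bytes in "$1" (what fileb:// sends). Base64 text is not a
# valid blob, so the stand-in fails the way KMS does with InvalidCiphertextException.
kms_stub_decrypt() {
    tmp="$STUB_DIR/plain.$$"
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$STUB_KEY" -in "$1" -out "$tmp" 2>/dev/null; then
        echo "InvalidCiphertextException (stand-in): $1 does not hold a raw ciphertext blob" >&2
        rm -f "$tmp"
        return 1
    fi
    base64 < "$tmp" | tr -d '\n'
    rm -f "$tmp"
}

# Accepted answer, encrypt step: decode the CLI's base64 so the file holds raw bytes.
encrypt_to_file() {            # $1 plaintext file, $2 output .encrypted file
    kms_stub_encrypt "$1" | base64 -d > "$2"
}

# Question's original encrypt step: the base64 text itself lands in the file.
encrypt_to_file_unwrapped() {  # $1 plaintext file, $2 output file
    kms_stub_encrypt "$1" > "$2"
}

# Accepted answer, decrypt step: decode the CLI's base64 to get the plaintext bytes.
decrypt_from_file() {          # $1 .encrypted file; plaintext on stdout
    plain_b64="$(kms_stub_decrypt "$1")" || return 1
    printf '%s' "$plain_b64" | base64 -d
}

# Round trip on a constructed sample file, then the failing variant from the question.
kms_stub_init
printf 'field 342, MED1 reading: 37.2\n' > "$STUB_DIR/sample.txt"   # constructed input
encrypt_to_file "$STUB_DIR/sample.txt" "$STUB_DIR/sample.encrypted"
decrypt_from_file "$STUB_DIR/sample.encrypted"
encrypt_to_file_unwrapped "$STUB_DIR/sample.txt" "$STUB_DIR/sample.b64"
if decrypt_from_file "$STUB_DIR/sample.b64" >/dev/null 2>&1; then
    echo "unexpected: base64 text was accepted as a ciphertext blob"
else
    echo "as expected, the base64-text file is rejected; it needs the base64 -d step"
fi
```

The script uses `base64 -d`; the accepted answer's `--decode` and the second answer's `-D` are the GNU coreutils and macOS spellings of the same decode flag, so pick whichever your `base64` accepts. A quick sanity check before decrypting is to look at the first bytes of the `.encrypted` file: if they are printable base64 characters rather than binary, the decode step was skipped at encrypt time.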
    