in AWS by (7k points)

We have installed aws-encryption. We have a key in KMS which we want to use for decryption in a shell script. The hello world example works fine in the development environment, where we have created a KMS key. Its ARN is stored in the variable $dev_key_arn.

> echo 'Hello World' | aws-encryption-cli --encrypt --master-keys key=$dev_key_arn --input - --output - --encode -S | aws-encryption-cli --decrypt  --input - --output - --decode -S
Hello World

We also have a production environment, so we want to use the KMS key $prod_key_arn. We have valid AWS credentials in a profile called prod, so we would expect:

> echo 'Hello World' | aws-encryption-cli --encrypt --master-keys key=$prod_key_arn profile=prod region=eu-west-1   --input - --output - --encode -S | aws-encryption-cli --decrypt  --input - --output - --decode -S
Encountered unexpected error: increase verbosity to see details.
DecryptKeyError("Unable to decrypt any data key")

But it fails with the above message. When we examine the encrypted message, we see that the encryption itself succeeds.

> aws-encryption-cli --encrypt --master-keys key=arn:aws:kms:eu-west-1:953495156568:key/2197020f-5b3c-4d05-bffc-04cf6114e405 profile=prod region=eu-west-1 provider=aws-kms  --input /tmp/prod_key --output - --encode -S
AYADePCKfZUuL<....>iza1AU=

The ARN of the key is stored in the encrypted material. But where does the information about the profile go? It cannot be passed in as a parameter when decoding, and it does not seem to be part of the encoded material.

1 Answer

by (31.9k points)

It is using your default profile, because in your encrypt command you set the profile to "prod" but in your decrypt command you did not set it:

aws-encryption-cli --decrypt  --input - --output - --decode -S

So add a master key definition identifying the profile you want to use:

aws-encryption-cli --decrypt --master-keys provider=aws-kms profile=prod  --input - --output - --decode -S

It defaults to the aws-kms provider if you don't specify a name, and specifying only the profile should also work:

aws-encryption-cli --decrypt --master-keys profile=prod  --input - --output - --decode -S
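To see why the decrypt side has to be told which profile to use, here is an added Python example (it is not part of the original question or answer, and not the aws-encryption-cli's own code) that builds a message header in the AWS Encryption SDK's format version 1 (the format behind the "AYAD..." output above) and parses it back. The key ARN, message ID and wrapped-data-key bytes are constructed stand-ins; the 0x0378 algorithm ID is the one the question's base64 prefix decodes to. The parser shows that each encrypted data key records only the provider ID ("aws-kms") and the key ARN: there is no field for an AWS profile, so the decrypting process must get its credentials from its own environment.

```python
"""Inspect what an AWS Encryption SDK message header actually carries.

Added example: builds a constructed format-version-1 header and parses
it again, so the reader can see that the ciphertext records the KMS key
ARN but nothing about an AWS profile or credentials.
"""
import base64
import struct

# Constructed sample values (not a real key or account).
SAMPLE_KEY_ARN = ("arn:aws:kms:eu-west-1:111122223333:"
                  "key/11111111-2222-3333-4444-555555555555")
ALG_AES256_GCM_HKDF_SHA384_ECDSA_P384 = 0x0378   # algorithm ID in the question's output


def _len_prefixed(data: bytes) -> bytes:
    """2-byte big-endian length followed by the bytes themselves."""
    return struct.pack(">H", len(data)) + data


def build_sample_header(key_arn: str, context: dict) -> bytes:
    """Serialize a v1 header up to (not including) the header authentication."""
    aad = b""
    if context:  # encryption context: pair count, then length-prefixed key/value pairs
        aad = struct.pack(">H", len(context))
        for k, v in sorted(context.items()):
            aad += _len_prefixed(k.encode()) + _len_prefixed(v.encode())
    edk = (_len_prefixed(b"aws-kms")            # key provider ID
           + _len_prefixed(key_arn.encode())    # key provider info: the KMS key ARN
           + _len_prefixed(b"\x00" * 184))      # constructed stand-in for the KMS-wrapped data key
    return (b"\x01"                             # message format version 1
            + b"\x80"                           # type: customer authenticated encrypted data
            + struct.pack(">H", ALG_AES256_GCM_HKDF_SHA384_ECDSA_P384)
            + b"\x00" * 16                      # message ID (constructed)
            + _len_prefixed(aad)
            + struct.pack(">H", 1)              # one encrypted data key
            + edk
            + b"\x02"                           # content type: framed
            + b"\x00" * 4                       # reserved
            + b"\x0c"                           # IV length (12 bytes for AES-GCM)
            + struct.pack(">I", 4096))          # frame length


def parse_header_v1(msg: bytes) -> dict:
    """Parse the fixed fields of a v1 header; raises on truncation or other versions."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(msg):
            raise ValueError("truncated header")
        chunk = msg[off:off + n]
        off += n
        return chunk

    def take_lp() -> bytes:
        return take(struct.unpack(">H", take(2))[0])

    if take(1) != b"\x01":
        raise ValueError("only message format version 1 is handled here")
    if take(1) != b"\x80":
        raise ValueError("unexpected message type")
    algorithm_id = struct.unpack(">H", take(2))[0]
    message_id = take(16)
    aad = take_lp()
    encryption_context = {}
    if aad:
        count = struct.unpack(">H", aad[:2])[0]
        p = 2
        for _ in range(count):
            klen = struct.unpack(">H", aad[p:p + 2])[0]
            key = aad[p + 2:p + 2 + klen]
            p += 2 + klen
            vlen = struct.unpack(">H", aad[p:p + 2])[0]
            value = aad[p + 2:p + 2 + vlen]
            p += 2 + vlen
            encryption_context[key.decode()] = value.decode()
    edks = []
    for _ in range(struct.unpack(">H", take(2))[0]):
        provider_id = take_lp().decode()
        provider_info = take_lp().decode(errors="replace")
        ciphertext = take_lp()
        edks.append({"provider_id": provider_id,
                     "provider_info": provider_info,
                     "ciphertext_len": len(ciphertext)})
    content_type = take(1)[0]
    take(4)                                     # reserved
    iv_length = take(1)[0]
    frame_length = struct.unpack(">I", take(4))[0]
    return {"algorithm_id": algorithm_id, "message_id": message_id,
            "encryption_context": encryption_context,
            "encrypted_data_keys": edks, "content_type": content_type,
            "iv_length": iv_length, "frame_length": frame_length,
            "header_len": off}


def kms_key_arns(header: dict) -> list:
    """ARNs the decrypting side needs kms:Decrypt on (aws-kms provider only)."""
    return [e["provider_info"] for e in header["encrypted_data_keys"]
            if e["provider_id"] == "aws-kms"]


def region_from_arn(arn: str) -> str:
    """The region is the fourth colon-separated ARN field; a profile is nowhere in it."""
    return arn.split(":")[3]


def b64(msg: bytes) -> str:
    return base64.b64encode(msg).decode()


if __name__ == "__main__":
    hdr = parse_header_v1(build_sample_header(SAMPLE_KEY_ARN, {"env": "prod"}))
    print("base64 prefix:", b64(build_sample_header(SAMPLE_KEY_ARN, {}))[:4])
    print("KMS keys referenced:", kms_key_arns(hdr))
    print("regions:", [region_from_arn(a) for a in kms_key_arns(hdr)])
    print("encryption context:", hdr["encryption_context"])
```

The ARN embeds the region, so a decrypting process can work out which KMS endpoint to call on its own; which credentials it calls with is decided purely by the local environment (the default profile unless a master key with profile= is given), which is exactly why the decrypt command in the answer needs the profile repeated. A practical check for a script: parse the header, then confirm that the profile you are about to decrypt with has kms:Decrypt on every ARN that kms_key_arns() returns.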
