This would have saved me an hour, so I’m posting it here for posterity. 🙂 Maybe it will save some time for someone else.
A quick example of how to use the AWS CLI to encrypt a file with AWS KMS, using a key identified by its key-id. The output is saved into a 76-column wrapped ASCII-armored file, and then the same file is decrypted back into cleartext. I couldn’t find a way to column-wrap the output from aws kms encrypt, so the base64 encoding is first undone and then re-applied with the [default] column width of 76.
Replace the fake key-id below with your own (obviously 🙂 ), one that your AWS credentials have access to. For this to work, you have to have awscli installed and configured (
aws kms encrypt --key-id 3c436c82-eabe-4b58-996f-6ca3f808f237 --plaintext fileb://my-secret-key.pem --query CiphertextBlob --output text | base64 -d | base64 -w 76 > encrypted.asc
aws kms decrypt --ciphertext-blob fileb://<(cat encrypted.asc | base64 -d) --output text --query Plaintext | base64 -d > decrypted.txt
If you want to put the encrypted content into a JSON structure, simply leave out the base64 undo/redo and change the output type to JSON, like so:
aws kms encrypt --key-id 3c436c82-eabe-4b58-996f-6ca3f808f237 --plaintext fileb://my-secret-key.pem --query CiphertextBlob --output json
Without redirection the command outputs to standard output.
** NOTE: On macOS you have to use a capital D (base64 -D) for the base64 decode steps.
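As an added example that is not code from the original post: the two commands above as bash functions, with a plaintext-size check (the KMS Encrypt API takes at most 4096 bytes; anything larger needs envelope encryption via GenerateDataKey) and a base64 decode that works with both GNU -d and macOS -D. It assumes awscli is installed and configured; the key-id and file names are whatever the caller passes in.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes awscli is installed
# and configured; key id and file names are supplied by the caller.
set -euo pipefail

# The KMS Encrypt API accepts at most 4096 bytes of plaintext.
KMS_MAX_PLAINTEXT=4096

# Portable base64 decode: GNU base64 takes -d, macOS base64 takes -D.
b64_decode() {
  if printf 'dGVzdA==' | base64 -d >/dev/null 2>&1; then base64 -d; else base64 -D; fi
}

# Non-zero exit if FILE is larger than the Encrypt API allows.
check_plaintext_size() {
  local size
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -le "$KMS_MAX_PLAINTEXT" ]
}

# Wrap the single-line base64 from --output text to 76 columns. Same result as
# the post's `base64 -d | base64 -w 76`, but fold is available on macOS too.
rewrap_76() {
  tr -d '\n' | fold -w 76
  printf '\n'
}

# kms_encrypt_armored KEY_ID PLAINTEXT_FILE OUT_FILE
kms_encrypt_armored() {
  if ! check_plaintext_size "$2"; then
    echo "$2 exceeds ${KMS_MAX_PLAINTEXT} bytes; use envelope encryption (GenerateDataKey) instead" >&2
    return 1
  fi
  aws kms encrypt --key-id "$1" --plaintext "fileb://$2" \
    --query CiphertextBlob --output text | rewrap_76 > "$3"
}

# kms_decrypt_armored ARMORED_FILE OUT_FILE (the key id is embedded in the ciphertext,
# so none is passed). Decodes to a temp file instead of relying on bash's <( ).
kms_decrypt_armored() {
  local raw
  raw=$(mktemp)
  b64_decode < "$1" > "$raw"
  aws kms decrypt --ciphertext-blob "fileb://$raw" \
    --query Plaintext --output text | b64_decode > "$2" || { rm -f "$raw"; return 1; }
  rm -f "$raw"
}

# Usage (placeholders): kms_encrypt_armored KEY_ID my-secret-key.pem encrypted.asc
#                       kms_decrypt_armored encrypted.asc decrypted.txt && cmp my-secret-key.pem decrypted.txt
```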