RANDOM.AC/CESS

Musings of a Web Technologist

A Simple AWS CLI KMS encrypt/decrypt example

Posted on 04 February 2017 by Ville

This would have saved me an hour or two, so I’m posting it here for posterity. 🙂 Maybe it will save some time for someone else.

A quick example of using the AWS CLI to encrypt a file with a KMS key identified by its key-id, saving the output as a 76-column wrapped ASCII-armored file, and then decrypting that file back into cleartext. I couldn’t find a way to column-wrap the output of aws kms encrypt directly, so the base64 encoding is first undone and then re-applied with the [default] column width of 76.

Replace the fake key-id below with your own (obviously 🙂 ), one that your AWS credentials have access to. For this to work you need awscli installed and configured (run aws configure after installing it). Note that the KMS Encrypt API accepts at most 4096 bytes of plaintext, so this approach is for small secrets such as keys and passwords; anything larger calls for envelope encryption (aws kms generate-data-key, then encrypt the file locally with the returned data key).

** NOTE: On macOS, you have to use capital -D with base64 to decode, and -b 76 instead of -w 76 to wrap.

First, to encrypt the contents of a file into an armored file, and then decrypt that file back into a cleartext file, use the following format:

    aws kms encrypt --key-id 3c436c82-eabe-4b58-996f-6ca3f808f237 --plaintext fileb://my-secret-key.pem --query CiphertextBlob --output text | base64 -d | base64 -w 76 > encrypted.asc

    aws kms decrypt --ciphertext-blob fileb://<(base64 -d < encrypted.asc) --output text --query Plaintext | base64 -d > decrypted.txt

Then, to encrypt/decrypt a string without first saving it into a file (who came up with the decryption format?!). The decrypt side relies on process substitution, so this works in bash, zsh, and alike (ksh..?). Two caveats: a literal --plaintext value ends up in your shell history and is visible to other users in the process list while the command runs, so prefer the fileb:// form for anything that matters; and with AWS CLI v2 a literal --plaintext is expected to be base64 unless you add --cli-binary-format raw-in-base64-out (fileb:// inputs are unaffected).

    aws kms encrypt --key-id 3c436c82-eabe-4b58-996f-6ca3f808f237 --plaintext 'Secret message' --query CiphertextBlob --output text

    aws kms decrypt --ciphertext-blob fileb://<(echo 'AQECAHiuImqexTQGWMAtOjKMcH5UIxXuSZ5WSGx3WKO+vsUI3AAAAKIwgZ8GCSqGSIb3DQEHBqCBkTCBjgIBADCBiAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAwT3cwVGtUYHz02irsCARCAW8a4TP7pL+inl7Je7x1xEr84Q4lN11t3dNFvycpMZALe185DYow4i1GLaJnJnB7g6V1ZaiB+b+Diap/5auM/K3bjLmcTq0molBnn2TG3r0uj70lP0FSQP+XwQ+8=' | base64 -d) --output text --query Plaintext | base64 -d

Finally, if you want to put the encrypted content into a JSON structure, simply leave out the base64 undo/redo and change the output type to JSON, like so:

    aws kms encrypt --key-id 3c436c82-eabe-4b58-996f-6ca3f808f237 --plaintext fileb://my-secret-key.pem --query CiphertextBlob --output json

Without redirection both the encrypt and decrypt commands write to standard output (as in the second example). Note also that decrypt takes no --key-id: for a symmetric KMS key the ciphertext blob carries the ID of the key that produced it, and the call only succeeds if your credentials may use that key.
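The same encrypt/decrypt flow wrapped in reusable functions, as an added example that is not part of the original post. It assumes awscli is installed and configured, and the KEY_ID placeholder is the post’s fake key-id. Two changes from the one-liners above: the armoring uses fold on the base64 text the CLI already prints (no decode/re-encode, and no GNU-only base64 -w, so it also runs on macOS where the decode flag is -D), and a size guard refuses inputs over the 4096-byte KMS Encrypt limit before any network call is made. The raw ciphertext is staged in a temp file instead of a process substitution so the script runs under plain sh as well as bash.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): file encrypt/decrypt via KMS
# with 76-column armored output. Assumes a configured awscli; KEY_ID is a placeholder.
set -eu

KEY_ID=3c436c82-eabe-4b58-996f-6ca3f808f237   # placeholder, replace with your own
KMS_MAX_PLAINTEXT=4096                         # KMS Encrypt accepts at most 4096 bytes

# Wrap the single-line base64 that `aws kms encrypt --output text` prints at 76 columns.
# base64 text can be folded directly; no need to decode and re-encode it.
armor() {
  tr -d '\n' | fold -w 76
  echo
}

# Reverse armor(): join the wrapped lines and decode to raw ciphertext bytes.
# (On older macOS, use `base64 -D` here and in kms_decrypt_file.)
unarmor() {
  tr -d '\n' | base64 -d
}

# Refuse inputs KMS would reject anyway; envelope encryption is the answer for bigger files.
check_size() {
  f=$1
  size=$(wc -c < "$f")
  if [ "$size" -gt "$KMS_MAX_PLAINTEXT" ]; then
    echo "refusing: $f is $size bytes, KMS Encrypt limit is $KMS_MAX_PLAINTEXT bytes" >&2
    return 1
  fi
}

# kms_encrypt_file PLAINTEXT_FILE ARMORED_OUT
kms_encrypt_file() {
  in=$1; out=$2
  check_size "$in"
  aws kms encrypt --key-id "$KEY_ID" --plaintext "fileb://$in" \
      --query CiphertextBlob --output text | armor > "$out"
}

# kms_decrypt_file ARMORED_IN PLAINTEXT_OUT
# No --key-id: the ciphertext blob carries the ID of the symmetric key that made it.
kms_decrypt_file() {
  in=$1; out=$2
  tmp=$(mktemp)
  unarmor < "$in" > "$tmp"
  # umask 077 so the recovered secret is not world-readable on disk.
  ( umask 077
    aws kms decrypt --ciphertext-blob "fileb://$tmp" \
        --query Plaintext --output text | base64 -d > "$out" )
  rm -f "$tmp"
}

# Usage (only runs when invoked as `./kms-file.sh roundtrip my-secret-key.pem`):
#   encrypts to my-secret-key.pem.asc, decrypts to my-secret-key.pem.dec, and
#   confirms the round trip with cmp.
if [ "${1:-}" = "roundtrip" ]; then
  src=$2
  kms_encrypt_file "$src" "$src.asc"
  kms_decrypt_file "$src.asc" "$src.dec"
  cmp "$src" "$src.dec" && echo "round trip OK: $src.asc"
fi
```

The armor/unarmor pair is pure text processing, so it can be exercised without AWS credentials; only kms_encrypt_file and kms_decrypt_file touch KMS.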

Copyright © Ville Walveranta 2019 - All Rights Reserved · Powered by Wordpress and Genesis Framework