This would have save me an hour, so I’m posting it here for posterity. 🙂 Maybe it will save some time for someone else.
A quick example of how to use the AWS CLI to encrypt a file using a KMS with a key identified by the key-id. Output is saved into 76-column wrapped ASCII-armored file, and then decrypt the same back into cleartext. I couldn’t find a way to column-wrap the output from aws kms encrypt, so the base64 encoding is first undone, and then re-applied with the [default] column width of 76.
Replace the below fake key-id with your own (obviously 🙂 ) that your AWS credentials have access to. For this to work, you have to have awscli installed and configured (run aws configure after you’ve installed awscli).
|
1 2 3 |
aws kms encrypt --key-id 3c436c82-eabe-4b58-996f-6ca3f808f237 --plaintext fileb://my-secret-key.pem --query CiphertextBlob --output text | base64 -d | base64 -w 76 > encrypted.asc aws kms decrypt --ciphertext-blob fileb://<(cat encrypted.asc | base64 -d) --output text --query Plaintext | base64 -d > decrypted.txt |
If you want to enter the encrypted content into JSON structure, simply leave the base64 undo/redo out, and change the output type to JSON, like so:
|
1 |
aws kms encrypt --key-id 3c436c82-eabe-4b58-996f-6ca3f808f237 --plaintext fileb://my-secret-key.pem --query CiphertextBlob --output json |
Without redirection the command outputs to standard output.
** NOTE: On macOS you have to use capital -D with base64 to decrypt.