This would have saved me an hour or two, so I’m posting it here for posterity. 🙂 Maybe it will save some time for someone else.
A quick example of how to use the AWS CLI to encrypt a file using a KMS with a key identified by the key-id. The output is saved into 76-column wrapped ASCII-armored file, and then decrypt the same back into cleartext. I couldn’t find a way to column-wrap the output from aws kms encrypt, so the base64 encoding is first undone, and then re-applied with the [default] column width of 76.
Replace the below fake key-id with your own (obviously 🙂 ) that your AWS credentials have access to. For this to work, you have to have awscli installed and configured (run aws configure after you’ve installed awscli).
** NOTE: On macOS, you have to use capital -D with base64 to decrypt.
First, to encrypt the contents of a file, and then output the decrypted content back into a file, use the following format:
|
1 2 3 |
aws kms encrypt --key-id 3c436c82-eabe-4b58-996f-6ca3f808f237 --plaintext fileb://my-secret-key.pem --query CiphertextBlob --output text | base64 -d | base64 -w 76 > encrypted.asc aws kms decrypt --ciphertext-blob fileb://<(cat encrypted.asc | base64 -d) --output text --query Plaintext | base64 -d > decrypted.txt |
Then, to encrypt/decrypt a string without first saving it into a file (who came up with the decryption format?!). This works in bash, zsh, and alike (ksh..?):
|
1 2 3 |
aws kms encrypt --key-id 3c436c82-eabe-4b58-996f-6ca3f808f237 --plaintext 'Secret message' --query CiphertextBlob --output text aws kms decrypt --ciphertext-blob fileb://<(echo 'AQECAHiuImqexTQGWMAtOjKMcH5UIxXuSZ5WSGx3WKO+vsUI3AAAAKIwgZ8GCSqGSIb3DQEHBqCBkTCBjgIBADCBiAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAwT3cwVGtUYHz02irsCARCAW8a4TP7pL+inl7Je7x1xEr84Q4lN11t3dNFvycpMZALe185DYow4i1GLaJnJnB7g6V1ZaiB+b+Diap/5auM/K3bjLmcTq0molBnn2TG3r0uj70lP0FSQP+XwQ+8=' | base64 -d) --output text --query Plaintext | base64 -d |
Finally, if you want to enter the encrypted content into a JSON structure, simply leave the base64 undo/redo out, and change the output type to JSON, like so:
|
1 |
aws kms encrypt --key-id 3c436c82-eabe-4b58-996f-6ca3f808f237 --plaintext fileb://my-secret-key.pem --query CiphertextBlob --output json |
Without redirection both the encrypt and decrypt commands output to standard output (as in the first example).