I'm confused about how AWS KMS selects which key to use to decrypt a CiphertextBlob. When calling the decrypt method, no key information is provided.
When you encrypt, KMS stores the CMK information in the ciphertextblob (CiphertextBlob: Ciphertext including metadata) as metadata. So while calling decrypt, KMS knows which CMK to use.
Replica keys are account specific. If you want other accounts to access these keys, you have to set up such permissions through KMS key policies in account A.
To identify an AWS KMS key, you can use the key ID or the Amazon Resource Name (key ARN). In cryptographic operations, you can also use the alias name or alias ARN. For detailed information about the KMS key identifiers supported by AWS KMS, see Key identifiers (KeyId).
AWS managed keys, the KMS keys that AWS services create in your account for you, are always single-Region keys. You cannot convert an existing single-Region key to a multi-Region key.
Consider using a customer managed key if: You want to create, rotate, disable, or define access controls for the key. You want to grant cross-account access to your S3 objects. You can configure the policy of a customer managed key to allow access from another account.
To decrypt an encrypted data key, and then immediately re-encrypt the data key under a different AWS KMS key, use the ReEncrypt operation. The operations are performed entirely on the server side within AWS KMS, so they never expose your plaintext outside of AWS KMS.
More details in: https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html
If you look at the CiphertextBlob output of two different --plaintext values (as I show below) you can observe a pattern that must be some kind of metadata. Not sure whether this metadata is documented.
aws kms encrypt --key-id <my-key> --plaintext first-text --query "CiphertextBlob" --output text >> encryption_outputs.out
aws kms encrypt --key-id <my-key> --plaintext second-text --query "CiphertextBlob" --output text >> encryption_outputs.out
cat encryption_outputs.out
AQICAHiHuhOJgMFOzLCxr9JLvFbwcvLJ1ujdFhqufo6u+0DOZAFcwvj+uW9S0ogPZqWnn2o0AAAAaDBmBgkqhkiG9w0BBwagWTBXAgEAMFIGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMKCO7GDmhCkqkISldAgEQgCXJaFxGsprON7JHfoLWFXM/VVg9tv76Ndp9ABZ5zd8VOlK2rtPK
AQICAHiHuhOJgMFOzLCxr9JLvFbwcvLJ1ujdFhqufo6u+0DOZAGMZIUoMTRnPxLZLGx/cD7fAAAAaTBnBgkqhkiG9w0BBwagWjBYAgEAMFMGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmXxBMotXpz0dByd5AgEQgCayx6uiIjJopXsHOeGWAvC5i83CLnp1M7gAVYPQck8lEPtykghR7Q==
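The pattern the answer points at can be measured rather than eyeballed. The following script is an added example, not code from the answer's author or from AWS: it base64-decodes the two CiphertextBlob values posted above, counts how many leading bytes they share (the part that stays constant for the same key while the rest changes with every encryption), and locates a 4-byte big-endian length field that exactly covers the remainder of each blob and is followed by a 0x30 byte (the ASN.1 SEQUENCE tag). AWS does not document this layout, the script makes no claim about what the fields mean, and the structure it reports should be treated as an observation about these two samples, not as an interface to build on; the blob is meant to be handled as an opaque value and passed back to KMS, where the key policy decides whether the caller may use the key it names.

```python
import base64

# The two CiphertextBlob values posted in the answer above (same key, different plaintexts).
BLOB_1 = base64.b64decode(
    "AQICAHiHuhOJgMFOzLCxr9JLvFbwcvLJ1ujdFhqufo6u+0DOZAFcwvj+uW9S0ogPZqWnn2o0AAAAaDBm"
    "BgkqhkiG9w0BBwagWTBXAgEAMFIGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMKCO7GDmhCkqkISld"
    "AgEQgCXJaFxGsprON7JHfoLWFXM/VVg9tv76Ndp9ABZ5zd8VOlK2rtPK"
)
BLOB_2 = base64.b64decode(
    "AQICAHiHuhOJgMFOzLCxr9JLvFbwcvLJ1ujdFhqufo6u+0DOZAGMZIUoMTRnPxLZLGx/cD7fAAAAaTBn"
    "BgkqhkiG9w0BBwagWjBYAgEAMFMGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmXxBMotXpz0dByd5"
    "AgEQgCayx6uiIjJopXsHOeGWAvC5i83CLnp1M7gAVYPQck8lEPtykghR7Q=="
)


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes that are identical in both blobs."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def find_length_prefixed_tail(blob: bytes):
    """Scan for a 4-byte big-endian integer that equals the number of bytes
    following it and is immediately followed by 0x30 (ASN.1 SEQUENCE tag).

    Returns (offset_of_length_field, declared_length) or None. This is a
    data-driven check, not a parser for a documented format."""
    for i in range(len(blob) - 4):
        declared = int.from_bytes(blob[i:i + 4], "big")
        if declared == len(blob) - i - 4 and blob[i + 4] == 0x30:
            return i, declared
    return None


def describe(blob: bytes) -> dict:
    """Summarise the observable layout of one blob."""
    tail = find_length_prefixed_tail(blob)
    return {
        "total_len": len(blob),
        "length_field_offset": None if tail is None else tail[0],
        "declared_tail_len": None if tail is None else tail[1],
    }


if __name__ == "__main__":
    shared = common_prefix_len(BLOB_1, BLOB_2)
    print(f"shared leading bytes: {shared}")
    print(f"shared prefix (hex):  {BLOB_1[:shared].hex()}")
    for name, blob in (("blob 1", BLOB_1), ("blob 2", BLOB_2)):
        info = describe(blob)
        print(f"{name}: {info}")
        # Hex dump of the bytes between the shared prefix and the length field;
        # this region differs between the two encryptions of the same key.
        off = info["length_field_offset"]
        print(f"  per-encryption bytes: {blob[shared:off].hex()}")
```

Running the script shows that the first 38 bytes are identical for both blobs, the next 16 bytes differ, and at offset 54 each blob carries a length field whose value matches exactly the number of bytes that follow it, with an ASN.1 SEQUENCE tag right after. That the same key yields the same leading bytes is consistent with the earlier answer: the blob itself tells KMS which key it was encrypted under, so Decrypt needs no key-id argument.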