4
votes

How do I get the KMS key information from the ciphertext blob?

Taking the example from the AWS website

AWS KMS doc

aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://ExamplePlaintextFile --output text --query CiphertextBlob | base64 --decode > ExampleEncryptedFile

Is there any way to look at ExampleEncryptedFile and figure out which KMS key was used to encrypt it?

I ask because I'm having a problem reading something I encrypted and I want to verify it was encrypted with the key I thought it was.


3 Answers

4
votes

Yes, you can get the key id by using aws kms decrypt (pass it the ciphertext and region) which does not require a key id to perform decryption. The information about the key that was used to encrypt is part of the ciphertext, therefore, KMS will be able to get this information and return you the "Plaintext" and the "KeyId".

1
votes

I'm afraid you won't be able to do it. The encrypt API uses a customer master key (CMK) to encrypt the data, and that key never leaves AWS. Unless you saved the key ID somewhere (which is not a great practice), you won't be able to derive it from the encrypted file.

A couple things that can help, in case you have administrative access to the AWS console:

  • literally try calling aws kms decrypt using the master keys you have (assuming they are not many and the original one has not been deleted);
  • looking at your CloudTrail logs, you might be able to figure out which key was used if you have a rough idea of the time when it was used (assuming you have CloudTrail enabled on your KMS operations).
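As an added example (not from any of the answers above), this is how the CloudTrail suggestion in the last bullet can be scripted offline: it filters the trail to KMS Encrypt records inside a time window and reports the key id from each record's resources list, alongside the alias or id the caller actually passed. The records are constructed samples; the field names used (eventSource, eventName, eventTime, userIdentity.arn, requestParameters.keyId, resources[].ARN, resources[].type) are the standard CloudTrail ones.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail log in the {"Records": [...]} shape CloudTrail
# delivers to S3. Account id, user names, key ids and aliases are made up.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Encrypt", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"keyId": "alias/app-key"},
  "resources": [{"type": "AWS::KMS::Key", "accountId": "111122223333",
   "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
 {"eventTime": "2023-05-01T10:30:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Encrypt", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"keyId": "alias/other-key"},
  "resources": [{"type": "AWS::KMS::Key", "accountId": "111122223333",
   "ARN": "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-00aa-00aa-00aa-000000000000"}]},
 {"eventTime": "2023-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"bucketName": "example-bucket"}, "resources": []}
]}""")


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def kms_encrypt_events(trail, start, end):
    """Return KMS Encrypt records with eventTime in [start, end], oldest first.

    start/end use CloudTrail's own "%Y-%m-%dT%H:%M:%SZ" format. The key id comes
    from the record's resources list; the alias or id the caller passed is kept
    separately because 'alias/app-key' alone does not say which key it resolved to.
    """
    lo, hi = parse_event_time(start), parse_event_time(end)
    hits = []
    for rec in trail.get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != ("kms.amazonaws.com", "Encrypt"):
            continue
        when = parse_event_time(rec["eventTime"])
        if not lo <= when <= hi:
            continue
        key_arns = [r["ARN"] for r in rec.get("resources", [])
                    if r.get("type") == "AWS::KMS::Key"]
        hits.append({"time": when,
                     "caller": rec.get("userIdentity", {}).get("arn", "unknown"),
                     "requested": rec.get("requestParameters", {}).get("keyId"),
                     "key_ids": [arn.rsplit("/", 1)[-1] for arn in key_arns]})
    return sorted(hits, key=lambda h: h["time"])
```

Narrow the window to the time you ran the encrypt command; if several keys show up, the caller ARN usually separates your call from others.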

1
votes

The encrypted blob contains the key information required to decrypt it. There is no way to figure out what key an encrypted blob was encrypted with as it's part of the encrypted value. If you're unsure which key you used, you will have to either roll the value and encrypt it again or start attempting to decrypt with permissions that only have access to one key at a time.