I'm confused on how the aws-kms select which key to use to decrypt a ciphertextblob?
When calling the decrypt method, no key information is provided.
7
votes
2 Answers
5
votes
When you encrypt, KMS stores the CMK information in the ciphertextblob (CiphertextBlob: Ciphertext including metadata) as metadata. So while calling decrypt, KMS knows which CMK to use.
More details in: https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html
1
votes
If you look at the CiphertextBlob output of two different --plaintexts (as I show below) you can observe a pattern that must be some kind of metedata. Not sure whether this metadata is documented.
aws kms encrypt --key-id <my-key> --plaintext first-text --query "CiphertextBlob" --output text >> encryption_outputs.out
aws kms encrypt --key-id <my-key> --plaintext second-text --query "CiphertextBlob" --output text >> encryption_outputs.out
cat encryption_outputs.out
AQICAHiHuhOJgMFOzLCxr9JLvFbwcvLJ1ujdFhqufo6u+0DOZAFcwvj+uW9S0ogPZqWnn2o0AAAAaDBmBgkqhkiG9w0BBwagWTBXAgEAMFIGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMKCO7GDmhCkqkISldAgEQgCXJaFxGsprON7JHfoLWFXM/VVg9tv76Ndp9ABZ5zd8VOlK2rtPK
AQICAHiHuhOJgMFOzLCxr9JLvFbwcvLJ1ujdFhqufo6u+0DOZAGMZIUoMTRnPxLZLGx/cD7fAAAAaTBnBgkqhkiG9w0BBwagWjBYAgEAMFMGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmXxBMotXpz0dByd5AgEQgCayx6uiIjJopXsHOeGWAvC5i83CLnp1M7gAVYPQck8lEPtykghR7Q==
