1 vote

I am trying to decrypt a string with AWS KMS, but I am getting an InvalidCiphertextException error (with no further information following the exception name).

I was originally decrypting in a Node.js Lambda, using an environment variable as the source for encryptedString:

var AWS = require('aws-sdk');
var kms = new AWS.KMS();

// encryptedString is the base64 text read from the Lambda environment variable
var params = {
    CiphertextBlob: Buffer.from(encryptedString, 'base64')
};
kms.decrypt(params, function(err, data) {
    if (err) {
        // ...
    } else {
        // ...
    }
});

I have also tried it with the CiphertextBlob value as a String, i.e.:

CiphertextBlob: encryptedString

The KMS key used to encrypt the value originally is a symmetric CMK so I believe I shouldn't need to pass in the key ID.

I also tried the same thing via awscli (passing in ciphertext-blob as a string) but got the same error:

aws kms decrypt --ciphertext-blob <encrypted string value> --query Plaintext --output text | base64 --decode

Passing in the key ID had no effect either.

I have used an online tool to validate that the encrypted string is base64. I'm not too clued up on base64 encoding so not sure if that's all it takes to prove the cipher text is valid.

I'm sure I'm failing with something fundamental - either my encrypted string is not base64 or not what decrypt expects, or I am missing some additional decrypt arguments perhaps.

Thanks in advance.

1
Is there any encryption context associated with your secret? If there is, you need to specify it as well to decrypt your secret. (Marcin)

No, I can't see any. I've checked the key policy and there are no Condition fields specifying kms:EncryptionContext. (Neil)

Did you encrypt the secret yourself using KMS? The encryption context is given during the encryption procedure. If you provided it at that time, it must be provided at decryption as well. The key policy does not change this. (Marcin)

No, the key already exists; it was created some time ago, so I don't have access to any creation details, as far as I know. Is there any way to see what encryption context was passed at creation? (Neil)

I've created a brand new KMS key, and a new SSM param using that key. I've then passed the encrypted string to a Lambda environment variable and tried decrypting with the above commands both in the Lambda and via awscli, but still get the same error. I checked the CloudTrail CreateKey event but couldn't see any encryption context related information (as expected, as I did not specify any encryption context when I created the new key). (Neil)

1 Answer

2 votes

Based on the comments.

The issue is with decrypting an SSM parameter. Thus, an encryption context must be provided during the decryption procedure. From the docs:

Parameter Store includes this encryption context in calls to encrypt and decrypt the MyParameter parameter in an example AWS account and region.

"PARAMETER_ARN":"arn:aws:ssm:<REGION_NAME>:<ACCOUNT_ID>:parameter/<parameter-name>"

Therefore, if you are not using get_parameter with the WithDecryption option set to True, you must provide the above encryption context during the KMS decrypt operation.
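To make the answer concrete, here is an added Node.js example (not code from the question, the answer, or AWS) showing both routes it describes: a direct KMS Decrypt that supplies the PARAMETER_ARN encryption context Parameter Store used at encryption time, and the simpler GetParameter call with WithDecryption. It assumes aws-sdk v2 is installed and that credentials and a region are configured in the environment; the region, account ID and parameter name in the comments are placeholders, and ssmParameterArn and buildDecryptParams are helper names chosen for this example.

```javascript
// Added example, not part of the original post.
// Assumptions: aws-sdk v2 is available at runtime; credentials/region come
// from the environment; region, account ID and parameter name are placeholders.

// Build the ARN Parameter Store uses as the PARAMETER_ARN encryption context.
// Hierarchical names ("/prod/db/password") keep their path, but the ARN has a
// single slash after "parameter", so a leading "/" on the name is dropped.
function ssmParameterArn(region, accountId, parameterName) {
  const name = parameterName.replace(/^\/+/, '');
  return `arn:aws:ssm:${region}:${accountId}:parameter/${name}`;
}

// Build the KMS Decrypt request. CiphertextBlob must be the raw bytes, so the
// base64 text copied out of Parameter Store (or an env var) is decoded first.
// EncryptionContext must match exactly what was used at Encrypt time; omitting
// it or getting any character wrong surfaces as InvalidCiphertextException.
function buildDecryptParams(encryptedBase64, parameterArn) {
  return {
    CiphertextBlob: Buffer.from(encryptedBase64, 'base64'),
    EncryptionContext: { PARAMETER_ARN: parameterArn },
  };
}

// Route 1: decrypt the copied ciphertext yourself, with the right context.
// The SDK is loaded lazily so the pure helpers above run without it.
async function decryptSsmValue(encryptedBase64, parameterArn) {
  const AWS = require('aws-sdk'); // assumption: aws-sdk v2 installed
  const kms = new AWS.KMS();
  const data = await kms
    .decrypt(buildDecryptParams(encryptedBase64, parameterArn))
    .promise();
  return data.Plaintext.toString('utf8');
}

// Route 2: let Parameter Store call KMS with the context it owns.
async function getDecryptedParameter(parameterName) {
  const AWS = require('aws-sdk'); // assumption: aws-sdk v2 installed
  const ssm = new AWS.SSM();
  const res = await ssm
    .getParameter({ Name: parameterName, WithDecryption: true })
    .promise();
  return res.Parameter.Value;
}

// Example wiring (placeholders):
//   const arn = ssmParameterArn('eu-west-1', '123456789012', '/prod/db/password');
//   decryptSsmValue(process.env.ENCRYPTED_VALUE, arn).then(console.log);
//   getDecryptedParameter('/prod/db/password').then(console.log);
```

The same context can be supplied from the CLI with `--encryption-context PARAMETER_ARN=arn:aws:ssm:<REGION_NAME>:<ACCOUNT_ID>:parameter/<parameter-name>` on `aws kms decrypt`. One caveat when testing from the shell: AWS CLI v1 treats the value of `--ciphertext-blob` as raw bytes, so a base64 string passed directly is itself an invalid ciphertext and must instead be decoded and passed as `fileb://`; CLI v2 accepts base64 for blob parameters by default.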