
I am using an AWS Powershell cmdlet New-KMSDataKey that creates a System.IO.MemoryStream that contains an encryption key that I need to use to encrypt some files.

This is the documentation for the command:

http://docs.aws.amazon.com/powershell/latest/reference/items/New-KMSDataKey.html

And this is the object that is returned by that cmdlet:

http://docs.aws.amazon.com/sdkfornet/latest/apidocs/items/TKeyManagementServiceGenerateDataKeyResult_NET3_5.html

I am trying to get the plaintext property. How can I access the System.IO.MemoryStream to get the key?

This is my script sample:

$KMSKeyS3 = New-KMSDataKey -KeyId $KMSKeySource -KeySpec AES_256 -Region "ap-southeast-2"

This gives me:

CiphertextBlob           KeyId                                           Plaintext
--------------           -----                                           ---------
System.IO.MemoryStream   arn:aws:kms:ap-southeast-2:<Customer>:key/<Key> System.IO.MemoryStream
JasonMArcher
Chris
    You can read the [System.IO.MemoryStream] using a StreamReader `$reader = new-object System.IO.StreamReader($KMSKeyS3.plaintext); $reader.Readline()` But, this is only half the answer, because I have no idea what the encoding is in that MemoryStream. – Jan Chrbolka May 20 '15 at 06:22
  • Documentation on how to handle this property specifically seems pretty scarce. You may want to kick this up to the AWS Powershell forums to get specific word on usage from an AWS employee. – Anthony Neace May 20 '15 at 13:59
  • Cleaned the question up and voted to re-open. This question is very specific and answerable by someone with experience with the KMS cmdlets. I don't think it is simply a broad question about memory streams but specifically this usage of one. @Chris you may want to edit the post to include some relevant info like the KMS cmdlets you used to build any related keys, aliases, etc. – Anthony Neace May 20 '15 at 14:08
  • @HyperAnthony Thanks. All I did was create a KMS root key in AWS; my `$KMSKeySource` is just the root key. Other than that I am running the command above. – Chris May 20 '15 at 20:41
  • @JanChrbolka for the encoding I am not sure either, but from what I can work out from the AWS CLI it looks like it is base64, as in the examples I saw they keep decoding from base64 in bash. Example blog: http://www.rightbrainnetworks.com/blog/keeping-secrets-safe-with-kms/ – Chris May 20 '15 at 20:45
  • That example shows how to encrypt text using the key. Is this what you want to do? From the wording of your question, it looks like you extract the key for some reason... Could you maybe add that to the question? – Jan Chrbolka May 20 '15 at 21:02
  • @JanChrbolka, Sorry about this. When I run `New-KMSDataKey` I am getting back the Plaintext and the CiphertextBlob as shown above. I need to use the Plaintext to pass into a new command to encrypt the data, like `Copy-S3Object`, but I also need to save only the CiphertextBlob with the data so that I can decrypt the data at a later stage. The CiphertextBlob allows me to go back to the KMS service to get the Plaintext again to decrypt. That is why I need to read the MemoryStream to get that Plaintext and the CiphertextBlob. – Chris May 20 '15 at 21:18
  • @Chris, OK, turns out that the MemoryStream can easily be converted to an array of bytes: `$KMSKeyS3.Plaintext.ToArray()`. This can then be translated to a Base64 string. I think this is what you were looking for: `$key = [Convert]::ToBase64String($KMSKeyS3.Plaintext.ToArray())` and `$blob = [Convert]::ToBase64String($KMSKeyS3.CiphertextBlob.ToArray())` – Jan Chrbolka May 20 '15 at 23:05
  • No problem. And don't let the "question format patrol" put you off SO. They're just doing their bit to keep the site helpful. – Jan Chrbolka May 21 '15 at 00:14
  • Need one more person to reopen the question, and then @JanChrbolka can post an answer. You can mark the answer as accepted by clicking the checkmark to the left of the answer. – Anthony Neace May 21 '15 at 01:49

1 Answer


In short,

# generate a data key
$KMSKeyS3 = New-KMSDataKey -KeyId $KMSKeySource -KeySpec AES_256 -Region "ap-southeast-2"

[byte[]]$plaintextDataKey = $KMSKeyS3.Plaintext.ToArray()
[byte[]]$encryptedDataKey = $KMSKeyS3.CiphertextBlob.ToArray()
[string]$encryptedDatakeyBase64 = $([Convert]::ToBase64String($encryptedDataKey))

See this answer to a question on PowerShell and KMS for a comprehensive answer including tested encryption and decryption scripts, and base64 conversion.
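
The full round trip the question is after, as an added example that is not part of the original question or answer: the plaintext data key from New-KMSDataKey encrypts a file locally, only the CiphertextBlob is stored beside the ciphertext, and Invoke-KMSDecrypt unwraps it again later. It assumes AWS Tools for PowerShell v4 (where -CiphertextBlob accepts a byte array) and PowerShell 7.2+ for the .NET AesGcm and RandomNumberGenerator.GetBytes APIs; Protect-FileWithKms and Unprotect-FileWithKms are names chosen here, and $KMSKeySource is the key id from the question.

```powershell
# Added example, not from the original question or answer. Assumes AWS Tools for PowerShell v4
# (-CiphertextBlob accepts byte[]) and PowerShell 7.2+ (.NET AesGcm, RandomNumberGenerator.GetBytes).
$ErrorActionPreference = 'Stop'
$region = 'ap-southeast-2'

function Protect-FileWithKms {
    param([string]$Path, [string]$KeyId)
    # 1. Ask KMS for a fresh 256-bit data key; both fields come back as MemoryStreams
    $dk = New-KMSDataKey -KeyId $KeyId -KeySpec AES_256 -Region $region
    [byte[]]$plainKey   = $dk.Plaintext.ToArray()
    [byte[]]$wrappedKey = $dk.CiphertextBlob.ToArray()
    try {
        # 2. Encrypt the file locally with AES-256-GCM under the plaintext data key
        $nonce  = [System.Security.Cryptography.RandomNumberGenerator]::GetBytes(12)
        $data   = [System.IO.File]::ReadAllBytes($Path)
        $cipher = [byte[]]::new($data.Length)
        $tag    = [byte[]]::new(16)
        $aes = [System.Security.Cryptography.AesGcm]::new($plainKey)
        $aes.Encrypt($nonce, $data, $cipher, $tag)
        $aes.Dispose()
        # 3. Store only the wrapped key beside the ciphertext; the plaintext key is never written
        [ordered]@{
            KeyId      = $dk.KeyId
            WrappedKey = [Convert]::ToBase64String($wrappedKey)
            Nonce      = [Convert]::ToBase64String($nonce)
            Tag        = [Convert]::ToBase64String($tag)
            Ciphertext = [Convert]::ToBase64String($cipher)
        } | ConvertTo-Json | Set-Content -Path "$Path.enc" -Encoding utf8
    } finally {
        # 4. Scrub the plaintext key from memory once it is no longer needed
        [Array]::Clear($plainKey, 0, $plainKey.Length)
    }
}

function Unprotect-FileWithKms {
    param([string]$EnvelopePath, [string]$OutPath)
    $envelope = Get-Content -Path $EnvelopePath -Raw | ConvertFrom-Json
    # Only KMS can unwrap the data key; this call is what the key policy and CloudTrail gate
    $resp = Invoke-KMSDecrypt -CiphertextBlob ([Convert]::FromBase64String($envelope.WrappedKey)) -Region $region
    [byte[]]$plainKey = $resp.Plaintext.ToArray()
    try {
        $cipher = [Convert]::FromBase64String($envelope.Ciphertext)
        $plain  = [byte[]]::new($cipher.Length)
        $aes = [System.Security.Cryptography.AesGcm]::new($plainKey)
        # Decrypt checks the tag first, so a modified .enc file throws instead of yielding garbage
        $aes.Decrypt([Convert]::FromBase64String($envelope.Nonce), $cipher, [Convert]::FromBase64String($envelope.Tag), $plain)
        $aes.Dispose()
        [System.IO.File]::WriteAllBytes($OutPath, $plain)
    } finally { [Array]::Clear($plainKey, 0, $plainKey.Length) }
}
```

Usage: `Protect-FileWithKms -Path .\report.txt -KeyId $KMSKeySource` writes `report.txt.enc`, and `Unprotect-FileWithKms -EnvelopePath .\report.txt.enc -OutPath .\report.txt` restores it; on AWS Tools v3 wrap the byte array in a `[System.IO.MemoryStream]` before passing it to -CiphertextBlob.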
