4

How do I get the KMS key information from the ciphertext blob?

Taking the example from the AWS website

AWS KMS doc

aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://ExamplePlaintextFile --output text --query CiphertextBlob | base64 --decode > ExampleEncryptedFile

Is there any way to look at ExampleEncryptedFile and figure out which KMS key was used to encrypt it?

I ask because I'm having a problem reading something I encrypted and I want to verify it was encrypted with the key I thought it was.

Malcolm O'Hare
  • 4,879
  • 3
  • 33
  • 53

3 Answers

3

Yes, you can get the key id by using aws kms decrypt (pass it the ciphertext and region) which does not require a key id to perform decryption. The information about the key that was used to encrypt is part of the ciphertext, therefore, KMS will be able to get this information and return you the "Plaintext" and the "KeyId".

Thando Toto
  • 381
  • 4
  • 8
1

I'm afraid you won't be able to do it. The encrypt API uses a customer master key (CMK) to encrypt the data, and that key never leaves AWS. Unless you saved the key ID somewhere (which is not a great practice), you won't be able to derive it from the encrypted file.

A couple things that can help, in case you have administrative access to the AWS console:

  • literally try calling aws kms decrypt using the master keys you have (assuming they are not many and the original one has not been deleted);
  • looking at your CloudTrail logs, you might be able to figure out which key was used if you have a rough idea of the time when it was used (assuming you have CloudTrail enabled on your KMS operations).
Viccari
  • 9,029
  • 4
  • 43
  • 77
  • 1
    I disagree with your first point as that API call does not require you to specify the master key. The encrypted data contains the master key, therefore, KMS will be able to determine this and return you the master key ID as part of the returned data. – Thando Toto Mar 02 '19 at 11:51
  • 1
    Absolutely, I agree with you. Reading my response again, it is not very clear. What I meant is that you can call the `decrypt` API and if you still have the original customer master key, the operation will succeed. No need to specify the key as parameter. Thanks for the comment! – Viccari Mar 04 '19 at 02:33
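The two approaches discussed in the answers and comments above, as an added shell example that is not code from any of the posters. Function one calls aws kms decrypt with no --key-id and reads the KeyId from the response; for ciphertext produced by a symmetric KMS key the key metadata travels inside the blob, so this works as long as the caller has kms:Decrypt on that key and the key still exists. Function two follows the CloudTrail suggestion and lists the key ARNs recorded in Encrypt events within a time window, which narrows the candidates when decrypting is not an option. It assumes a configured AWS CLI, that CloudTrail reports the key as a resource of type AWS::KMS::Key with its ARN as ResourceName, and that REGION and the start/end timestamps are supplied by the caller; the account id and second key id used in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from any answer on this page. Two ways to learn which
# KMS key encrypted a blob:
#   1. `aws kms decrypt` without --key-id: for ciphertext from a symmetric
#      KMS key the key metadata is inside the blob, and the response's KeyId
#      names the key (requires kms:Decrypt on that key).
#   2. CloudTrail: list the keys named in Encrypt events in a time window,
#      to narrow down candidates when you cannot decrypt.
# Assumes a configured AWS CLI; REGION and the time window are placeholders
# supplied by the caller.

# kms_key_of_blob FILE REGION
# Prints the ARN of the key that encrypted FILE, or fails if the caller
# cannot decrypt with that key (no permission, or the key was deleted).
kms_key_of_blob() {
  aws kms decrypt --region "$2" \
    --ciphertext-blob "fileb://$1" \
    --output text --query KeyId
}

# verify_kms_key FILE REGION EXPECTED
# Succeeds only when the key that encrypted FILE ends with EXPECTED
# (a bare key id or a full key ARN); prints the actual key on mismatch.
verify_kms_key() {
  actual=$(kms_key_of_blob "$1" "$2") || return 1
  case "$actual" in
    *"$3") return 0 ;;
    *)
      echo "mismatch: blob was encrypted under $actual" >&2
      return 1 ;;
  esac
}

# kms_keys_in_encrypt_events REGION START END
# Prints, deduplicated and one per line, the KMS key ARNs recorded in
# Encrypt events between START and END (ISO-8601 timestamps). Requires
# cloudtrail:LookupEvents; assumption: the key appears as a resource of
# type AWS::KMS::Key whose ResourceName is the key ARN.
kms_keys_in_encrypt_events() {
  aws cloudtrail lookup-events --region "$1" \
    --lookup-attributes AttributeKey=EventName,AttributeValue=Encrypt \
    --start-time "$2" --end-time "$3" \
    --output text \
    --query 'Events[].Resources[?ResourceType==`AWS::KMS::Key`].ResourceName' \
  | tr '\t' '\n' | grep '^arn:aws:kms:' | sort -u
}
```

Typical use is verify_kms_key ExampleEncryptedFile us-east-1 1234abcd-12ab-34cd-56ef-1234567890ab, which exits non-zero and names the real key when the blob was encrypted under something else. Decryption also requires the caller to be allowed on that key, so an AccessDenied error from the first function is itself a hint that the blob belongs to a key the current principal cannot use; the CloudTrail listing then shows which keys were exercised around the time of the encryption.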
1

The encrypted blob contains the key information required to decrypt it. There is no way to figure out what key an encrypted blob was encrypted with as it's part of the encrypted value. If you're unsure which key you used, you will have to either roll the value and encrypt it again or start attempting to decrypt with permissions that only have access to one key at a time.

Moe
  • 2,672
  • 10
  • 22