New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add kms decrypt argument for base64 encoded input #2063

Open
theazureshadow opened this Issue Jul 11, 2016 · 32 comments

Comments

Projects
None yet
@theazureshadow
Copy link

theazureshadow commented Jul 11, 2016

The output for aws kms encrypt is a base64-encoded string. The input for aws kms decrypt is a binary string, which is not particularly bash-friendly. See #1100.

It would be useful if there was an additional --ciphertext-base64 argument that could take that same base64 blob from encrypt and decrypt it correctly.

@kyleknap

This comment has been minimized.

Copy link
Member

kyleknap commented Jul 12, 2016

Marking as a feature request.

Are you blocked on this? Could you chain the commands with base64 to handle your use case? Like I do in this blog post

@theazureshadow

This comment has been minimized.

Copy link
Author

theazureshadow commented Jul 12, 2016

I'm not blocked, but it is really non-obvious what's going wrong. We lost a bit of time when trying to validate that we'd encoded our data correctly. Seems like an easy win to be able to specify base64-encoded ciphertext.

@w32-blaster

This comment has been minimized.

Copy link

w32-blaster commented Aug 11, 2016

I agree with this. There are use cases where it's not trivial to chain commands to get the correct result. It would help in many cases.

@ajlanghorn

This comment has been minimized.

Copy link

ajlanghorn commented Aug 30, 2016

👍 to this.

@iadknet

This comment has been minimized.

Copy link

iadknet commented Sep 21, 2016

👍

5 similar comments
@wheresvic

This comment has been minimized.

Copy link

wheresvic commented Nov 15, 2016

👍

@rbm1337

This comment has been minimized.

Copy link

rbm1337 commented Jan 30, 2017

👍

@ghost

This comment has been minimized.

Copy link

ghost commented Mar 9, 2017

+1

@kid7st

This comment has been minimized.

Copy link

kid7st commented Apr 25, 2017

+1

@sinogermany

This comment has been minimized.

Copy link

sinogermany commented Jul 13, 2017

+1

@techypaul

This comment has been minimized.

Copy link

techypaul commented Aug 9, 2017

+1, in the meantime for anyone else looking:

echo AQICAHhb....ZClShBC8dZpCg== | base64 --decode > /tmp/temp.enc
DB_PASS=$(aws kms decrypt --region eu-west-1 --ciphertext-blob fileb:///tmp/temp.enc --query Plaintext --output text | base64 --decode)
sed -i -e "s/<<DB_PASS>>/${DB_PASS}/g" /var/www/mysite/DbSettings.php
@gonzaloserrano

This comment has been minimized.

Copy link

gonzaloserrano commented Sep 7, 2017

+1

6 similar comments
@jordimirobruix

This comment has been minimized.

Copy link

jordimirobruix commented Sep 7, 2017

+1

@coboshm

This comment has been minimized.

Copy link

coboshm commented Sep 7, 2017

+1

@ryanskinner

This comment has been minimized.

Copy link

ryanskinner commented Oct 31, 2017

+1

@mlamothe-broadsoft

This comment has been minimized.

Copy link

mlamothe-broadsoft commented Oct 31, 2017

+1

@chi42

This comment has been minimized.

Copy link

chi42 commented Nov 15, 2017

+1

@nikhithn

This comment has been minimized.

Copy link

nikhithn commented Dec 29, 2017

+1

@scf37

This comment has been minimized.

Copy link

scf37 commented Jan 29, 2018

AFAIK there is no way to call aws kms decrypt from bash with binary string as parameter. So the only way to avoid writing secrets to disk is to use Python and boto.

@lcharkiewicz

This comment has been minimized.

Copy link

lcharkiewicz commented Jan 29, 2018

@scf37 there is a way. You need to use process substitution for --ciphertext-blob parameter.
Example:

echo $(aws kms decrypt --ciphertext-blob fileb://<(echo -n "$YOUR_BASE64_CIPHERTEXT" | base64 --decode) --output text --query Plaintext | base64 --decode)
@ASayre

This comment has been minimized.

Copy link
Contributor

ASayre commented Feb 6, 2018

Good Morning!

We're closing this issue here on GitHub, as part of our migration to UserVoice for feature requests involving the AWS CLI.

This will let us get the most important features to you, by making it easier to search for and show support for the features you care the most about, without diluting the conversation with bug reports.

As a quick UserVoice primer (if not already familiar): after an idea is posted, people can vote on the ideas, and the product team will be responding directly to the most popular suggestions.

We’ve imported existing feature requests from GitHub - Search for this issue there!

And don't worry, this issue will still exist on GitHub for posterity's sake. As it’s a text-only import of the original post into UserVoice, we’ll still be keeping in mind the comments and discussion that already exist here on the GitHub issue.

GitHub will remain the channel for reporting bugs.

Once again, this issue can now be found by searching for the title on: https://aws.uservoice.com/forums/598381-aws-command-line-interface

-The AWS SDKs & Tools Team

This entry can specifically be found on UserVoice at: https://aws.uservoice.com/forums/598381-aws-command-line-interface/suggestions/33168328-add-kms-decrypt-argument-for-base64-encoded-input

@ASayre ASayre closed this Feb 6, 2018

@jamesls

This comment has been minimized.

Copy link
Member

jamesls commented Apr 6, 2018

Based on community feedback, we have decided to return feature requests to GitHub issues.

@jamesls jamesls reopened this Apr 6, 2018

@jpduckwo

This comment has been minimized.

Copy link

jpduckwo commented Apr 20, 2018

I'd love to see this feature. Just to reiterate why it's needed....

When you encrypt some data with the kms encrypt command the output is base64 encoded. Base64 encoded encrypted values are widely used. For example storing encrypted environment vars (this is how lamba encryption helpers work).

HOWEVER...

When you call the kms decrypt command the only option is to pass the encrypted data as binary (blob). So all the base64 values have to first be decoded to binary and then decrypted.

AND...

You can't pass the encrypted binary data via stdin to the command - so something like this doesn't work either... base64 --decode encrypted.base64 | aws kms decrypt You have to first convert the file to a binary version and then run the command with --ciphertext-blob

The morale of the story is... PLEASE add --ciphertext-base64 as an option. And while you're at it, it would be good to be able to support stdin too.

🙏😜

@jpduckwo

This comment has been minimized.

Copy link

jpduckwo commented Apr 20, 2018

Well I'll eat my words... it turns out you can use standard in (on *nix anyway)

Try this:

base64 --decode test.txt.encrypted.base64 | aws kms decrypt --ciphertext-blob fileb:///dev/stdin --output text --query Plaintext | base64 --decode

I hope that helps some of you too!

@mlamothe-broadsoft

This comment has been minimized.

Copy link

mlamothe-broadsoft commented Apr 23, 2018

Yes, but the base64 executable still needs to read from a file, which is an hassle and potential security risk to leave lying around.

Just like when encrypting, we need to be able to simply pass the base64 string on the command line which can only be done if that AWS CLI accepts base64 encoded text.

@agrawaltarun

This comment has been minimized.

Copy link

agrawaltarun commented May 4, 2018

I am trying to pass the KMS encrypted secret but do not want to create a separate file as do not want to add file handling routines. Surprised this is not implemented though looks like a doable ask.

@mohsinkerai

This comment has been minimized.

Copy link

mohsinkerai commented May 30, 2018

+1

@paulieborg

This comment has been minimized.

Copy link

paulieborg commented Aug 15, 2018

1 liner with no file (ugly but works)
echo "${KMS_ENCRYPTED_STRING}" | base64 -D | aws kms decrypt --ciphertext-blob fileb:///dev/stdin --output text --query Plaintext | base64 -D
(Props to @jpduckwo )

This is MacOS BTW ... you might need to use base64 -w 0 for Linux - I don't have a instance handy

@jamesls jamesls added the v2 label Oct 1, 2018

@kbuchsicf

This comment has been minimized.

Copy link

kbuchsicf commented Oct 25, 2018

I am really supportive of this request. If fileb:///dev/stdin is supported, then that should appear in the documentation. But, it is complicated. I think having --ciphertext-blob-file or --ciphertext-blob-64 would add a lot of clarity. I have a case where the base64 ciphertext is stored in DynamoDB. I need to retrieve that, base64 decode it and save it to a file (or send over a pipe) and then AWS CLI has to turn around and do the base64 encoding. Keeping ciphertexts and plaintexts off the file system is an important security feature.

@rdkls

This comment has been minimized.

Copy link

rdkls commented Dec 28, 2018

--ciphertext-blob-64

I think this the best solution - doesn't break existing implementations, leaving --ciphertext-blob as-is, but adds a sorely needed feature. @kyleknap if I implement will it be endorsed?

@hauntingEcho

This comment has been minimized.

Copy link

hauntingEcho commented Dec 28, 2018

reiterating something from #1043 - this doesn't need to be a separate argument, as : is not a valid character in any base64 variant I'm aware of. It could just be:
--ciphertext-blob proto://path (e.g. fileb://file.bin or file://file.txt)
and
--ciphertext-blob B64String

By my understanding, ciphertext-blob does not accept an argument without a protocol currently (as only fileb is supported), so this would not be a breaking change

@justinmchase

This comment has been minimized.

Copy link

justinmchase commented Dec 31, 2018

base64 is itself an accepted protocol in html image tags. It would be easy to just support a base64 protocol on the chiphertext blob, like:

aws kms decrypt --ciphertext-blob base64://${ENCRYPTED_B64_STRING} --output text --query Plaintext
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment