$ aws kms encrypt \
--key-id $KMS_KEY
--plaintext 'my-secret'
--output text
--query CiphertextBlob
> ./secret
Encrypting a secret gives us a binary string that’s base64 encoded. That’s right, two levels of encoding.
$ aws kms decrypt
--query Plaintext
--output text
--ciphertext-blob fileb://<(cat secret | base64 --decode)
| base64 --decode
my-secret%
Decrypting a secret takes a binary string as input (not a base64 encoded one!)
and returns a base64 encoded string. That means that the output we got from aws
kms encrypt
needs to be base64 decoded to a binary string and fed into aws
kms decrypt
.
Breaking down the parameters:
aws decrypt --ciphertext-blob
The secret in form of a binary string we want to decrypt.aws encrypt --key-id
The KMS key ID that we’ll use to encrypt our secret.--output text
JSON is the default output format of the aws cli. If the cli returns a JSON string it will be quoted, e.g"my-secret"
. Providing the--output
parameter strips the quotes from our string which is what we usually want.--query CiphertextBlob
By default the aws cli returns a JSON structure with the key and the secret. We only want the secret (CiphertextBlob
) so we’ll use query to filter the output.