Encrypting secrets with AWS KMS

Posted on Mar 12, 2018

aws kms secrets

$ aws kms encrypt \
    --key-id $KMS_KEY
    --plaintext 'my-secret'
    --output text
    --query CiphertextBlob
    > ./secret

Encrypting a secret gives us a binary string that’s base64 encoded. That’s right, two levels of encoding.

$ aws kms decrypt
    --query Plaintext
    --output text
    --ciphertext-blob fileb://<(cat secret | base64 --decode)
    | base64 --decode
my-secret%

Decrypting a secret takes a binary string as input (not a base64 encoded one!) and returns a base64 encoded string. That means that the output we got from aws kms encrypt needs to be base64 decoded to a binary string and fed into aws kms decrypt.

Breaking down the parameters:

aws decrypt --ciphertext-blob The secret in form of a binary string we want to decrypt.
aws encrypt --key-id The KMS key ID that we’ll use to encrypt our secret.
--output text JSON is the default output format of the aws cli. If the cli returns a JSON string it will be quoted, e.g "my-secret". Providing the --output parameter strips the quotes from our string which is what we usually want.
--query CiphertextBlob By default the aws cli returns a JSON structure with the key and the secret. We only want the secret (CiphertextBlob) so we’ll use query to filter the output.