Encrypting secrets with AWS KMS

    $ aws kms encrypt \
        --key-id $KMS_KEY --plaintext 'my-secret' --output text --query CiphertextBlob > ./secret

Encrypting a secret gives us a binary string that’s base64 encoded. That’s right, two levels of encoding.

    $ aws kms decrypt --query Plaintext --output text --ciphertext-blob fileb://<(cat secret | base64 --decode) | base64 --decode
    my-secret%

Decrypting a secret takes a binary string as input (not a base64 encoded one!) and returns a base64 encoded string.
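The round trip above wrapped in two shell functions, as an added example that is not part of the original page. The plaintext is read from stdin and handed to the CLI with fileb:// instead of being typed as an argument, so it stays out of shell history and the process list. The function names kms_encrypt and kms_decrypt are hypothetical, and KMS_KEY is assumed to be set as in the commands above.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the aws CLI is
# configured with credentials and KMS_KEY names the key to use.

# kms_encrypt OUTFILE
# Reads the secret from stdin and writes the base64 CiphertextBlob to OUTFILE.
kms_encrypt() {
    kms_out=$1
    kms_tmp=$(mktemp) || return 1        # mktemp creates the file mode 0600
    cat > "$kms_tmp"                     # plaintext bytes, never on argv
    kms_rc=0
    ( umask 077                          # ciphertext file readable by owner only
      aws kms encrypt --key-id "$KMS_KEY" \
          --plaintext "fileb://$kms_tmp" \
          --output text --query CiphertextBlob > "$kms_out" ) || kms_rc=$?
    rm -f "$kms_tmp"
    return "$kms_rc"
}

# kms_decrypt INFILE
# INFILE holds the base64 text written by kms_encrypt. KMS wants the raw
# binary blob, so decode it first; the Plaintext field comes back base64
# encoded, so decode that as well. Prints the secret on stdout.
kms_decrypt() {
    kms_in=$1
    kms_tmp=$(mktemp) || return 1
    if ! base64 --decode < "$kms_in" > "$kms_tmp"; then
        rm -f "$kms_tmp"
        return 1
    fi
    # Capture the output first so a failed aws call is not masked by the pipe.
    if ! kms_b64=$(aws kms decrypt --ciphertext-blob "fileb://$kms_tmp" \
                       --output text --query Plaintext); then
        rm -f "$kms_tmp"
        return 1
    fi
    rm -f "$kms_tmp"
    printf '%s' "$kms_b64" | base64 --decode
}

# Usage (requires network access and credentials):
#   printf '%s' 'my-secret' | kms_encrypt ./secret
#   kms_decrypt ./secret
```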
