KMS
Let’s say you, as an attacker, find an encrypted blob and wish to use the AWS CLI tool to decrypt the data. This is not necessarily a straightforward process, because the AWS CLI stores the encrypted blob using several rounds of base64 encoding. You can attempt to just send the file blob over, but you will find that there is very little documentation on how to make this work. Here is an encrypt/decrypt set of steps that will work:
This takes a plaintext file, runs it through the system, outputs the ciphertext blob of the result as text, base64-decodes it, then base64-encodes it again with each line being 76 characters in length. The result is stored in a format that we can easily decode.
How would we decrypt it? We have to cat the stored blob out as if it were a file and base64-decode it while doing so. Then we can run the returned plaintext through another round of base64 to decode it. Ugly? You bet!
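The encoding layers described above, written out as an added example (not the page's original commands). The function names, file arguments and the `alias/example-key` key ID are hypothetical placeholders, and `base64 -d` is assumed to be the decode flag of the local `base64` tool.

```shell
#!/bin/sh
# Added example: the base64 layers around `aws kms encrypt` / `aws kms decrypt`.
# KEY_ID is a placeholder; substitute a key you are authorized to use.
KEY_ID="${KEY_ID:-alias/example-key}"

# The CLI prints CiphertextBlob as one long base64 line. Decode it to raw
# bytes, then re-encode it wrapped at 76 columns for storage as text.
store_blob() {          # stdin: base64 text from the CLI, $1: output file
    base64 -d | base64 | tr -d '\n' | fold -w 76 > "$1"
    echo >> "$1"        # fold leaves the last line without a newline
}

# Turn the stored text back into the raw bytes that fileb:// expects.
load_blob() {           # $1: stored file, stdout: raw ciphertext bytes
    base64 -d < "$1"
}

kms_encrypt_file() {    # $1: plaintext file, $2: stored ciphertext file
    aws kms encrypt --key-id "$KEY_ID" --plaintext "fileb://$1" \
        --query CiphertextBlob --output text | store_blob "$2"
}

kms_decrypt_file() {    # $1: stored ciphertext file, stdout: plaintext
    raw=$(mktemp) || return 1
    load_blob "$1" > "$raw"
    # The Plaintext field of the response is base64 as well, hence the
    # final decode before the data is usable.
    aws kms decrypt --ciphertext-blob "fileb://$raw" \
        --query Plaintext --output text | base64 -d
    rc=$?
    rm -f "$raw"
    return $rc
}
```

A temporary file is used for the raw ciphertext instead of process substitution so the functions also work in a plain POSIX `sh`.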