使用 CiphertextBlob 作为字符串获取 InvalidCiphertextException

Question

I am trying to decrypt a string with AWS KMS, but I am getting an InvalidCiphertextException error (with no further information following the exception name).

I was originally decrypting in a node js lambda, using an environment variable as the source for encryptedString:

var params = {
    CiphertextBlob: Buffer.from(encryptedString, 'base64')
};
kms.decrypt(params, function(err, data) {
    if (err) {
        ...
    } else {
        ...
    }
}

I have also tried it with the CiphertextBlob value as a String, ie:

CiphertextBlob: encryptedString

The KMS key used to encrypt the value originally is a symmetric CMK so I believe I shouldn't need to pass in the key ID.

I also tried the same thing via awscli (passing in ciphertext-blob as a string) but got the same error:

aws kms decrypt --ciphertext-blob <encrypted string value> --query PlainText | base64 --decode

Passing in the key ID had no effect either.

I have used an online tool to validate that the encrypted string is base64. I'm not too clued up on base64 encoding so not sure if that's all it takes to prove the cipher text is valid.

I'm sure I'm failing with something fundamental - either my encrypted string is not base64 or not what decrypt expects, or I am missing some additional decrypt arguments perhaps.

Thanks in advance.

Answer 1

Based on the comments.

The issue is with decrypting SSM parameter. Thus, an encryption context must be provided during the decryption procedure. From docs :

Parameter Store includes this encryption context in calls to encrypt and decrypt the MyParameter parameter in an example AWS account and region.

"PARAMETER_ARN":"arn:aws:ssm:<REGION_NAME>:<ACCOUNT_ID>:parameter/<parameter-name>"

Therefore, if you are not using get_parameter with WithDecryption option set to True , you must provide the above encryption context during KMS decrypt operation.