I used OpenSSL to import my encrypted key material into AWS Key Management Service (AWS KMS). However, the request failed, and I received the "InvalidCiphertext" error.
Short description
By default, OpenSSL uses the SHA-1 hash function (RSAES_OAEP_SHA_256 algorithm).
To avoid import errors when you use the RSAES_OAEP_SHA_256 algorithm, use OpenSSL to encrypt your key material. Run the openssl pkeyutl command, and specify the parameters -pkeyopt rsa_padding_mode:oaep and -pkeyopt rsa_oaep_md:sha256.
Resolution
Use "external" for the key material origin to create an AWS KMS key
If you receive errors when you run AWS Command Line Interface AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Run the create-key and create-alias AWS CLI commands to create an AWS KMS for external key material:
export REGION=example-region-1export KEY_ALIAS=kms_key_with_externalmaterial
export KEY_ID=`aws kms create-key --region $REGION --origin EXTERNAL --description $KEY_ALIAS --query KeyMetadata.KeyId --output text`
aws kms --region $REGION create-alias --alias-name alias/$KEY_ALIAS --target-key-id $KEY_ID
Note: Replace the example-region-1 and kms_key_with_externalmaterial with your key's values.
Until you import the key material, the AWS KMS key status remains in Pending Import. Run the following command to view the key's status:
aws kms --region $REGION describe-key --key-id $KEY_ID
Download the wrapping public key and the import token
Run the get-parameters-for-import AWS CLI command to get the PublicKey and ImportToken values:
export KEY_PARAMETERS=`aws kms --region $REGION get-parameters-for-import --key-id $KEY_ID --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048`echo $KEY_PARAMETERS | awk '{print $7}' | tr -d '",' | base64 --decode > PublicKey.bin
echo $KEY_PARAMETERS | awk '{print $5}' | tr -d '",' | base64 --decode > ImportToken.bin
Use base64 to decode both values, and then store these values in separate files.
The wrapping public key is stored in PublicKey.bin and the import token is stored in ImportToken.bin.
Generate a 256-bit symmetric key
The key material must be a 256-bit (32-byte) symmetric key. Run one of the following commands to generate the key:
OpenSSL
openssl rand -out PlaintextKeyMaterial.bin 32
-or-
dd
dd if=/dev/urandom of=PlaintextKeyMaterial.bin bs=32 count=1
Verify that your OpenSSL version supports openssl pkeyutl
Important: The pkeyutl command is available only on OpenSSL version 1.0.2 and later versions.
If you use a Red Hat Enterprise Linux (RHEL) based Linux computer, such as an instance launched with an Amazon Linux Amazon Machine Image (AMI), then complete the following these steps:
-
Run the following command to check your OpenSSL version:
openssl version
-
To update OpenSSL, run the following command:
sudo yum -y update openssl
If you use macOS, then complete the following these steps:
-
Run the following Homebrew commands:
brew updatebrew upgrade openssl
brew info openssl
Note: The info openssl command shows you that OpenSSL is installed in /usr/local/opt/openssl/bin/.
-
Run the following command to confirm the OpenSSL version:
/usr/local/opt/openssl/bin/openssl version
-
To always use the most recent OpenSSL version, add the following line at the end of ~/.bash_profile:
export PATH="/usr/local/opt/openssl/bin:$PATH"
-
Run the following command:
source ~/.bash_profile
-
To verify the change in your macOS environment, run the following command:
echo $PATHopenssl version
Encrypt your key material with the wrapping public key
To use the most recent version of OpenSSL and the wrapping public key to encrypt your key material, run the openssl pkeyutl command:
openssl pkeyutl -in PlaintextKeyMaterial.bin -out EncryptedKeyMaterial.bin -inkey PublicKey.bin -keyform DER \ -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
The command generates EncryptedKeyMaterial.bin. Import this value as the encrypted key material into the AWS KMS key.
Note: The wrapping pubic key is stored in PublicKey.bin.
Import your encrypted key material
Complete the following steps:
-
Run the import-key-material AWS CLI command to import the encrypted key material into the AWS KMS key:
aws kms --region $REGION import-key-material --key-id $KEY_ID --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
Note: After the import completes, the key's status changes to Enabled.
-
Run the describe-key AWS CLI command to verify the key's status:
aws kms --region $REGION describe-key --key-id $KEY_ID