
How do I use OpenSSL to encrypt a file with AWS KMS asymmetric keys?


I want to use OpenSSL to encrypt a file with AWS Key Management Service (AWS KMS) keys.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Create the RSA key pair, download the public key, and create an AES 256-bit key

Complete the following steps:

  1. Create the RSA key pair.
  2. To download the public key, run the get-public-key AWS CLI command:
    aws kms get-public-key --key-id your-key-id --output text --query 'PublicKey' > RSAPublic.b64 && base64 -d RSAPublic.b64 > RSAPublic.bin
    Note: Replace your-key-id with your asymmetric key ID. The --query option selects the PublicKey field (base64 text), and base64 -d then decodes it into a DER-encoded key in RSAPublic.bin.
  3. Run the following OpenSSL rand command to create an Advanced Encryption Standard (AES) 256-bit key:
    openssl rand -base64 32 > key.bin

Encrypt your data

Complete the following steps:

  1. Run the following OpenSSL enc command with the key.bin file:
    openssl enc -aes-256-cbc -salt -pbkdf2 -in FILE_TO_ENCRYPT -out FILE_TO_ENCRYPT.enc -pass file:./key.bin
    Note: Replace FILE_TO_ENCRYPT with the name of your file. The -pbkdf2 option is only available with OpenSSL 1.1.1. The Amazon Linux 2 Amazon Machine Image (AMI) uses OpenSSL 1.0.2 and doesn't support the -pbkdf2 option.
  2. Encrypt the key.bin file with the AWS KMS public key. This secures your key data. Only users that have access to your AWS KMS private key can access the key.bin file. To do so, run the OpenSSL pkeyutl command:
    openssl pkeyutl -in key.bin -out enc.key.bin -inkey RSAPublic.bin -keyform DER -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    Note: The pkeyutl command uses RSA-OAEP with SHA-256, which matches the RSAES_OAEP_SHA_256 algorithm that the AWS KMS Decrypt API supports. The AWS KMS public key RSAPublic.bin encrypts the AES 256-bit key and creates a new file that's named enc.key.bin.
  3. To remove the plaintext key.bin file so that users must decrypt the enc.key.bin file to access the key, run the rm shell command:
    rm key.bin
    Note: After this step, the AES key exists only inside enc.key.bin, so keep that file together with the encrypted data.
  4. (Optional) Delete the original file that you wanted to encrypt so that users can't access the file.

You now have the following resources:

  • The encrypted data in the FILE_TO_ENCRYPT.enc file.
  • The encrypted AES 256-bit key enc.key.bin.
  • The AWS KMS public key RSAPublic.bin.

Note: Users with encrypted data must send you the files to decrypt.

Decrypt your files

To retrieve the encrypted data, decrypt enc.key.bin, and then use that key to decrypt the file FILE_TO_ENCRYPT.enc.

Note: You must have access to the AWS KMS API because the AWS KMS private key isn't viewable in plaintext.

Complete the following steps:

  1. To send the enc.key.bin file to the AWS KMS API for decryption, run the decrypt AWS CLI command:
    aws kms decrypt --key-id your-key-id --ciphertext-blob fileb://enc.key.bin --encryption-algorithm RSAES_OAEP_SHA_256 --output text --query 'Plaintext' | base64 --decode > decryptedKey.bin
    Note: Replace your-key-id with your key ID. The --query option selects the Plaintext field (base64 text), and base64 --decode then writes the raw key to the decryptedKey.bin file.
  2. To output the decrypted file, use the decryptedKey.bin file when you run the following OpenSSL enc command:
    openssl enc -d -aes-256-cbc -pbkdf2 -in FILE_TO_ENCRYPT.enc -out DECRYPTED_FILE -pass file:./decryptedKey.bin
    Note: Replace DECRYPTED_FILE with the name of your file.
  3. To verify that the encryption and decryption completed successfully, compare the DECRYPTED_FILE and FILE_TO_ENCRYPT.
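The complete envelope-encryption round trip above, as an added example that is not part of the AWS article: a locally generated RSA key pair (an assumption of this example) stands in for the AWS KMS asymmetric key, so the flow can run offline, and a local pkeyutl -decrypt stands in for the aws kms decrypt call. Everything else uses the same OpenSSL commands and file names as the steps above.

```shell
#!/bin/sh
# Added example, not from the AWS article. A local RSA key pair replaces
# the KMS key so the round trip runs offline; in the real flow the private
# key never leaves KMS and unwrapping is done by `aws kms decrypt`.
set -eu

# Stand-in for "create the RSA key pair" + "aws kms get-public-key":
# the public half is exported as DER, the format KMS returns.
make_keypair() {
  dir=$1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/kms-private.pem" 2>/dev/null
  openssl pkey -in "$dir/kms-private.pem" -pubout -outform DER \
    -out "$dir/RSAPublic.bin"
}

# Encrypt side, mirroring the article's steps: random AES-256 key,
# AES-CBC file encryption, RSA-OAEP-SHA256 key wrap, plaintext key removed.
envelope_encrypt() {
  dir=$1; plain=$2
  openssl rand -base64 32 > "$dir/key.bin"
  openssl enc -aes-256-cbc -salt -pbkdf2 -in "$plain" -out "$plain.enc" \
    -pass "file:$dir/key.bin"
  openssl pkeyutl -in "$dir/key.bin" -out "$dir/enc.key.bin" \
    -inkey "$dir/RSAPublic.bin" -keyform DER -pubin -encrypt \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
  rm "$dir/key.bin"   # only the wrapped key remains (article step 3)
}

# Decrypt side: the pkeyutl -decrypt call stands in for
# `aws kms decrypt --encryption-algorithm RSAES_OAEP_SHA_256`.
envelope_decrypt() {
  dir=$1; enc=$2; out=$3
  openssl pkeyutl -in "$dir/enc.key.bin" -out "$dir/decryptedKey.bin" \
    -inkey "$dir/kms-private.pem" -decrypt \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$enc" -out "$out" \
    -pass "file:$dir/decryptedKey.bin"
}

# Round trip on a constructed sample file; succeeds (exit 0) only if the
# plaintext key was removed and the decrypted output matches the original.
roundtrip() {
  dir=$(mktemp -d)
  printf 'constructed sample secret\n' > "$dir/sample.txt"
  make_keypair "$dir"
  envelope_encrypt "$dir" "$dir/sample.txt"
  [ ! -e "$dir/key.bin" ]
  envelope_decrypt "$dir" "$dir/sample.txt.enc" "$dir/sample.dec"
  cmp -s "$dir/sample.txt" "$dir/sample.dec"
}
```

Run `roundtrip` after sourcing the file; the final cmp is the same check as the article's last step.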