KMS) Envelope encryption with openssl and java decryption

This is a memo.

The security of this method is not very strong, so treat it as a reference only.

Generate a KMS data key with the AWS CLI

$ aws kms generate-data-key --key-spec "AES_128" --key-id "arn:aws:kms:REGION_NAME:ACCOUNT_ID:key/HOGEHOGE"

{
  "CiphertextBlob": "foo",
  "Plaintext": "bar",
  "KeyId": "KEY-ID"
}

The returned CiphertextBlob and Plaintext are Base64-encoded.

Encrypt with openssl

$ KEY=$(echo "bar" | base64 -d | od -A n -t x1 -v | sed -e 's/ //g')
$ openssl aes-128-ecb -e -in secret.txt -out encrypted.txt -base64  -K ${KEY}

KEY is the KMS data key converted to a hex string (a smarter way of doing this would be welcome). Encrypt with the openssl command. Because this uses ECB mode (plain block-by-block processing), no initialization vector is needed.

Decrypt with Java

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Decrypt {
    public static void main(String[] args) throws Exception {
        String encryptedTxt = "baz";   // contents of encrypted.txt (openssl -base64 output)
        String plainDataKey = "bar";   // Plaintext field of generate-data-key (Base64)

        // java.util.Base64 replaces javax.xml.bind.DatatypeConverter, which was removed in Java 11
        byte[] key = Base64.getDecoder().decode(plainDataKey);
        SecretKeySpec secretKey = new SecretKeySpec(key, "AES");

        // "AES" alone defaults to ECB with PKCS5 padding, which is what matches
        // openssl aes-128-ecb; spelling it out makes the dependency on ECB visible
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, secretKey);

        // openssl -base64 wraps its output at 64 characters; the MIME decoder
        // accepts those line breaks, whereas getDecoder() would throw on them
        byte[] encrypted = Base64.getMimeDecoder().decode(encryptedTxt);

        String decryptedTxt = new String(cipher.doFinal(encrypted), StandardCharsets.UTF_8);
        System.out.println("result: " + decryptedTxt);
    }
}

In the example above, plainDataKey is hard-coded, but strictly speaking plainDataKey should be obtained by decrypting the CiphertextBlob, as described in the AWS documentation. The AWS documentation also says to discard the plaintext data key as soon as it has been used.

Other

If you want to do it properly, you should generate an initialization vector as well as the key. Think of it as: taking the easy way = reduced security.
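As an added example (not code from the original post), here is the same openssl flow done the "proper" way the paragraph above describes: a random IV is generated and AES-128-CBC is used instead of ECB, and a small check shows why ECB is the weaker choice (identical plaintext blocks come out as identical ciphertext blocks). DATA_KEY_HEX is a constructed stand-in for the KMS data key, and the two-line envelope layout (IV hex on line 1, base64 ciphertext after it) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl, od, sed
# and cut are on PATH. DATA_KEY_HEX is a constructed stand-in for the KMS
# data key: in real use it is the Plaintext field of generate-data-key
# converted to hex as in the post, and it is never hard-coded like this.
DATA_KEY_HEX="000102030405060708090a0b0c0d0e0f"

# Encrypt file $1 into envelope file $2 with AES-128-CBC and a fresh random IV.
# Constructed envelope layout: line 1 = IV in hex, remaining lines = base64
# ciphertext (openssl wraps it at 64 characters, as the post's command does).
envelope_encrypt() {
    iv=$(openssl rand -hex 16)
    printf '%s\n' "$iv" > "$2"
    openssl enc -aes-128-cbc -e -in "$1" -K "$DATA_KEY_HEX" -iv "$iv" -base64 >> "$2"
}

# Reverse of envelope_encrypt: IV from line 1, decrypt the rest into file $2.
envelope_decrypt() {
    iv=$(sed -n '1p' "$1")
    sed '1d' "$1" | openssl enc -aes-128-cbc -d -K "$DATA_KEY_HEX" -iv "$iv" -base64 > "$2"
}

# Encrypt two identical 16-byte blocks in mode $1 (ecb or cbc) and return 0
# when the two ciphertext blocks are identical. The hex string is produced
# with the same od trick the post uses for the key.
repeats_blocks() {
    if [ "$1" = ecb ]; then ivopt=""; else ivopt="-iv $(openssl rand -hex 16)"; fi
    ct=$(printf '%s%s' 'sixteen byte blk' 'sixteen byte blk' \
        | openssl enc "-aes-128-$1" -e -K "$DATA_KEY_HEX" $ivopt \
        | od -A n -t x1 -v | tr -d ' \n')
    [ "$(printf '%s' "$ct" | cut -c1-32)" = "$(printf '%s' "$ct" | cut -c33-64)" ]
}

main() {
    dir=$(mktemp -d)
    printf 'secret message\n' > "$dir/secret.txt"
    envelope_encrypt "$dir/secret.txt" "$dir/secret.env"
    envelope_decrypt "$dir/secret.env" "$dir/decrypted.txt"
    echo "decrypted: $(cat "$dir/decrypted.txt")"
    repeats_blocks ecb && echo "ECB: repeated plaintext blocks give repeated ciphertext blocks"
    repeats_blocks cbc || echo "CBC: the same two blocks no longer match"
    rm -r "$dir"
}
main
```

The decrypting side (the Java program above, for instance) then has to read the IV from line 1 and use "AES/CBC/PKCS5Padding" with an IvParameterSpec instead of the ECB transformation.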
