This is a memo.
The security of this approach is not very strong, so treat it as a reference only.
$ aws kms generate-data-key --key-spec "AES_128" --key-id "arn:aws:kms:REGION_NAME:ACCOUNT_ID:key/HOGEHOGE"
{
    "CiphertextBlob": "foo",
    "Plaintext": "bar",
    "KeyId": "KEY-ID"
}
The returned CiphertextBlob and Plaintext are Base64-encoded by the CLI. CiphertextBlob is the data key encrypted under the KMS key (safe to store next to the data); Plaintext is the raw data key and is what the following commands use.
$ KEY=$(echo "bar" | base64 -d | od -A n -t x1 -v | tr -d ' \n')
$ openssl aes-128-ecb -e -in secret.txt -out encrypted.txt -base64 -K ${KEY}
KEY is the KMS data key (the Base64 Plaintext value) converted to a hex string, which is the form openssl's -K expects (there is probably a smarter way to do the conversion; tr rather than sed also copes with od wrapping a longer key onto several rows). The file is then encrypted with the openssl command. Because ECB mode is used, no initialization vector is needed for the block processing. That is exactly what makes it weak: each 16-byte block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in the plaintext show through. Note also that -base64 wraps its output at 64 columns; the decoder on the other side has to tolerate those line breaks (or add -A to keep it on one line).
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class KmsEcbDecrypt {
    public static void main(String[] args) throws Exception {
        String encryptedTxt = "baz"; // Base64 output of the openssl command above
        String plainDataKey = "bar"; // Base64 "Plaintext" field of generate-data-key
        byte[] key = Base64.getMimeDecoder().decode(plainDataKey); // MIME decoder tolerates openssl's 64-column line breaks
        SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); // what plain "AES" resolves to; matches openssl aes-128-ecb
        cipher.init(Cipher.DECRYPT_MODE, secretKey);
        byte[] encrypted = Base64.getMimeDecoder().decode(encryptedTxt);
        String decryptedTxt = new String(cipher.doFinal(encrypted), StandardCharsets.UTF_8);
        System.out.println("result: " + decryptedTxt);
    }
}
In the above example, plainDataKey is hard-coded. To do it correctly, the application should store only the CiphertextBlob and obtain plainDataKey at runtime by passing that blob to the KMS Decrypt API, as described in the AWS documentation. The AWS documentation also says to remove the plaintext data key from memory as soon as you have finished using it.
If you want to do it right, you should also generate an initialization vector (a fresh random one per message) and use a mode that takes one instead of ECB. Think of the method above as convenience bought at the cost of security.
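The whole flow as an added example that is not part of the original memo, in shell. A locally generated random key stands in for the Base64 Plaintext field of generate-data-key, so no AWS call is made; the rest is the memo's commands wrapped in functions, plus a check that makes the ECB weakness visible and the random-IV CBC variant the paragraph above recommends. The function names (b64_to_hex, ecb_encrypt, cbc_encrypt, distinct_blocks, and so on) and the sample inputs are this example's own, not anything from the memo or from AWS.

```sh
#!/bin/sh
# Added example, not code from the original memo: the data-key + openssl flow run
# offline, with the ECB weakness made visible and the IV-based variant beside it.
# A locally generated random key (constructed) stands in for the Base64 "Plaintext"
# field that `aws kms generate-data-key --key-spec AES_128` returns; no AWS call is made.
set -eu

# Base64 data key -> 32-char hex string, the form openssl's -K expects.
# od prints 16 bytes per row; tr removes the spaces and any row breaks (a 16-byte
# AES-128 key fits one row, a 32-byte AES-256 key would not, so sed 's/ //g' is not enough).
b64_to_hex() {
    printf '%s' "$1" | openssl base64 -d -A | od -A n -t x1 -v | tr -d ' \n'
}

# The memo's method: AES-128-ECB, no IV. -A keeps the Base64 on one line so the
# ciphertext can be pasted into the Java side without worrying about line wrapping.
ecb_encrypt() { openssl enc -aes-128-ecb -e -K "$1" -base64 -A; }   # $1 = hex key, stdin = plaintext
ecb_decrypt() { openssl enc -aes-128-ecb -d -K "$1" -base64 -A; }   # $1 = hex key, stdin = Base64 ciphertext

# The variant the memo calls "doing it right": a fresh random IV per message, AES-128-CBC.
# The IV is not secret; store or send it next to the ciphertext.
new_iv()      { openssl rand -hex 16; }
cbc_encrypt() { openssl enc -aes-128-cbc -e -K "$1" -iv "$2" -base64 -A; }  # $1 = hex key, $2 = hex IV
cbc_decrypt() { openssl enc -aes-128-cbc -d -K "$1" -iv "$2" -base64 -A; }

# Why ECB is weak: encrypt four identical 16-byte blocks and count the distinct
# 16-byte ciphertext blocks. ECB gives 2 (one block repeated four times + the PKCS#7
# padding block); CBC gives 5 because every block is chained to the one before it.
BLOCK=AAAAAAAAAAAAAAAA
FOUR_BLOCKS="$BLOCK$BLOCK$BLOCK$BLOCK"
distinct_blocks() {   # $1 = ecb|cbc, $2 = hex key, $3 = hex IV (cbc only)
    if [ "$1" = ecb ]; then
        printf '%s' "$FOUR_BLOCKS" | openssl enc -aes-128-ecb -e -K "$2"
    else
        printf '%s' "$FOUR_BLOCKS" | openssl enc -aes-128-cbc -e -K "$2" -iv "$3"
    fi | od -A n -t x1 -v | sort -u | wc -l | tr -d ' '
}

# Walk the memo's flow with the stand-in key.
DATA_KEY_B64=$(openssl rand -base64 16)     # stands in for .Plaintext from KMS (constructed)
KEY_HEX=$(b64_to_hex "$DATA_KEY_B64")
CT=$(printf '%s' 'secret config value' | ecb_encrypt "$KEY_HEX")
echo "ecb ciphertext: $CT"
echo "ecb round trip: $(printf '%s' "$CT" | ecb_decrypt "$KEY_HEX")"
echo "distinct blocks, ecb: $(distinct_blocks ecb "$KEY_HEX")  cbc: $(distinct_blocks cbc "$KEY_HEX" "$(new_iv)")"
# The AWS documentation says to drop the plaintext data key as soon as you are done with it.
unset KEY_HEX DATA_KEY_B64
```

With the real service, DATA_KEY_B64 is the Plaintext field from generate-data-key and the CiphertextBlob is what you keep on disk. If you switch to the CBC variant, the Java side has to be told the IV as well (Cipher.getInstance("AES/CBC/PKCS5Padding") with an IvParameterSpec), so store the IV alongside the ciphertext.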