Bobcares

AWS KMS key error “InvalidCiphertext”

Stuck with AWS KMS key error “InvalidCiphertext”? We can help you.

Recently, one of our customers created an AWS KMS key with the key material origin set to External, chose RSAES_OAEP_SHA_256 as the wrapping algorithm, and used OpenSSL to encrypt the key material with the wrapping key.

However, the import request failed with the error “InvalidCiphertext”.

Here at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how to avoid this import error.

 

AWS KMS key error InvalidCiphertext

By default, OpenSSL's OAEP padding uses the SHA-1 hash function, whereas the RSAES_OAEP_SHA_256 wrapping algorithm expects SHA-256. KMS cannot unwrap key material padded with a different digest, so the import is rejected as InvalidCiphertext.

Below, our Support Techs walk through the procedure to import key material into AWS KMS using OpenSSL and RSAES_OAEP_SHA_256.

 

  • Create a KMS key using External for the key material origin

We run the following AWS CLI commands to create a KMS key for external key material.

In addition, we need to make sure we use the most recent version of the AWS CLI.

export REGION=us-east-1
export KEY_ALIAS=kms_key_with_externalmaterial
export KEY_ID=$(aws kms create-key --region $REGION --origin EXTERNAL --description $KEY_ALIAS --query KeyMetadata.KeyId --output text)
aws kms --region $REGION create-alias --alias-name alias/$KEY_ALIAS --target-key-id $KEY_ID

Note that we have to replace the REGION and KEY_ALIAS values with appropriate details.

Until we import the key material, the new KMS key's status will be PendingImport.

To view the status, we can run:

aws kms --region $REGION describe-key --key-id $KEY_ID

 

  • Download the wrapping (public) key and the import token

To get the PublicKey (wrapping key) and ImportToken values, we run the following AWS CLI commands.

Then we decode both values using base64 and store them in separate files.

The RSAES_OAEP_SHA_256 wrapping algorithm is specified in the get-parameters-for-import command. Both values must come from the same call, because the import token is bound to that particular wrapping key.

export KEY_PARAMETERS=$(aws kms --region $REGION get-parameters-for-import --key-id $KEY_ID --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --query '[PublicKey,ImportToken]' --output text)
echo "$KEY_PARAMETERS" | cut -f1 | base64 --decode > PublicKey.bin
echo "$KEY_PARAMETERS" | cut -f2 | base64 --decode > ImportToken.bin

With --query and --output text, the two base64 values are printed tab-separated on one line, so cut selects each field regardless of the CLI's configured output format. The commands store the wrapping key in PublicKey.bin and the import token in ImportToken.bin.

 

  • Generate a 256-bit symmetric key

The key material for a symmetric KMS key is a 256-bit (32-byte) random key.

To generate the key, we run one of the following commands:

OpenSSL:

openssl rand -out PlaintextKeyMaterial.bin 32

Or, dd:

dd if=/dev/urandom of=PlaintextKeyMaterial.bin bs=32 count=1

 

  • Verify that the OpenSSL version supports openssl pkeyutl

We use the openssl pkeyutl command to encrypt the key material with RSAES_OAEP_SHA_256 as the wrapping algorithm.

For an RHEL-based Linux computer, our Support Techs recommend the steps below:

1. First, we check the OpenSSL version:

openssl version

2. Then, to update OpenSSL, we run:

sudo yum -y update openssl

For a macOS, we recommend these steps:

1. First, we run the following Homebrew commands.

brew update
brew upgrade openssl
brew info openssl

2. The last command shows that OpenSSL is installed in /usr/local/opt/openssl/bin/.

To confirm this, we run:

/usr/local/opt/openssl/bin/openssl version

3. To make the shell pick up the most recent OpenSSL version, we edit ~/.bash_profile and add the following line at the end of the file:

export PATH="/usr/local/opt/openssl/bin:$PATH"

4. Once done, we run the following command:

source ~/.bash_profile

5. To verify the change in the macOS environment, we run:

echo $PATH
openssl version

 

  • Encrypt the key material with the wrapping key

To encrypt the key material with the wrapping key using the most recent version of OpenSSL, we run the command below. The rsa_oaep_md:sha256 option is what selects SHA-256 for the OAEP padding instead of OpenSSL's SHA-1 default, and it also sets the MGF1 digest to SHA-256 to match RSAES_OAEP_SHA_256:

openssl pkeyutl -in PlaintextKeyMaterial.bin -out EncryptedKeyMaterial.bin -inkey PublicKey.bin -keyform DER \
-pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

As a result, the command generates EncryptedKeyMaterial.bin. We import this file as the encrypted key material into KMS.

The wrapping key is the one we stored earlier in PublicKey.bin.
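The following script is an added example (it is not from the original post, nor from AWS or OpenSSL documentation) that reproduces the failure locally, so the cause can be checked without touching KMS. It generates its own RSA-2048 key pair to stand in for the KMS wrapping key (in reality the private half never leaves KMS), exports the public half as DER the way get-parameters-for-import returns it, wraps a 32-byte key once with OpenSSL's default OAEP digest and once with rsa_oaep_md:sha256, and then unwraps each the way RSAES_OAEP_SHA_256 requires. The SHA-1-wrapped blob is rejected, which is the local equivalent of KMS returning InvalidCiphertext; the SHA-256 one round-trips. All file names and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the OAEP digest mismatch
# behind InvalidCiphertext with a local RSA key pair standing in for the KMS wrapping key.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for KMS: generate the wrapping key pair and export the public half as
# DER (SubjectPublicKeyInfo), the same form get-parameters-for-import returns.
# Also generate 32 bytes of key material, as the article does.
gen_wrapping_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/WrappingPrivate.pem" 2>/dev/null
  openssl pkey -in "$WORK/WrappingPrivate.pem" -pubout -outform DER \
    -out "$WORK/PublicKey.bin"
  openssl rand -out "$WORK/PlaintextKeyMaterial.bin" 32
}

# wrap_key_material <digest|default> <outfile>
# "default" leaves the OAEP digest unset (SHA-1 in OpenSSL); anything else is
# passed as rsa_oaep_md, which also makes the MGF1 digest match it.
wrap_key_material() {
  md="$1"; out="$2"
  set -- -in "$WORK/PlaintextKeyMaterial.bin" -out "$out" \
         -inkey "$WORK/PublicKey.bin" -keyform DER -pubin -encrypt \
         -pkeyopt rsa_padding_mode:oaep
  if [ "$md" != default ]; then
    set -- "$@" -pkeyopt "rsa_oaep_md:$md"
  fi
  openssl pkeyutl "$@"
}

# unwrap_as_kms <wrapped-file>
# KMS unwraps RSAES_OAEP_SHA_256 material with SHA-256 OAEP and nothing else.
# Returns 0 only if decryption succeeds and recovers the original key material.
unwrap_as_kms() {
  openssl pkeyutl -in "$1" -out "$WORK/Recovered.bin" \
    -inkey "$WORK/WrappingPrivate.pem" -decrypt \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 2>/dev/null \
  && cmp -s "$WORK/Recovered.bin" "$WORK/PlaintextKeyMaterial.bin"
}

# Demonstration: the default digest is rejected, sha256 round-trips.
gen_wrapping_key
wrap_key_material default "$WORK/Wrapped-default.bin"
if unwrap_as_kms "$WORK/Wrapped-default.bin"; then
  echo "default OAEP digest: accepted (unexpected)"
else
  echo "default OAEP digest (SHA-1): rejected, the InvalidCiphertext case"
fi
wrap_key_material sha256 "$WORK/Wrapped-sha256.bin"
if unwrap_as_kms "$WORK/Wrapped-sha256.bin"; then
  echo "rsa_oaep_md:sha256: accepted, key material recovered"
else
  echo "rsa_oaep_md:sha256: rejected (unexpected)"
fi
```

Run it as-is on any machine with a pkeyutl-capable OpenSSL. Because the unwrap side is fixed to SHA-256 exactly as KMS is, the script doubles as a pre-flight check: if a blob produced by your real encrypt command fails unwrap_as_kms against a local key generated the same way, KMS will reject it too.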

 

  • Import the encrypted key material

To import the encrypted key material into the KMS key, we run:

aws kms --region $REGION import-key-material --key-id $KEY_ID --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

Once done, the key's status changes to Enabled.

We can confirm the key's status via:

aws kms --region $REGION describe-key --key-id $KEY_ID


 

Conclusion

In short, we saw how our Support Techs fix the AWS KMS key error InvalidCiphertext by selecting SHA-256 for OAEP padding when wrapping the key material.
