Stuck with AWS KMS key error “InvalidCiphertext”? We can help you.

Recently, one of our customers in AWS KMS specified the KMS key material origin as external, RSAES_OAEP_SHA_256 as the algorithm for the wrapping key, and used OpenSSL to encrypt the key material with the wrapping key.

However, during the import, the request fails, and results in, “InvalidCiphertext”.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how we can avoid this import error.

AWS KMS key error InvalidCiphertext

By default, OpenSSL uses the SHA-1 hash function.

Moving ahead, our Support Techs discuss the procedure to import key material into AWS KMS using OpenSSL and RSAES_OAEP_SHA_256.

• Create a KMS key using External for the key material origin

We run the following AWS CLI commands to create a KMS for external key material.

In addition, we need to make sure we use the most recent version of the AWS CLI.

export REGION=us-east-1
export KEY_ALIAS=kms_key_with_externalmaterial
export KEY_ID=`aws kms create-key --region $REGION --origin EXTERNAL --description $KEY_ALIAS --query KeyMetadata.KeyId --output text`
aws kms --region $REGION create-alias --alias-name alias/$KEY_ALIAS --target-key-id $KEY_

Note that, we have to replace the export REGION and export KEY_ALIAS values with appropriate details.

Until we import the key material, the new KMS key status will be, Pending Import,

To view the status, we can run:

aws kms --region $REGION describe-key --key-id $KEY_ID

• Download the wrapping (public) key and the import token

To get the PublicKey (wrapping key) and ImportToken values, we run the following AWS CLI commands.

Then we decode both values using base64 and store them into separate files.

The RSAES_OAEP_SHA_256 wrapping algorithm is in the get-parameters-for-import command.

export KEY_PARAMETERS=`aws kms --region $REGION get-parameters-for-import --key-id $KEY_ID --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048`
echo $KEY_PARAMETERS | awk '{print $7}' | tr -d '",' | base64 --decode > PublicKey.bin
echo $KEY_PARAMETERS | awk '{print $5}' | tr -d '",' | base64 --decode > ImportToken.bin

They store the wrapping key in PublicKey.bin and the import token in ImportToken.bin.

• Generate a 256-bit symmetric key

Generally, the key material will be a 256-bit (32-byte) symmetric key.

In order to generate the key, we run one of the following commands:

OpenSSL:

openssl rand -out PlaintextKeyMaterial.bin 32

Or, dd:

dd if=/dev/urandom of=PlaintextKeyMaterial.bin bs=32 count=1

• Verify that the OpenSSL version supports openssl pkeyutl

We use the openssl pkeyutl command to encrypt the key material with RSAES_OAEP_SHA_256 as the wrapping algorithm.

For an RHEL-based Linux computer, our Support Techs recommend the steps below:

1. First, we check the OpenSSL version:

openssl version

2. Then to update OpenSSL, we run:

sudo yum –y update openssl

For a macOS, we recommend these steps:

1. Initially, we run the following Homebrew commands.

brew update
brew upgrade openssl
brew info openssl

2. The last command will result that OpenSSL is installed in /usr/local/opt/openssl/bin/.

To confirm this, we run:

/usr/local/opt/openssl/bin/openssl version

3. For the most recent OpenSSL version, we edit ~/.bash_profile and add the following line at the end of the file:

export PATH="/usr/local/opt/openssl/bin:$PATH"

4. Once done, we run the following command:

source ~/.bash_profile

5. To verify the change in the macOS environment, we run:

echo $PATH
openssl version

• Encrypt the key material with the wrapping key

To encrypt the key material using the most recent version of OpenSSL and the wrapping key, we run:

openssl pkeyutl -in PlaintextKeyMaterial.bin -out EncryptedKeyMaterial.bin -inkey PublicKey.bin -keyform DER \
-pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep

As a result, the command generates EncryptedKeyMaterial.bin. We import this value as the encrypted key material into the KMS.

Generally, we can find the wrapping key in PublicKey.bin.

• Import the encrypted key material

To import the encrypted key material into the KMS key, we run:

aws kms --region $REGION import-key-material --key-id $KEY_ID --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

Once done, the key’s status will change to Enabled.

We can ensure the key’s status via:

aws kms --region $REGION describe-key --key-id $KEY_ID

[Stuck in between? We’d be glad to assist you.]

Conclusion

In short, we saw how our Support Techs fix the AWS KMS key error.