About the decrypt of KMS

In the lecture of "AWS Key Management Service (KMS)", the decrypt command is as follows: "decrypt_passwd = kms.decrypt(CiphertextBlob=encrypt_passwd)". My question is why this process doesn't need the CMK (i.e. the "tempKey" used for encryption) for decryption?

  • Fernando M
    09-17-2018

    Hello @jli256! Great question!


    I actually wondered the same thing the first time I used this API call. KMS can actually take the ciphertext itself and figure out which key was used in the encryption process because the ciphertext includes metadata. It's kind of nice because it saves you a step and you don't have to pass in an additional parameter for the key name. The way I figured this out originally was by reading the API operation on the boto3 documentation and seeing a little sentence that says "The blob includes metadata".

    https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/kms.html#KMS.Client.decrypt
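To make that concrete, here is an added Python example (not code from the course or from boto3 itself). It uses a constructed FakeKms stand-in whose blob carries the key id and encryption context in a header, so it runs offline; the key ARNs, the encryption context and the XOR "cipher" are made up for illustration. It also goes one step beyond the answer: because Decrypt locates the key from the blob, a caller can pin the expected key by passing the optional KeyId (supported for symmetric keys) and checking the KeyId the response reports, rather than trusting the metadata alone.

```python
import json

# Constructed stand-in for boto3's KMS client (not the real service or SDK):
# the blob carries the key id and encryption context in a header, mimicking
# the metadata that lets the real Decrypt call locate the key by itself.
# The XOR "cipher" is a placeholder for KMS's opaque ciphertext format.
class FakeKms:
    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        header = json.dumps({"key": KeyId, "ctx": EncryptionContext or {}})
        body = bytes(b ^ 0x5A for b in Plaintext)
        return {"CiphertextBlob": header.encode() + b"\0" + body, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None, KeyId=None):
        header, body = CiphertextBlob.split(b"\0", 1)
        meta = json.loads(header)
        # Real KMS raises IncorrectKeyException / InvalidCiphertextException here.
        if KeyId is not None and KeyId != meta["key"]:
            raise ValueError("IncorrectKeyException")
        if (EncryptionContext or {}) != meta["ctx"]:
            raise ValueError("InvalidCiphertextException")
        return {"Plaintext": bytes(b ^ 0x5A for b in body), "KeyId": meta["key"]}


def encrypt_password(kms, key_id, password, context):
    """Encrypt directly under a KMS key; the key must be named here."""
    resp = kms.encrypt(KeyId=key_id, Plaintext=password.encode(),
                       EncryptionContext=context)
    return resp["CiphertextBlob"]


def decrypt_password(kms, blob, context, expected_key_arn):
    """Decrypt without strictly needing the key id, but pin it anyway.

    KMS reads the key from the blob's metadata, so KeyId is optional. Passing
    it (supported for symmetric keys) and checking the KeyId in the response,
    which the real service returns as the key ARN, rejects ciphertext that was
    produced under some other key the caller also happens to be allowed to use.
    """
    resp = kms.decrypt(CiphertextBlob=blob, EncryptionContext=context,
                       KeyId=expected_key_arn)
    if resp["KeyId"] != expected_key_arn:
        raise RuntimeError("ciphertext was encrypted under an unexpected key")
    return resp["Plaintext"].decode()
```

Against the real service, replace FakeKms() with boto3.client("kms") and pass the key's ARN as expected_key_arn; the two helper functions need no other change.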

  • jli256
    09-18-2018

    Hi Fernando, I really enjoy your lecture! Thank you so much for the explanation, I'll go through it in more detail :-)

  • Fernando M
    09-18-2018

    Thanks @jli256! Glad you're enjoying it so far :D
