aws kms - AWS KMS Decrypt Error Credstash

My AWS account is in the us-west-2 region, and the KMS key created in that account has the ARN arn:aws:kms:us-east-1::key/. In my Node module, I am using Credstash to decrypt the key, which is encrypted using the KMS key.

    var Credstash = require('nodecredstash'); // assumed package name; the question does not name it
    var credstash = new Credstash({
      'table': 'tablename',
      'awsOpts': { 'region': 'region' }
    });
    let secret = credstash.getSecret({ name: 'keyname' }).then(result => {
      console.log(result);
    });

I am getting the exception below.

"The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not all...

aws kms - Obtaining Data Keys using some KMS region master keys and then adding two more regions to get the same Data Key encrypted

I am generating a data encryption key implicitly as follows (key IDs used are just representational):

    from aws_encryption_sdk import encrypt, KMSMasterKeyProvider

    # Key provider with only 2 region master keys to begin with
    kms_key_provider = KMSMasterKeyProvider(key_ids=["west-1", "west-2"])

    # encrypt something random only to get the encrypted data keys in the header from those 2 regions
    my_ciphertext, encryptor_header = encrypt(
        source="somerandomplaintextofnorelevance",
        key_provider=kms_key_provider,
        # algorithm argument omitted: the SDK's default algorithm suite is used
        encryption_context={"some...
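The two questions above turn on the same fact: a KMS-wrapped data key can only be unwrapped by KMS in the region named in the wrapping key's ARN, and an AWS Encryption SDK message carries one encrypted data key (EDK) per master key it was encrypted under. The following is an added example, not code from either question or from the AWS SDK: it parses the EDK list out of a message header in the SDK's published message format (version 1), reports which regions can unwrap it, and adds the pre-flight region check that would flag the Credstash mismatch (where the ARN to check is the KMS key ARN itself). The ARNs, account id, key ids and the header bytes are all constructed here for the example.

```python
"""Added example: which KMS regions can unwrap an AWS Encryption SDK message.

Stand-alone and offline. The header is a fixture built here in the SDK's published
message format (version 1); ARNs, account id and key ids are made up.
"""
import struct
from typing import List, Tuple

# Constructed KMS key ARNs (account id and key ids are invented for the example).
WEST1_KEY = "arn:aws:kms:us-west-1:111122223333:key/11111111-1111-1111-1111-111111111111"
WEST2_KEY = "arn:aws:kms:us-west-2:111122223333:key/22222222-2222-2222-2222-222222222222"


def region_of_kms_arn(arn: str) -> str:
    """Region field of a KMS key ARN, arn:aws:kms:REGION:ACCOUNT:key/ID.
    A ciphertext wrapped under this key can only be unwrapped by KMS in that region."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms" or not parts[3]:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return parts[3]


def check_client_region(configured_region: str, key_arn: str) -> str:
    """Pre-flight check before calling Decrypt: the client must target the key's region.
    Returns the key's region; raises with an actionable message on a mismatch."""
    key_region = region_of_kms_arn(key_arn)
    if configured_region != key_region:
        raise ValueError(
            f"KMS client is configured for {configured_region} but the key lives in "
            f"{key_region}; KMS in {configured_region} will report the key as not existing"
        )
    return key_region


def _u16(n: int) -> bytes:
    return struct.pack(">H", n)


def build_header(edk_arns: List[str], wrapped_keys: List[bytes]) -> bytes:
    """Test fixture: a v1 header carrying one 'aws-kms' EDK per ARN (not SDK code)."""
    hdr = bytearray()
    hdr += b"\x01"                            # version 1
    hdr += b"\x80"                            # type: customer authenticated encrypted data
    hdr += _u16(0x0378)                       # algorithm id: AES-256-GCM, HKDF-SHA384, ECDSA-P384
    hdr += b"\x00" * 16                       # message id
    aad = _u16(1) + _u16(4) + b"some" + _u16(5) + b"thing"   # one encryption-context pair
    hdr += _u16(len(aad)) + aad
    hdr += _u16(len(edk_arns))                # encrypted data key count
    for arn, wrapped in zip(edk_arns, wrapped_keys):
        hdr += _u16(7) + b"aws-kms"           # key provider id
        info = arn.encode()
        hdr += _u16(len(info)) + info         # key provider info = KMS key ARN
        hdr += _u16(len(wrapped)) + wrapped   # data key as returned by KMS Encrypt
    hdr += b"\x02"                            # content type: framed
    hdr += b"\x00" * 4                        # reserved
    hdr += b"\x0c"                            # IV length 12
    hdr += struct.pack(">I", 4096)            # frame length
    hdr += b"\x00" * 12 + b"\x00" * 16        # header auth (IV + tag), zeroed in this fixture
    return bytes(hdr)


def parse_edks(header: bytes) -> List[Tuple[str, str, bytes]]:
    """[(provider_id, provider_info, encrypted_data_key), ...] from a v1 header."""
    if header[0] != 0x01:
        raise ValueError("only message format version 1 is handled here")
    pos = 1 + 1 + 2 + 16                      # version, type, algorithm id, message id
    (aad_len,) = struct.unpack_from(">H", header, pos)
    pos += 2 + aad_len
    (count,) = struct.unpack_from(">H", header, pos)
    pos += 2
    edks = []
    for _ in range(count):
        fields = []
        for _field in range(3):               # provider id, provider info, EDK
            (n,) = struct.unpack_from(">H", header, pos)
            pos += 2
            fields.append(header[pos:pos + n])
            pos += n
        edks.append((fields[0].decode(), fields[1].decode(), bytes(fields[2])))
    return edks


def decryptable_regions(header: bytes) -> List[str]:
    """Regions whose KMS endpoint can unwrap at least one EDK in this header."""
    regions: List[str] = []
    for provider_id, info, _ in parse_edks(header):
        if provider_id == "aws-kms" and region_of_kms_arn(info) not in regions:
            regions.append(region_of_kms_arn(info))
    return regions


if __name__ == "__main__":
    hdr = build_header([WEST1_KEY, WEST2_KEY], [b"\xaa" * 32, b"\xbb" * 32])
    print(decryptable_regions(hdr))           # ['us-west-1', 'us-west-2']
    check_client_region("us-west-2", WEST2_KEY)
```

Two caveats follow from the format. The header authentication tag covers the header, EDK list included, so EDKs for additional regions cannot be appended to an existing message: to make the same data key unwrappable in more regions, encrypt again with a master key provider that lists every region's key, and the SDK emits one EDK per key in the new header. And the provider info is a full ARN, so a client configured for one region that is handed an EDK wrapped in another will fail with exactly the "does not exist in this region" message quoted in the Credstash question; the check above catches that before the Decrypt call is made.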

aws kms - AWS KMS storing customer master key

I know I'm missing something here, but I'm struggling to understand the customer master key concept in AWS KMS. Below is the sample code.

Code to create the master key:

    CreateKeyRequest req = new CreateKeyRequest();
    CreateKeyResult result = kmsClient.createKey(req);
    String customerMasterKey = result.getKeyMetadata().getKeyId();

Code to create a data key using the customer master key:

    GenerateDataKeyRequest dataKeyRequest = new GenerateDataKeyRequest();
    dataKeyRequest.setKeyId(customerMasterKey);
    dataKeyRequest.setKeySpec("AES_128");
    GenerateDataKeyResult dataKe...

aws kms - aws-encryption-cli: How to decrypt when a profile was set during encryption?

I have a key in KMS that I want to use for decrypting in a shell script. I have installed aws-encryption-cli (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/crypto-cli.html). The hello world example works fine in my development environment, where I have created a KMS key (its ARN is stored in the variable $dev_key_arn).

    > echo 'Hello World' | aws-encryption-cli --encrypt --master-keys key=$dev_key_arn --input - --output - --encode -S | aws-encryption-cli --decrypt --input - --output - --decode -S
    Hello World

I also have a pro...