How do I resolve the "InvalidCiphertext" error when I try to use OpenSSL to import my key into AWS KMS?

4 minute read

I used OpenSSL to import my encrypted key material into AWS Key Management Service (AWS KMS). However, the request failed, and I received the "InvalidCiphertext" error.

Short description

By default, OpenSSL uses the SHA-1 hash function (RSAES_OAEP_SHA_256 algorithm).

To avoid import errors when you use the RSAES_OAEP_SHA_256 algorithm, use OpenSSL to encrypt your key material. Run the openssl pkeyutl command, and specify the parameters -pkeyopt rsa_padding_mode:oaep and -pkeyopt rsa_oaep_md:sha256.


Use "external" for the key material origin to create an AWS KMS key

If you receive errors when you run AWS Command Line Interface AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Run the create-key and create-alias AWS CLI commands to create an AWS KMS for external key material:

export REGION=example-region-1export KEY_ALIAS=kms_key_with_externalmaterial
export KEY_ID=`aws kms create-key --region $REGION --origin EXTERNAL --description $KEY_ALIAS --query KeyMetadata.KeyId --output text`
aws kms --region $REGION create-alias --alias-name alias/$KEY_ALIAS --target-key-id $KEY_ID

Note: Replace the example-region-1 and kms_key_with_externalmaterial with your key's values.

Until you import the key material, the AWS KMS key status remains in Pending Import. Run the following command to view the key's status:

aws kms --region $REGION describe-key --key-id $KEY_ID

Download the wrapping public key and the import token

Run the get-parameters-for-import AWS CLI command to get the PublicKey and ImportToken values:

export KEY_PARAMETERS=`aws kms --region $REGION get-parameters-for-import --key-id $KEY_ID --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048`echo $KEY_PARAMETERS | awk '{print $7}' | tr -d '",' | base64 --decode > PublicKey.bin
echo $KEY_PARAMETERS | awk '{print $5}' | tr -d '",' | base64 --decode > ImportToken.bin

Use base64 to decode both values, and then store these values in separate files.

The wrapping public key is stored in PublicKey.bin and the import token is stored in ImportToken.bin.

Generate a 256-bit symmetric key

The key material must be a 256-bit (32-byte) symmetric key. Run one of the following commands to generate the key:


openssl rand -out PlaintextKeyMaterial.bin 32



dd if=/dev/urandom of=PlaintextKeyMaterial.bin bs=32 count=1

Verify that your OpenSSL version supports openssl pkeyutl

Important: The pkeyutl command is available only on OpenSSL version 1.0.2 and later versions.

If you use a Red Hat Enterprise Linux (RHEL) based Linux computer, such as an instance launched with an Amazon Linux Amazon Machine Image (AMI), then complete the following these steps:

  1. Run the following command to check your OpenSSL version:

    openssl version
  2. To update OpenSSL, run the following command:

    sudo yum -y update openssl

If you use macOS, then complete the following these steps:

  1. Run the following Homebrew commands:

    brew updatebrew upgrade openssl
    brew info openssl

    Note: The info openssl command shows you that OpenSSL is installed in /usr/local/opt/openssl/bin/.

  2. Run the following command to confirm the OpenSSL version:

    /usr/local/opt/openssl/bin/openssl version
  3. To always use the most recent OpenSSL version, add the following line at the end of ~/.bash_profile:

    export PATH="/usr/local/opt/openssl/bin:$PATH"
  4. Run the following command:

    source ~/.bash_profile
  5. To verify the change in your macOS environment, run the following command:

    echo $PATHopenssl version

Encrypt your key material with the wrapping public key

To use the most recent version of OpenSSL and the wrapping public key to encrypt your key material, run the openssl pkeyutl command:

openssl pkeyutl -in PlaintextKeyMaterial.bin -out EncryptedKeyMaterial.bin -inkey PublicKey.bin -keyform DER \            -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

The command generates EncryptedKeyMaterial.bin. Import this value as the encrypted key material into the AWS KMS key.

Note: The wrapping pubic key is stored in PublicKey.bin.

Import your encrypted key material

Complete the following steps:

  1. Run the import-key-material AWS CLI command to import the encrypted key material into the AWS KMS key:

    aws kms --region $REGION import-key-material --key-id $KEY_ID --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

    Note: After the import completes, the key's status changes to Enabled.

  2. Run the describe-key AWS CLI command to verify the key's status:

    aws kms --region $REGION describe-key --key-id $KEY_ID
AWS OFFICIALUpdated a month ago