By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

ImportKeyMaterial request failed - InvalidCiphertextException

0

Hi,

I have encrypted a symmetric key by the downloaded wrappingKey, then upload the encrypted symmetric key with the importToken. Then it returns the error: ImportKeyMaterial request failed - InvalidCiphertextException.

After having some research in the internet, it is suggested to use "openssl rand -out symmetric.key 32", but the symmetric key I generated is using "openssl rand -base64 32 > symmetric.key; openssl rand -base64 16 >> symmetric.key". I can successfully import the key generated by the suggested command. Below is my enquiry

  1. is it not possible for me to upload a key generated by "openssl rand -base64 32 > symmetric.key; openssl rand -base64 16 >> symmetric.key"?
  2. Is there any guideline on symmetric key generation?

Thanks and Regards, KTMo

Topics
Security, Identity, & Compliance
Tags
AWS Key Management Service
Language
English
hkex-ktmo
asked 2 years ago1080 views
1 Answer
0

Hi,

I understand that you are receiving an error ”InvalidCiphertextException” when trying to import a key generated from the command “openssl rand -base64 32 > symmetric.key; openssl rand -base64 16 >> symmetric.key” .

In regards to your first question this would not be possible to use the command listed. You would need to ensure that the key material is a 256-bit symmetric key and the file size of the encrypted key material is 32 bytes. I am attaching the following documentation that goes over the error here (1).

For a guideline on symmetric key generation I am attaching the following documentation that has a step by step walk-through of how to create and import key material in AWS KMS (2). Lastly I am attaching the following that goes over the certain considerations when deciding to import key material into AWS KMS (3).

Let us know if you need any further information! I hope you have a great rest of your day!

References

(1) https://aws.amazon.com/premiumsupport/knowledge-center/invalidciphertext-kms/

(2) https://aws.amazon.com/premiumsupport/knowledge-center/import-keys-kms/

(3) https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-considerations

AWS
SUPPORT ENGINEER
Patrick_V
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content