
Use AWS Key ID on decryption

Status: Open. neilvcarvalho opened this issue 1 year ago · 0 comments

During decryption operations, when AWS KMS does not receive a key ID, AWS fetches it from the metadata it adds to the symmetric ciphertext blob. That means that KeyId is only required when using asymmetric keys. However, AWS recommends you always provide it:

> However, it is always recommended as a best practice. This practice ensures that you use the KMS key that you intend.

This PR adds the `key_id` argument to AWS KMS decryptions.

In the use case I'm working on, each account has an AWS KMS key id/ARN saved to the database, and the data is encrypted and decrypted using this key. By definition, the server has access to all keys, so one account could decrypt data from another account if presented. Passing in the key ID adds another layer of protection against this potential bug.

neilvcarvalho · Aug 19 '24 14:08
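To make the cross-account argument above concrete, here is an added Ruby illustration that is not part of this PR, of active_kms, or of the AWS SDK: a small in-process model (`FakeKms`, constructed for this example, with constructed key ARNs) whose symmetric ciphertext blobs carry the encrypting key ID as metadata, so that a decrypt without `key_id` succeeds from any account's code path while a decrypt with the wrong account's `key_id` is refused.

```ruby
# Added illustration, not active_kms or AWS code: an in-process model of a KMS whose
# symmetric ciphertext blobs carry the encrypting key ID as metadata, showing why passing
# key_id on decrypt turns a cross-account mix-up into an error instead of a silent success.
require "openssl"
require "json"

class FakeKms
  class IncorrectKeyError < StandardError; end
  # keys: { "arn-like key id" => 32-byte AES key }; hypothetical stand-in for real KMS keys
  def initialize(keys)
    @keys = keys
  end
  # Like the real service, the blob embeds the key ID next to the ciphertext.
  def encrypt(key_id:, plaintext:)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @keys.fetch(key_id)
    iv = cipher.random_iv
    ct = cipher.update(plaintext) + cipher.final
    JSON.generate(key_id: key_id, iv: [iv].pack("m0"), ct: [ct].pack("m0"), tag: [cipher.auth_tag].pack("m0"))
  end
  # No key_id: the key is read from the blob metadata. With key_id: a mismatch is refused
  # before any key material is touched (modelled here; the real service rejects it as well).
  def decrypt(ciphertext_blob:, key_id: nil)
    meta = JSON.parse(ciphertext_blob)
    embedded = meta.fetch("key_id")
    raise IncorrectKeyError, "blob uses #{embedded}, not #{key_id}" if key_id && key_id != embedded
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @keys.fetch(embedded)
    cipher.iv = meta["iv"].unpack1("m0")
    cipher.auth_tag = meta["tag"].unpack1("m0")
    cipher.update(meta["ct"].unpack1("m0")) + cipher.final
  end
end

# Constructed two-account scenario: each account stores its own key ID beside its rows.
KEY_A = "arn:aws:kms:us-east-1:111111111111:key/account-a" # constructed, not a real ARN
KEY_B = "arn:aws:kms:us-east-1:111111111111:key/account-b" # constructed, not a real ARN

def cross_account_demo
  kms = FakeKms.new(KEY_A => OpenSSL::Random.random_bytes(32), KEY_B => OpenSSL::Random.random_bytes(32))
  blob_a = kms.encrypt(key_id: KEY_A, plaintext: "account A secret")
  without_key_id = kms.decrypt(ciphertext_blob: blob_a)             # succeeds even from account B's code path
  with_key_id = kms.decrypt(ciphertext_blob: blob_a, key_id: KEY_A)  # intended key: succeeds
  wrong_account_rejected = begin
    kms.decrypt(ciphertext_blob: blob_a, key_id: KEY_B)              # account B's key ID: refused
    false
  rescue FakeKms::IncorrectKeyError
    true
  end
  { without_key_id: without_key_id, with_key_id: with_key_id, wrong_account_rejected: wrong_account_rejected }
end
```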