0

I'm encrypting a file using the AWS Encryption CLI using a command like so:

aws-encryption-cli --encrypt --input test.mp4 --master-keys key=arn:aws:kms:us-west-2:123456789012:key/exmaple-key-id --output . --metadata-output -

From the output of the command, I can clearly see that it's using an Initialization Vector (IV) of strength 12, which is great, but how do I actually view the IV? In order to pass the encrypted file to another service, like AWS Elastic Transcoder, where it'll do the decryption itself, I need to actually know what the IV was that was used for encrypting the file.

{
    "header": {
        "algorithm": "AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384",
        "content_type": 2,
        "encrypted_data_keys": [{
            "encrypted_data_key": "...............",
            "key_provider": {
                "key_info": "............",
                "provider_id": "..........."
            }
        }],
        "encryption_context": {
            "aws-crypto-public-key": "..............."
        },
        "frame_length": 4096,
        "header_iv_length": 12,
        "message_id": "..........",
        "type": 128,
        "version": "1.0"
    },
    "input": "/home/test.mp4",
    "mode": "encrypt",
    "output": "/home/test.mp4.encrypted"
}
4

1 Answer

3

Unfortunately, you won't be able to use the AWS Encryption SDK CLI to encrypt data for Amazon Elastic Transcoder's consumption.

One of the primary benefits of the AWS Encryption SDK is the message format[1], which packages all necessary information about the encrypted message into a binary blob and provides a more scalable way of handling large messages. Extracting the data primitives from that blob is not recommended, and even if you did, they may or may not be directly compatible with another system, depending on how you used the AWS Encryption SDK and what that other system expects.

In the case of Elastic Transcoder, they expect the raw ciphertext encrypted using the specified AES mode[2]. This is not compatible with the AWS Encryption SDK format.

[1] https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html

[2] https://docs.aws.amazon.com/elastictranscoder/latest/developerguide/create-job.html#create-job-request-inputs-encryption

Answered 2018-02-20T23:30:24.430
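
As an added example (not part of the original answer, and not AWS's code), this Python parser walks a constructed message laid out per version 1 of the message format documented in [1]. It shows that a framed message carries one header-authentication IV plus a separate IV for every frame, so there is no single IV to hand to another service. The sample bytes are placeholders and the function names are assumptions.

```python
import struct

def build_sample(frame_length=8):
    """Constructed v1 message: placeholder bytes only, no real key or ciphertext."""
    edk = b"".join(struct.pack(">H", len(f)) + f
                   for f in (b"aws-kms", b"key-info", b"\x00" * 16))
    header = (bytes([0x01, 0x80]) + struct.pack(">H", 0x0378)  # version, type, suite
              + b"\x11" * 16                         # message ID
              + struct.pack(">H", 0)                 # AAD length 0 (empty context)
              + struct.pack(">H", 1) + edk           # one encrypted data key
              + bytes([2]) + bytes(4) + bytes([12])  # framed, reserved, IV length
              + struct.pack(">I", frame_length)
              + b"\xA0" * 12 + b"\xEE" * 16)         # header-auth IV and tag
    frame1 = struct.pack(">I", 1) + b"\xA1" * 12 + b"C" * frame_length + b"\xEE" * 16
    final = (struct.pack(">II", 0xFFFFFFFF, 2) + b"\xA2" * 12
             + struct.pack(">I", 3) + b"CCC" + b"\xEE" * 16)
    return header + frame1 + final + struct.pack(">H", 4) + b"SIG!"  # footer

def parse(msg):
    """Walk a framed v1 message and collect every IV it carries."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(msg):
            raise ValueError("truncated message")
        pos += n
        return msg[pos - n:pos]
    def u16():
        return struct.unpack(">H", take(2))[0]
    version, mtype, suite = struct.unpack(">BBH", take(4))
    if (version, mtype) != (1, 0x80):
        raise ValueError("not a version 1 message")
    take(16)                       # message ID
    take(u16())                    # serialized encryption context
    for _ in range(u16() * 3):     # each data key: provider ID, key info, ciphertext
        take(u16())
    content_type, _, iv_len, frame_len = struct.unpack(">BIBI", take(10))
    if content_type != 2:
        raise ValueError("only framed bodies are handled")
    header_iv = take(iv_len)
    take(16)                       # header authentication tag
    frame_ivs = []
    while True:
        final = struct.unpack(">I", take(4))[0] == 0xFFFFFFFF
        if final:
            take(4)                # final frame repeats its real sequence number
        frame_ivs.append(take(iv_len))
        take(struct.unpack(">I", take(4))[0] if final else frame_len)
        take(16)                   # per-frame authentication tag
        if final:
            return {"suite": suite, "frame_length": frame_len,
                    "header_iv": header_iv, "frame_ivs": frame_ivs}
```

With the 4096-byte frame length shown in the question's metadata, a video file would produce thousands of such frames, each with its own IV and tag interleaved with the ciphertext.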