Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encrypt support #140

Open
edwardysun opened this issue Jul 31, 2024 · 4 comments
Open

Encrypt support #140

edwardysun opened this issue Jul 31, 2024 · 4 comments

Comments

@edwardysun
Copy link

I noticed that the kmstool-enclave-cli only supports a decrypt, genkey, and genrandom. Is there a reason why encrypt is not supported? I'd like to call a KMS encrypt operation on a plaintext inside the enclave. What is the best approach for doing that?

Thank you
@richardfan1126
Copy link
Contributor

Hi @edwardysun

The KMS encrypt action doesn't support attestation document. So we cannot implement it

https://docs.aws.amazon.com/enclaves/latest/user/kms.html

@edwardysun
Copy link
Author

I see. Would an alternate approach like this be valid?

  1. Generate a data key (using kmstool's genkey) - creating (Plaintext, Ciphertext) pair
  2. Encrypt the value I intend to keep secret with the Plaintext from above. Store this encrypted value and the Ciphertext from above. Do this encryption outside of KMS
  3. When I need to decrypt, call kmstool decrypt with Ciphertext from step 1 to receive Plaintext. Use this to decrypt the encrypted value in step 2

Feels like a bit of a workaround. Am I not considering something that would cause this approach to be insecure?

@richardfan1126
Copy link
Contributor

I see. Would an alternate approach like this be valid?

  1. Generate a data key (using kmstool's genkey) - creating (Plaintext, Ciphertext) pair
  2. Encrypt the value I intend to keep secret with the Plaintext from above. Store this encrypted value and the Ciphertext from above. Do this encryption outside of KMS
  3. When I need to decrypt, call kmstool decrypt with Ciphertext from step 1 to receive Plaintext. Use this to decrypt the encrypted value in step 2

Feels like a bit of a workaround. Am I not considering something that would cause this approach to be insecure?

@edwardysun Correct, this is actually what Genkey is intended to achieve.

Just make sure the "Plaintext" is properly discarded after the encryption

@edwardysun
Copy link
Author

Got it, thank you!

I just tried this out, but the cli appears to not be returning any response in stdout or stderr. I've verified the KMS key ID, region, credentials, and the access policy of the key contains kms:GenerateDataKey for the enclave. What scenario does the cli not return a response?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@edwardysun @richardfan1126