Provided encryption materials do not match information retrieved from the encrypted object #4699
Unanswered
StanislavKozlovsky asked this question in Q&A
Replies: 0 comments
Hi,
We encountered strange behavior while migrating the s3 encryption client to V2.
We were guided by the following - s3-encryption-migration.
Initial state and dependencies:
We have several buckets with encrypted client data. Two microservices work with these buckets.
Microservice A - puts it in s3 and then encrypts it.
Microservice B - takes it out of s3 and decrypts it.
We use Java 17 and Amazon s3 encryption client V1.
Microservice A configuration aka "writer":
<amazon.aws.api.version>1.11.587</amazon.aws.api.version>
fs.kms.cmkId=alias/prod-fs-user-uploads
Microservice B configuration aka "reader":
<amazon.aws.api.version>1.11.587</amazon.aws.api.version>
fs.kms.cmkId=alias/env-fs-user-uploads
When starting migration, the first thing we did: update dependency versions on both microservices.
from
<amazon.aws.api.version>1.11.587</amazon.aws.api.version>
to
<amazon.aws.api.version>1.11.837</amazon.aws.api.version>
with redeploy of course.
After that, we first updated the "reader" client to V2 in this way:
After that, we redeployed the reader microservice and started testing in the test environment.
According to the documentation, CryptoMode.AuthenticatedEncryption can read V1 and V2 encrypted objects, but we encountered a strange error for new encrypted files:
Provided encryption materials do not match information retrieved from the encrypted object
Although old historical files are decrypted correctly.
During the investigation we found that the error comes from ContentCryptoMaterial.validateMaterialsForDecrypt.
KMSMaterialsHandler.isValidV1Description(materials.getMaterialsDescription(), mergedMatDesc) returns false
Because it compares:
{"kms_cmk_id":"alias/env-fs-user-uploads"} with {kms_cmk_id=arn:aws:kms:eu-west-1:accountId:key/keyId}
As for old files, both keys are "alias/env-fs-user-uploads".
We tried a few manipulations with changing the configured cmk id (used the full ARN key and the keyId).
So if we leave the alias as it is, we can't decrypt new files, but if we use the full ARN key, then old files can't be decrypted without that error.
Could you please have a look and assist?
Since we did not find a similar problem on the forums, perhaps we missed something.
Thanks
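Before redeploying a reader, it helps to know which objects its configured cmk id would fail on. The following added Python audit (not code from this discussion or from the AWS SDK) applies the strict string comparison described above to each object's `x-amz-matdesc` metadata and separately checks whether the stored id and the configured id refer to the same key once aliases are resolved; the sample metadata, account id, key id and alias map are constructed here (in practice the mapping comes from kms:ListAliases).

```python
import json
import re

# Constructed sample metadata: the V1 writer stored the alias it was configured
# with, the V2 writer stored the resolved key ARN (values are placeholders).
SAMPLE_KEY_ARN = ("arn:aws:kms:eu-west-1:111122223333:key/"
                  "12345678-1234-1234-1234-123456789012")
SAMPLE_OBJECTS = {
    "uploads/old-file.bin": {
        "x-amz-matdesc": '{"kms_cmk_id":"alias/env-fs-user-uploads"}'},
    "uploads/new-file.bin": {
        "x-amz-matdesc": json.dumps({"kms_cmk_id": SAMPLE_KEY_ARN})},
}
# Assumed alias-to-ARN mapping; constructed to match the sample objects.
ALIAS_MAP = {"alias/env-fs-user-uploads": SAMPLE_KEY_ARN}

KEY_ARN_RE = re.compile(r"^arn:aws[\w-]*:kms:[\w-]+:\d{12}:key/[0-9a-f-]+$")


def stored_cmk_id(metadata):
    """Return the kms_cmk_id recorded in the object's materials description."""
    matdesc = json.loads(metadata.get("x-amz-matdesc", "{}"))
    return matdesc.get("kms_cmk_id")


def id_form(cmk_id):
    """Classify an id as alias, key ARN or bare key id."""
    if cmk_id is None:
        return "missing"
    if cmk_id.startswith("alias/"):
        return "alias"
    return "arn" if KEY_ARN_RE.match(cmk_id) else "key-id"


def audit(objects, configured_id, alias_map):
    """Per object: does the reader's configured id pass a strict string
    comparison against the stored id, and do both refer to the same key?"""
    resolved_conf = alias_map.get(configured_id, configured_id)
    report = {}
    for key, metadata in objects.items():
        stored = stored_cmk_id(metadata)
        report[key] = {
            "stored": stored,
            "form": id_form(stored),
            "strict_match": configured_id == stored,
            "same_key": alias_map.get(stored, stored) == resolved_conf,
        }
    return report
```

An object with `same_key` true but `strict_match` false is exactly the alias-versus-ARN case reported above: the reader and writer use the same key, yet the description check rejects it.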