AWS KMS - Store/Use Ciphertext Blob


I'm just getting myself set up with the AWS Key Management Service and am calling the method generateDataKey. The method is working and returning the CiphertextBlob and the Plaintext blob.

However, the blobs are formatted something like:

�g�'��w�i�<��a*\B4p 1IG

I'm using the API so, according to the docs, it is not encoded. I'm trying to understand if the Plaintext can somehow be "decoded" in PHP so I can store it / use it without all the odd-looking ASCII characters. What I was expecting was a long string of characters and not the special characters above. I feel like I'm missing something simple.

Thank you!

2

There are 2 answers

0
Keith Goodlip On

The answer is a binary blob. These will need to be base64 encoded so that you'll get the expected result.

Sample code follows:

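<?php
// Load the AWS SDK for PHP through Composer's autoloader.
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;

$options = [
    'region'                => 'eu-west-1',
    'version'               => '2014-11-01',
    'profile'               => 'default',
    'retries'               => 0,
    'scheme'                => 'https',
    'debug'                 => false
];

$kmsClient = new KmsClient($options);

// Request a 256-bit data key protected by the given KMS key.
$result = $kmsClient->generateDataKey([
    'KeyId' => '12345678-1234-1233-1234-1234567890ab',
    'KeySpec' => 'AES_256'
]);

// CiphertextBlob is raw binary; base64-encode it before printing or storing it as text.
echo base64_encode($result["CiphertextBlob"]);
echo "\r\n";
// KeyId comes back as text, so it needs no encoding.
echo ($result["KeyId"]);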
0
MikeW On

You will need to encode the blobs in base64 encoding in order to conform to the API.
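
An added example, not part of either answer above or of the AWS SDK: it shows the two blobs in use, with the binary Plaintext passed unencoded to AES-256-GCM and only the base64-encoded CiphertextBlob stored beside the data. The helper names `sealRecord` and `openRecord` are hypothetical, and the generateDataKey result and the KMS Decrypt call are replaced by constructed stand-ins so the script runs offline.

```php
<?php
// Added example. sealRecord()/openRecord() are hypothetical helpers; requires ext-openssl.

// Encrypt $data locally with the raw Plaintext key and return a text-safe record.
function sealRecord(string $plaintextKey, string $ciphertextBlob, string $data): string
{
    if (strlen($plaintextKey) !== 32) { // an AES_256 data key is 32 raw bytes
        throw new InvalidArgumentException('expected the 32-byte binary key, not an encoded copy');
    }
    $iv = random_bytes(12); // fresh 96-bit nonce for every GCM encryption
    $ct = openssl_encrypt($data, 'aes-256-gcm', $plaintextKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Only the KMS-encrypted key is persisted; the Plaintext key is never written out.
    return json_encode([
        'key'  => base64_encode($ciphertextBlob),
        'iv'   => base64_encode($iv),
        'tag'  => base64_encode($tag),
        'data' => base64_encode($ct),
    ]);
}

// Decode a stored record, recover the data key via $unwrapKey, then decrypt and verify.
function openRecord(string $record, callable $unwrapKey): string
{
    $fields = json_decode($record, true, 4, JSON_THROW_ON_ERROR);
    foreach (['key', 'iv', 'tag', 'data'] as $name) {
        $raw = base64_decode((string) ($fields[$name] ?? ''), true); // strict decoding
        if ($raw === false) {
            throw new RuntimeException("malformed field: $name");
        }
        $fields[$name] = $raw;
    }
    $key  = $unwrapKey($fields['key']); // binary blob in, binary key out
    $data = openssl_decrypt($fields['data'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $fields['iv'], $fields['tag']);
    if ($data === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered record');
    }
    return $data;
}

// Constructed stand-in for a generateDataKey result (random bytes, arbitrary blob length).
$result = ['Plaintext' => random_bytes(32), 'CiphertextBlob' => random_bytes(184)];
$stored = sealRecord($result['Plaintext'], $result['CiphertextBlob'], 'constructed sample secret');
// Stand-in for KMS Decrypt; with the SDK this would be
// fn ($blob) => $kmsClient->decrypt(['CiphertextBlob' => $blob])['Plaintext'].
$unwrap = fn (string $blob): string => $result['Plaintext'];
echo $stored, "\n", openRecord($stored, $unwrap), "\n";
```

The stored record contains only printable text, while the key handed to OpenSSL stays in its original binary form; base64 is applied for storage and display, never to the key used for encryption.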