I would like to decrypt a CSV dump of an Amazon Redshift table locally. I'm using the `unload` command and client-side encryption since the data contains sensitive information.

The command I am using is like this:
```
unload ('select * from testtable.test')
to 's3://unload'
credentials 'aws_access_key_id=<AWS_KEY_ID>;aws_secret_access_key=<AWS_SECRET_KEY_ID>;master_symmetric_key=<MASTER_KEY>'
delimiter as ','
addquotes
escape
encrypted
ALLOWOVERWRITE
```
To generate a master_key I used the following command:
```
openssl enc -aes-256-cbc -pass pass:<mypass> -P -nosalt -base64
```
This outputs:
```
key=....
iv =....
```
I used the key as the `master_symmetric_key`.

I copy the S3 data locally and try to decrypt it like this:
```
openssl enc -aes-256-cbc -d -nosalt -base64 -in 0000_part_00 -out temps.csv
```
But I get:

```
bad decrypt 6038:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex: wrong final block length:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/evp/evp_enc.c:323
```
How do I decrypt an Amazon Redshift CSV dump?
The key is stored as metadata and is available in `x-amz-meta-x-amz-key`, and the IV is stored as metadata and is available in `x-amz-meta-x-amz-iv`. From the Redshift documentation: When you get the S3 object you will also get these meta-data fields. Here are some examples of S3 GET Object: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
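
The answer above says where the wrapped key and IV are stored; the script below shows the two-step decryption those values feed into. It is an added example, not code from the question or the answer. It assumes the S3 client-side envelope scheme (a 32-byte data key wrapped with the base64 master key under AES-256-ECB, the part file encrypted under that data key with AES-256-CBC); the function names, the script name and `make_sample`, which builds constructed test data, are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed envelope layout:
#   x-amz-key = base64(AES-256-ECB under the master key of the 32-byte data key)
#   x-amz-iv  = base64(16-byte CBC IV)
#   part file = AES-256-CBC under the data key of the CSV
# The master key is assumed to be the base64 of 32 raw bytes.

b64_to_hex() {  # base64 string -> hex string, as openssl -K/-iv expect
    printf '%s' "$1" | openssl base64 -d -A | od -An -v -tx1 | tr -d ' \n'
}

# unwrap_data_key MASTER_B64 X_AMZ_KEY_B64 -> prints the data key as hex
unwrap_data_key() {
    tmp=$(mktemp) || return 1
    if printf '%s' "$2" | openssl base64 -d -A |
        openssl enc -d -aes-256-ecb -K "$(b64_to_hex "$1")" -out "$tmp" 2>/dev/null
    then key_hex=$(od -An -v -tx1 "$tmp" | tr -d ' \n')
    else key_hex=   # padding check failed: wrong master key or metadata
    fi
    rm -f "$tmp"
    [ "${#key_hex}" -eq 64 ] || { echo "cannot unwrap data key" >&2; return 1; }
    printf '%s\n' "$key_hex"
}

# decrypt_part MASTER_B64 X_AMZ_KEY_B64 X_AMZ_IV_B64 INFILE OUTFILE
decrypt_part() {
    data_key_hex=$(unwrap_data_key "$1" "$2") || return 1
    openssl enc -d -aes-256-cbc -K "$data_key_hex" -iv "$(b64_to_hex "$3")" \
        -in "$4" -out "$5"
}

# make_sample MASTER_B64 PLAINFILE ENCFILE -> prints "X_AMZ_KEY_B64 X_AMZ_IV_B64"
# Builds a constructed encrypted part in the assumed layout, for testing only.
make_sample() {
    dk_b64=$(openssl rand -base64 32); iv_b64=$(openssl rand -base64 16)
    openssl enc -aes-256-cbc -K "$(b64_to_hex "$dk_b64")" \
        -iv "$(b64_to_hex "$iv_b64")" -in "$2" -out "$3" || return 1
    key_b64=$(printf '%s' "$dk_b64" | openssl base64 -d -A |
        openssl enc -aes-256-ecb -K "$(b64_to_hex "$1")" | openssl base64 -A)
    printf '%s %s\n' "$key_b64" "$iv_b64"
}

# Hypothetical usage: sh decrypt_unload.sh MASTER KEY_META IV_META IN OUT
if [ "$#" -eq 5 ]; then decrypt_part "$@"; fi
```

`-K` puts the data key on the openssl command line, where other local users can read it from the process list, so run this on a host you control.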