Certified Security - Specialty


KMS Decrypt via ssh

If the Decrypt key is assigned to a role, and a user SSHes in to that instance and views the contents of that file, it will be seen in clear text. Is there a way to allow only the instance to see the decrypted contents?

Gavin Ni

For server-side encryption, e.g. EBS volume encryption, then it's true. If the data is encrypted before being sent to storage, then you will have to decrypt the data before you can see it.

2 Answers

Use the EBS service to encrypt your volume with a KMS key using the industry-standard AES-256 algorithm. Your data key is stored on-disk with your encrypted data, but not before EBS encrypts it with your CMK—it never appears there in plaintext. 

The EC2 Role and an API authentication with Access Key & Secret Access Key would allow decryption at the CLI on the machine if it had the CLI tools installed and the proper commands were issued. The SSH Key Pair alone would not. Be careful not to confuse Data plane key pairs (SSH & RDP) with Access Key / Secret Access Key Control Plane keys for the CLI and SDKs…

Source:  https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

The plaintext KMS data key for the EBS volume is stored in EC2 hypervisor memory, so it is invisible to users.
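The wrapped-data-key layout from the first answer and the in-memory-only plaintext key from the second, as an added Python model that is not from this thread: `ToyKms`, `seal`/`unseal` and the `role_has_kms_access` flag are hypothetical stand-ins (an HMAC-SHA256 keystream replaces AES-256), showing that reading the disk alone cannot recover the data while a KMS-authorised caller can.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for AES-256: HMAC-SHA256 keystream plus an HMAC tag. It only
# models the data flow on the page; it is not a production cipher.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, i = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext or tag tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ToyKms:
    """Hypothetical KMS stand-in: the CMK never leaves this object."""
    def __init__(self) -> None:
        self._cmk = secrets.token_bytes(32)

    def generate_data_key(self, role_has_kms_access: bool):
        """Return (plaintext data key, data key wrapped under the CMK)."""
        if not role_has_kms_access:
            raise PermissionError("kms:GenerateDataKey denied")
        dk = secrets.token_bytes(32)
        return dk, seal(self._cmk, dk)

    def decrypt(self, role_has_kms_access: bool, wrapped_key: bytes) -> bytes:
        if not role_has_kms_access:
            raise PermissionError("kms:Decrypt denied")
        return unseal(self._cmk, wrapped_key)

def write_volume(kms: ToyKms, data: bytes) -> dict:
    """What lands on disk: ciphertext plus the wrapped key, never the plaintext key."""
    dk, wrapped = kms.generate_data_key(role_has_kms_access=True)
    return {"wrapped_key": wrapped, "ciphertext": seal(dk, data)}

def read_volume(kms: ToyKms, disk: dict, role_has_kms_access: bool) -> bytes:
    """Unwrapping goes through KMS; disk access alone (what an SSH key gives) is not enough."""
    dk = kms.decrypt(role_has_kms_access, disk["wrapped_key"])  # plaintext key only in memory
    return unseal(dk, disk["ciphertext"])
```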
