Better error messaging when no keyring is found. #152
Comments
resolves aws#152 When attempting to decrypt a set of encrypted data keys, if any attempt is successful, then the entire operation should be considered successful. However if no data key can be obtained, and there were errors, these errors should be visible to the caller. An excellent example is attempting to decrypt with a KMS CMK alias arn. The KMS Keyring will be unable to decrypt, but was returning no error. This resulted the Error 'Unencrypted data key is invalid.' This is because the default CMM sees that the material does not have any unencrypted data key. A better error message would be the one from KMS in this case. Updating with tests both the KMS Keyrings, as well as the MultiKeyring.
resolves #152 When attempting to decrypt a set of encrypted data keys, if any attempt is successful, then the entire operation should be considered successful. However if no data key can be obtained, and there were errors, these errors should be visible to the caller. An excellent example is attempting to decrypt with a KMS CMK alias arn. The KMS Keyring will be unable to decrypt, but was returning no error. This resulted the Error 'Unencrypted data key is invalid.' This is because the default CMM sees that the material does not have any unencrypted data key. A better error message would be the one from KMS in this case. Updating with tests both the KMS Keyrings, as well as the MultiKeyring.
|
I was Googling for this error and ended up here. The message still doesn't tell me how to fix the error or provide a link for me to learn more. |
|
Thanks, that’s a good call out. If you are getting this “Unable to decrypt data key and one or more KMS CMKs had an error.” message in the latest version when trying to decrypt, let's reopen this and figure out what is going on. If you are not using KMS or are trying to build your own keyring can we open a new issue? Please include a description of what you’re calling and the error you’re seeing. |
|
Unfortunately I don't have the code to hand, but as I recall I was using the Node.js AWS SDK. Following along with the decrypt example given here. Although I am a beginner, so might have just been a code error on my part. |
|
@davidyell I opened #305 as a tracker for this generally. |
|
Likewise an example end to end with associated necessary KMS policies would be really handy. I've tried following the example and i'm stuck at the same location as @davidyell. |
|
I was using the same example that followed @davidyell.
|
|
Hi @bardock - yeah i'm using the ARN's not the alias and this error is still being thrown. |
|
@RalphBragg What specific key properties was the issue? @bardock so you were getting this error when using something like I also see that the raw keyrings can leak this error as well |
Yes. This example uses an alias for the generator key, but it works just because it also adds the same CMK as an alternate key. |
|
I think I understand the issue more now. Getting an unencrypted data key, when one is not set is an error, This also is sub-optimal. |
resolves: aws#152, aws#31 linked: awslabs/aws-encryption-sdk-specification#105 If no keyrings attempt to decrypt any encrypted data keys, then the message can not be decrypted. The code attempted to enforce this, by retrieving the unencrypted data key in node. There were two issues here 1. The check ensure the validity of the materials, itself threw an error. 1. Had this check succeeded, the error message `'Unencrypted data key is invalid.’` is not incredibly more helpful than 'unencryptedDataKey has not been set' The error message has been updated, and the tests have been updated to verify _this_ error message. On a related note awslabs/aws-encryption-sdk-specification#97 starts to explore some additional possibilities. The fullness of this issue is not only in failure, but success can also have similar issues.
|
I have seen this error when only one GeneratorKeyId has been used and not additional keys, that I needed for unknown reasons in order to make Given official example code there are two different key concepts given that I am confused about: In order to make
Can someone tell me what is the purpose of each on both keys and why do we need both together? (I was already asking at #951, maybe we can shed some light into this quite undocumented concept) |
Currently if no configured keyring is found to unwrap any of the encrypted data keys,
the CMM will throw an
unencryptedDataKey has not been seterror.While this error is accurate, it is unhelpful.
The text was updated successfully, but these errors were encountered: