Closed
Description
Hi,
I'm trying encryptionsdk with 2 KMS keys from the same region. For encrypt I'm using key1 from the same region and for decrypt I'm using key2 from the same region. The decrypt always works and uses key1. Shouldn't the decrypt operation fail in this case? I'm confused as to why this works like this. See the code below:
```python
import aws_encryption_sdk

# Two different KMS keys in the same region.
key_arn_a = "arn:aws:kms:us-west-2:<account-id>:key/key-id-1"
key_arn_b = "arn:aws:kms:us-west-2:<account-id>:key/key-id-2"

# Placeholder plaintext; the original snippet did not define it.
source_plaintext = b"example plaintext"

# Provider used for encryption: only key A is added.
master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider()
master_key_provider.add_master_key(key_arn_a)

# Encrypt the plaintext source data.
ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
    source=source_plaintext,
    key_provider=master_key_provider
)
print("encryption header is", encryptor_header)
#print('Ciphertext: ', ciphertext)

# Provider used for decryption: only key B is added.
keyprovider2 = aws_encryption_sdk.KMSMasterKeyProvider()
keyprovider2.add_master_key(key_arn_b)

# Decrypt the ciphertext.
cycled_plaintext, decrypted_header = aws_encryption_sdk.decrypt(
    source=ciphertext,
    key_provider=keyprovider2
)
print("-------------------------------------------------------")
print("encryption header is", decrypted_header)
```
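A simplified model of the decrypt-side key selection behind the behaviour reported above, added here as an example and not taken from the issue or from the SDK's source: in 1.x releases of the Python SDK, `KMSMasterKeyProvider` on decrypt tries the key ARN recorded in each encrypted data key of the message, not only the keys added to the provider. `FakeKms`, `EncryptedDataKey`, `decrypt_data_key` and the ARNs are hypothetical; the `strict=True` path models what `StrictAwsKmsMasterKeyProvider` enforces in later releases.

```python
from dataclasses import dataclass

PROVIDER_ID = "aws-kms"
# Constructed ARNs; 111122223333 is a placeholder account id.
KEY_A = "arn:aws:kms:us-west-2:111122223333:key/key-id-1"
KEY_B = "arn:aws:kms:us-west-2:111122223333:key/key-id-2"


@dataclass(frozen=True)
class EncryptedDataKey:
    provider_id: str  # which provider wrapped the data key
    key_arn: str      # ARN of the wrapping key, stored in the message header
    wrapped: bytes


class FakeKms:
    """Hypothetical KMS stand-in; the caller may use every ARN in `allowed`."""

    def __init__(self, allowed):
        self.allowed = set(allowed)

    def encrypt(self, key_arn, data_key):
        # Toy wrapping (byte reversal) so the example runs offline.
        return EncryptedDataKey(PROVIDER_ID, key_arn, data_key[::-1])

    def decrypt(self, edk):
        if edk.key_arn not in self.allowed:
            raise PermissionError(edk.key_arn)
        return edk.wrapped[::-1]


def decrypt_data_key(kms, edks, configured, strict):
    """Return (data_key, arn_used); raise ValueError if nothing unwraps."""
    for edk in edks:
        if edk.provider_id != PROVIDER_ID:
            continue
        if strict and edk.key_arn not in configured:
            continue  # strict: only try keys the caller listed
        try:
            # Non-strict: the ARN comes from the message, not from the caller.
            return kms.decrypt(edk), edk.key_arn
        except PermissionError:
            continue
    raise ValueError("no encrypted data key could be unwrapped")


# Same shape as the post: encrypt under key A, decrypt with only key B listed.
kms = FakeKms({KEY_A, KEY_B})
header = [kms.encrypt(KEY_A, b"0123456789abcdef")]
print(decrypt_data_key(kms, header, {KEY_B}, strict=False)[1])  # key A is used
```

In this model the non-strict decrypt fails only when the caller's credentials cannot use key A, so access to the wrapping key, not the provider's key list, is what gates decryption.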