aws/aws-encryption-sdk-python

SDK Encryption Version

kethireddysudhakar opened this issue · 1 comments

Hello Team,

We have recently upgraded to SDK 2.0 and we are seeing decryption failing. We wanted to check what the version is that the user used for encryption; is there a way to identify that?

Hi @kethireddysudhakar

Messages do not contain any value signifying the specific AWS Encryption SDK version that originally encrypted the data, but do contain a value indicating the particular message format version the data was originally encrypted under. For example, in AWS Encryption SDK version 1.7 and below, all messages were encrypted according to message format version 1. Starting in the AWS Encryption SDK version 2.0, messages are encrypted in either message format version 1 or 2 depending on whether message commitment is enabled for encryption. Details on the specific message formats are here [1].

You can check the first byte of your encrypted message to see which message format it might have been encrypted under. Please note that I say "might" because since decryption is failing, there isn't a way to guarantee the integrity of this particular value. Regardless, it might still be helpful for debugging your particular issue.

For help migrating to 2.0, please see here [2]. Please note that if you are using the AWS Encryption SDK 2.0 for decrypting, and want to decrypt messages without commitment (messages in format 1) then you need to set your commitment policy to either ForbidEncryptAllowDecrypt or RequireEncryptAllowDecrypt.

[1] https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/message-format.html
[2] https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/migration.html
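One way to do the first-byte check described above, as an added example that is neither the project's code nor the commenter's: read the leading bytes of a ciphertext and report the message format version and algorithm suite ID. It assumes the header layouts from the linked message-format page (format 1: version, type, 2-byte algorithm ID; format 2: version, 2-byte algorithm ID) and that the committing suites are IDs 0x0478 and 0x0578; the sample byte strings are constructed, not real ciphertexts.

```python
import struct

# Message format versions from the linked message-format page.
FORMAT_V1 = 0x01
FORMAT_V2 = 0x02
# In format version 1 the second byte is the message type;
# 0x80 = customer authenticated encrypted data.
V1_TYPE_CUSTOMER_AED = 0x80
# Algorithm suite IDs that use key commitment (assumption: 0x0478 and
# 0x0578; these only appear in format version 2).
COMMITTING_SUITES = {0x0478, 0x0578}


def inspect_header(message: bytes) -> dict:
    """Parse the leading bytes of an AWS Encryption SDK message header.

    Returns the message format version, algorithm suite ID and whether the
    suite commits to the key. Nothing here verifies the header: a message that
    fails to decrypt may be corrupted, so treat the result as a debugging hint.
    """
    if not message:
        raise ValueError("empty message")
    version = message[0]
    if version == FORMAT_V1:
        # v1 layout: version(1) | type(1) | algorithm ID(2) | message ID(16) | ...
        if len(message) < 4:
            raise ValueError("truncated format-1 header")
        msg_type = message[1]
        if msg_type != V1_TYPE_CUSTOMER_AED:
            raise ValueError(f"unexpected message type 0x{msg_type:02x}")
        (alg_id,) = struct.unpack(">H", message[2:4])
        return {"format_version": 1, "algorithm_id": alg_id, "commitment": False}
    if version == FORMAT_V2:
        # v2 layout: version(1) | algorithm ID(2) | message ID(32) | ...
        if len(message) < 3:
            raise ValueError("truncated format-2 header")
        (alg_id,) = struct.unpack(">H", message[1:3])
        return {"format_version": 2, "algorithm_id": alg_id,
                "commitment": alg_id in COMMITTING_SUITES}
    raise ValueError(f"unknown message format version 0x{version:02x}")


# Constructed sample headers (not real ciphertexts): a format-1 message using
# suite 0x0378 and a format-2 message using committing suite 0x0578.
SAMPLE_V1 = bytes([0x01, 0x80, 0x03, 0x78]) + bytes(16)
SAMPLE_V2 = bytes([0x02, 0x05, 0x78]) + bytes(32)

if __name__ == "__main__":
    for name, sample in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2)):
        print(name, inspect_header(sample))
```

A format-1 result on a message that fails under SDK 2.0 is the case the commitment policy note above covers; a format-2 result with a committing suite points elsewhere.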