aws/aws-encryption-sdk-python

Decrypting database monitoring events

orenmazor opened this issue · 2 comments

Problem:

Hi there! I'm taking a look at decrypting DAS events from AWS RDS/Kinesis, following this documentation: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Monitoring.html

but it looks like the referenced library code is actually out of date now. I'm not seeing some of that code in this library anymore.

I'm happy to use alternatives, or just straight up python crypto libs, but there's nothing in the docs over how the data key is encrypted.

So I'm reverse engineering this by reading the source of this lib, which isn't the most fun I've had today.

Do you folks have any advice for me for how I can decrypt those blobs? either using this lib or another one?

Hi,

You are correct, that example is using an older version of the Encryption SDK. In the latest versions you need to set a CommitmentPolicy.

In the Java example you linked the line

private static final AwsCrypto CRYPTO = new AwsCrypto();

needs to change to

import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CommitmentPolicy;

final AwsCrypto crypto = AwsCrypto.builder()
    .withCommitmentPolicy(CommitmentPolicy.ForbidEncryptAllowDecrypt)
    .build();

The way you would set a CommitmentPolicy in Python is like so:

from aws_encryption_sdk import CommitmentPolicy, EncryptionSDKClient

# Instantiate the client; ALLOW_DECRYPT is what lets it read messages written by pre-commitment SDK versions
client = EncryptionSDKClient(commitment_policy=CommitmentPolicy.FORBID_ENCRYPT_ALLOW_DECRYPT)

For more details see:
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/migration.html
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/migrate-commitment-policy.html
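Why the commitment policy matters for these blobs, and where the encrypted data key actually lives, can both be read straight off the Encryption SDK message header, whose layout is published in the developer guide's message format reference. The following header inspector is an added example written for this thread, not code from the issue or from the aws-encryption-sdk-python project. It uses only the standard library, follows the published v1 and v2 header layouts, and reports the algorithm suite (which tells you whether a REQUIRE_ENCRYPT_REQUIRE_DECRYPT client would refuse the message), the encryption context, and each encrypted data key with the provider ID and provider info that identify how it was wrapped. The two sample headers, the `example-provider` name, the `key-1` provider info and all key material and tags in them are constructed dummies.

```python
"""Inspect an AWS Encryption SDK message header (added example, not project code).
Follows the published message format: v1 headers carry a type byte, 16-byte
message ID, reserved field and IV length; v2 headers use a 32-byte message ID
and append 32 bytes of suite data for key-committing suites."""
import struct

# Algorithm suite IDs from the Encryption SDK message format spec. Only the two
# COMMIT_KEY suites commit to the data key, which REQUIRE_*_REQUIRE_DECRYPT insists on.
SUITE_NAMES = {
    0x0014: "AES_128_GCM_IV12_TAG16_NO_KDF", 0x0046: "AES_192_GCM_IV12_TAG16_NO_KDF",
    0x0078: "AES_256_GCM_IV12_TAG16_NO_KDF", 0x0114: "AES_128_GCM_IV12_TAG16_HKDF_SHA256",
    0x0146: "AES_192_GCM_IV12_TAG16_HKDF_SHA256", 0x0178: "AES_256_GCM_IV12_TAG16_HKDF_SHA256",
    0x0214: "AES_128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256",
    0x0246: "AES_192_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384",
    0x0378: "AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384",
    0x0478: "AES_256_GCM_HKDF_SHA512_COMMIT_KEY",
    0x0578: "AES_256_GCM_HKDF_SHA512_COMMIT_KEY_ECDSA_P384",
}
COMMITTING_SUITES = {0x0478, 0x0578}


class _Reader:
    """Bounds-checked cursor over the header bytes; all integers are big-endian."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated header at offset %d" % self.pos)
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def blob(self): return self.take(self.u16())   # 2-byte length prefix, then the bytes


def parse_header(message):
    r = _Reader(message)
    version = r.u8()
    if version == 1:
        if r.u8() != 0x80:                      # message type: customer authenticated encrypted data
            raise ValueError("unknown message type")
        suite, message_id = r.u16(), r.take(16)
    elif version == 2:
        suite, message_id = r.u16(), r.take(32)
    else:
        raise ValueError("unsupported message version %d" % version)
    if suite not in SUITE_NAMES:
        raise ValueError("unknown algorithm suite 0x%04x" % suite)

    context = {}                                 # encryption context: pair count, then key/value pairs
    aad_len = r.u16()
    if aad_len:
        sub = _Reader(r.take(aad_len))
        for _ in range(sub.u16()):
            key = sub.blob().decode("utf-8")     # key must be read before value (field order)
            context[key] = sub.blob().decode("utf-8")

    edks = []                                    # each EDK records which provider wrapped the data key
    for _ in range(r.u16()):
        edks.append({"provider_id": r.blob().decode("utf-8"), "provider_info": r.blob(),
                     "ciphertext": r.blob()})

    content_type = r.u8()                        # 1 = non-framed, 2 = framed
    if version == 1:
        if r.u32() != 0:
            raise ValueError("reserved field must be zero")
        iv_len, frame_len = r.u8(), r.u32()
        r.take(iv_len)                           # header authentication IV
    else:
        frame_len = r.u32()
        if suite in COMMITTING_SUITES:
            r.take(32)                           # algorithm suite data (the key commitment)
    r.take(16)                                   # header authentication tag

    return {"version": version, "suite": SUITE_NAMES[suite],
            "key_committing": suite in COMMITTING_SUITES, "message_id": message_id,
            "encryption_context": context, "encrypted_data_keys": edks,
            "framed": content_type == 2, "frame_length": frame_len, "header_length": r.pos}


def decrypt_allowed(policy, header):
    """Mirror the decrypt-side policy check: REQUIRE_ENCRYPT_REQUIRE_DECRYPT rejects
    messages from non-committing suites; both *_ALLOW_DECRYPT policies accept them."""
    if policy == "REQUIRE_ENCRYPT_REQUIRE_DECRYPT":
        return header["key_committing"]
    return policy in ("FORBID_ENCRYPT_ALLOW_DECRYPT", "REQUIRE_ENCRYPT_ALLOW_DECRYPT")


def _lp(b):                                      # length-prefixed field helper for the samples
    return struct.pack(">H", len(b)) + b

# Constructed sample headers (dummy provider name, key material and tags; not real AWS output).
_EDK = struct.pack(">H", 1) + _lp(b"example-provider") + _lp(b"key-1") + _lp(b"\xaa" * 32)
SAMPLE_V1 = (b"\x01\x80" + struct.pack(">H", 0x0178) + b"\x11" * 16
             + _lp(struct.pack(">H", 1) + _lp(b"purpose") + _lp(b"demo")) + _EDK
             + b"\x02" + b"\x00" * 4 + b"\x0c" + struct.pack(">I", 4096) + b"\x00" * 12 + b"\xff" * 16)
SAMPLE_V2 = (b"\x02" + struct.pack(">H", 0x0478) + b"\x22" * 32 + struct.pack(">H", 0) + _EDK
             + b"\x02" + struct.pack(">I", 4096) + b"\x33" * 32 + b"\xff" * 16)
```

Run `parse_header` over the first few hundred bytes of a base64-decoded message and look at `suite` and `key_committing`: a message from an older SDK version will show a non-committing suite such as `AES_256_GCM_IV12_TAG16_HKDF_SHA256`, which is exactly why the client above has to be built with an ALLOW_DECRYPT policy. The `provider_id` and `provider_info` of each entry in `encrypted_data_keys` are what a master key provider or keyring matches on when it unwraps the data key, so they tell you which key provider the message expects.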

thanks for responding @seebees! I'll check this out.

I guess I'm just disappointed that their example requires me to overload things in AWS's own encryption library rather than using one of its workflows out of the box.

it would make sense if they just gave me the raw algorithm and said "use AESGCM with these settings and you'll be good to go", but they kinda mix and match things. it's a bit of a mess :/