Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Google Cloud KMS: Unable to decrypt

Tags:

google-cloud-platform

google-cloud-kms

I'm trying to decrypt a kms encrypted file and running in to the following error:

UnicodeDecodeError: 'utf8' codec can't decode byte 0x80 in position 3: invalid start byte

I'm using the sample decrypt code.

I'm able to decrypt the file using the command line.

The exception is being thrown from here:

cipher_text.decode('utf-8')

Code: https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/kms/api-client/snippets.py

Please let me know if I'm missing something here.

like image 446
Fayaz Ahmed Avatar asked Jan 18 '26 10:01

Fayaz Ahmed

1 Answers

When you use the Python library, all inputs must be base64-encoded, and the outputs will be base64-encoded as well. In the encrypt function in snippets.py, you can see that the code is base64-encoding the plaintext before passing it to the KMS encrypt API.

encoded_text = base64.b64encode(plaintext)

When you use the gcloud kms encrypt command, you do not have to base64 encode the plaintext yourself, and the ciphertext is not base64-encoded.

So, when you pass the ciphertext from gcloud kms encrypt to the Python library to decrypt, you must base64-encode it first. Change the decrypt function in snippets.py to base64-encode the file data before sending it on.

# Read cipher text from the input file.
with io.open(encrypted_file_name, 'rb') as encrypted_file:
    ciphertext = encrypted_file.read()
encoded_text = base64.b64encode(ciphertext)

# Use the KMS API to decrypt the text.
cryptokeys = kms_client.projects().locations().keyRings().cryptoKeys()
request = cryptokeys.decrypt(
    name=name, body={'ciphertext': encoded_text.decode('utf-8')})
response = request.execute()

You can think of the base64-encoding as being a transport-layer implementation detail: it's only necessary so that arbitrary binary data can be sent in JSON, which only accepts Unicode strings. So, the Cloud KMS API requires this data to be base64-encoded, and must base64-encode the output as well. But the gcloud command does this work for you, so you don't have to do it.

I think the Python sample code is misleading. It should always base64-encode inputs to the API and base64-decode outputs, instead of only doing it sometimes. I'll look at updating the Python sample code shortly, and double check the sample code for the other languages.

like image 149
Russ Amos Avatar answered Jan 21 '26 09:01

Russ Amos

Sign in to Comment

Related questions

Cannot find module 'google-cloud/pubsub' when deploying app

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!