# AWS Encryption SDK command line interface The AWS Encryption SDK Command Line Interface (AWS Encryption CLI) enables you to use the AWS Encryption SDK to encrypt and decrypt data interactively at the command line and in scripts. You don't need cryptography or programming expertise. **Note** Versions of the AWS Encryption CLI earlier than 4.0.0 are in the [end-of-support phase](https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html#version-life-cycle). You can safely update from version 2.1.*x* and later to the latest version of the AWS Encryption CLI without any code or data changes. However, [ new security features](about-versions.md#version-2) introduced in version 2.1.*x* are not backward-compatible. To update from version 1.7.*x* or earlier, you must first update to the latest 1.*x* version of the AWS Encryption CLI. For details, see [Migrating your AWS Encryption SDK](migration.md). New security features were originally released in AWS Encryption CLI versions 1.7.*x* and 2.0.*x*. However, AWS Encryption CLI version 1.8.*x* replaces version 1.7.*x* and AWS Encryption CLI 2.1.*x* replaces 2.0.*x*. For details, see the relevant [security advisory](https://github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-2xwp-m7mq-7q3r) in the [aws-encryption-sdk-cli](https://github.com/aws/aws-encryption-sdk-cli/) repository on GitHub. Like all implementations of the AWS Encryption SDK, the AWS Encryption CLI offers advanced data protection features. These include [envelope encryption](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/how-it-works.html#envelope-encryption), additional authenticated data (AAD), and secure, authenticated, symmetric key [algorithm suites](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/supported-algorithms.html), such as 256-bit AES-GCM with key derivation, [key commitment](concepts.md#key-commitment), and signing. The AWS Encryption CLI is built on the [AWS Encryption SDK for Python](python.md) and is supported on Linux, macOS, and Windows. You can run commands and scripts to encrypt and decrypt your data in your preferred shell on Linux or macOS, in a Command Prompt window (cmd.exe) on Windows, and in a PowerShell console on any system. All language-specific implementations of the AWS Encryption SDK, including the AWS Encryption CLI, are interoperable. For example, you can encrypt data with the [AWS Encryption SDK for Java](java.md) and decrypt it with the AWS Encryption CLI. This topic introduces the AWS Encryption CLI, explains how to install and use it, and provides several examples to help you get started. For a quick start, see [How to Encrypt and Decrypt Your Data with the AWS Encryption CLI](https://aws.amazon.com/blogs/security/how-to-encrypt-and-decrypt-your-data-with-the-aws-encryption-cli/) in the AWS Security Blog. For more detailed information, see [Read The Docs](https://aws-encryption-sdk-cli.readthedocs.io/en/latest/), and join us in developing the AWS Encryption CLI in the [aws-encryption-sdk-cli](https://github.com/aws/aws-encryption-sdk-cli/) repository on GitHub. **Performance** The AWS Encryption CLI is built on the AWS Encryption SDK for Python. Each time you run the CLI, you start a new instance of the Python runtime. To improve performance, whenever possible, use a single command instead of a series of independent commands. For example, run one command that processes the files in a directory recursively instead of running separate commands for each file. **Topics** + [Installing the CLI](crypto-cli-install.md) + [How to use the CLI](crypto-cli-how-to.md) + [Examples](crypto-cli-examples.md) + [Syntax and parameter reference](crypto-cli-reference.md) + [Versions](crypto-cli-versions.md) # Installing the AWS Encryption SDK command line interface This topic explains how to install the AWS Encryption CLI. For detailed information, see the [aws-encryption-sdk-cli](https://github.com/aws/aws-encryption-sdk-cli/) repository on GitHub and [Read the Docs](https://aws-encryption-sdk-cli.readthedocs.io/en/latest/). **Topics** + [ ## Installing the prerequisites ](#crypto-cli-prerequisites) + [Installing the CLI](#install-sdk-cli) ## Installing the prerequisites The AWS Encryption CLI is built on the AWS Encryption SDK for Python. To install the AWS Encryption CLI, you need Python and `pip`, the Python package management tool. Python and `pip` are available on all supported platforms. Install the following prerequisites before you install the AWS Encryption CLI, **Python** Python 3.8 or later is required by the AWS Encryption CLI versions 4.2.0 and later. Earlier versions of the AWS Encryption CLI support Python 2.7 and 3.4 and later, but we recommend that you use the latest version of the AWS Encryption CLI. Python is included in most Linux and macOS installations, but you need to upgrade to Python 3.6 or later. We recommend that you use the latest version of Python. On Windows, you have to install Python; it is not installed by default. To download and install Python, see [Python downloads](https://www.python.org/downloads/). To determine whether Python is installed, at the command line, type the following. ``` python ``` To check the Python version, use the `-V` (uppercase V) parameter. ``` python -V ``` On Windows, after you install Python, add the path to the `Python.exe` file to the value of the **Path** environment variable. By default, Python is installed in the all users directory or in a user profile directory (`$home` or `%userprofile%`) in the `AppData\Local\Programs\Python` subdirectory. To find the location of the `Python.exe` file on your system, check one of the following registry keys. You can use PowerShell to search the registry. ``` PS C:\> dir HKLM:\Software\Python\PythonCore\version\InstallPath # -or- PS C:\> dir HKCU:\Software\Python\PythonCore\version\InstallPath ``` **pip** `pip` is the Python package manager. To install the AWS Encryption CLI and its dependencies, you need `pip` 8.1 or later. For help installing or upgrading `pip`, see [Installation](https://pip.pypa.io/en/latest/installing/) in the `pip` documentation. On Linux installations, versions of `pip` earlier than 8.1 can't build the **cryptography** library that the AWS Encryption CLI requires. If you choose not to update your `pip` version, you can install the build tools separately. For more information, see [Building cryptography on Linux](https://cryptography.io/en/latest/installation.html#building-cryptography-on-linux). **AWS Command Line Interface** The AWS Command Line Interface (AWS CLI) is required only if you are using AWS KMS keys in AWS Key Management Service (AWS KMS) with the AWS Encryption CLI. If you are using a different [master key provider](concepts.md#master-key-provider), the AWS CLI is not required. To use AWS KMS keys with the AWS Encryption CLI, you need to [install](https://docs.aws.amazon.com/cli/latest/userguide/installing.html) and [configure ](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-quick-configuration) the AWS CLI. The configuration makes the credentials that you use to authenticate to AWS KMS available to the AWS Encryption CLI. ## Installing and updating the AWS Encryption CLI Install the latest version of the AWS Encryption CLI. When you use `pip` to install the AWS Encryption CLI, it automatically installs the libraries that the CLI needs, including the [AWS Encryption SDK for Python](python.md), the Python [cryptography library](https://cryptography.io/en/latest/), and the [AWS SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html). **Note** Versions of the AWS Encryption CLI earlier than 4.0.0 are in the [end-of-support phase](https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html#version-life-cycle). You can safely update from version 2.1.*x* and later to the latest version of the AWS Encryption CLI without any code or data changes. However, [ new security features](about-versions.md#version-2) introduced in version 2.1.*x* are not backward-compatible. To update from version 1.7.*x* or earlier, you must first update to the latest 1.*x* version of the AWS Encryption CLI. For details, see [Migrating your AWS Encryption SDK](migration.md). New security features were originally released in AWS Encryption CLI versions 1.7.*x* and 2.0.*x*. However, AWS Encryption CLI version 1.8.*x* replaces version 1.7.*x* and AWS Encryption CLI 2.1.*x* replaces 2.0.*x*. For details, see the relevant [security advisory](https://github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-2xwp-m7mq-7q3r) in the [aws-encryption-sdk-cli](https://github.com/aws/aws-encryption-sdk-cli/) repository on GitHub. **To install the latest version of the AWS Encryption CLI** ``` pip install aws-encryption-sdk-cli ``` **To upgrade to the latest version of the AWS Encryption CLI** ``` pip install --upgrade aws-encryption-sdk-cli ``` **To find the version numbers of your AWS Encryption CLI and AWS Encryption SDK** ``` aws-encryption-cli --version ``` The output lists the version numbers of both libraries. ``` aws-encryption-sdk-cli/2.1.0 aws-encryption-sdk/2.0.0 ``` **To upgrade to the latest version of the AWS Encryption CLI** ``` pip install --upgrade aws-encryption-sdk-cli ``` Installing the AWS Encryption CLI also installs the latest version of the AWS SDK for Python (Boto3), if it's not already installed. If Boto3 is installed, the installer verifies the Boto3 version and updates it if required. **To find your installed version of Boto3** ``` pip show boto3 ``` **To update to the latest version of Boto3** ``` pip install --upgrade boto3 ``` To install the version of the AWS Encryption CLI currently in development, see the [aws-encryption-sdk-cli](https://github.com/aws/aws-encryption-sdk-cli/) repository on GitHub. For more details about using `pip` to install and upgrade Python packages, see the [pip documentation](https://pip.pypa.io/en/stable/quickstart/). # How to use the AWS Encryption CLI This topic explains how to use the parameters in the AWS Encryption CLI. For examples, see [Examples of the AWS Encryption CLI](crypto-cli-examples.md). For complete documentation, see [Read the Docs](https://aws-encryption-sdk-cli.readthedocs.io/en/latest/). The syntax shown in these examples is for AWS Encryption CLI version 2.1.*x* and later. **Note** Versions of the AWS Encryption CLI earlier than 4.0.0 are in the [end-of-support phase](https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html#version-life-cycle). You can safely update from version 2.1.*x* and later to the latest version of the AWS Encryption CLI without any code or data changes. However, [ new security features](about-versions.md#version-2) introduced in version 2.1.*x* are not backward-compatible. To update from version 1.7.*x* or earlier, you must first update to the latest 1.*x* version of the AWS Encryption CLI. For details, see [Migrating your AWS Encryption SDK](migration.md). New security features were originally released in AWS Encryption CLI versions 1.7.*x* and 2.0.*x*. However, AWS Encryption CLI version 1.8.*x* replaces version 1.7.*x* and AWS Encryption CLI 2.1.*x* replaces 2.0.*x*. For details, see the relevant [security advisory](https://github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-2xwp-m7mq-7q3r) in the [aws-encryption-sdk-cli](https://github.com/aws/aws-encryption-sdk-cli/) repository on GitHub. For an example showing how to use the security feature that limits encrypted data keys, see [Limiting encrypted data keys](configure.md#config-limit-keys). For an example showing how to use AWS KMS multi-Region keys, see [Using multi-Region AWS KMS keys](configure.md#config-mrks). **Topics** + [ ## How to encrypt and decrypt data ](#crypto-cli-e-d-intro) + [ ## How to specify wrapping keys ](#crypto-cli-master-key) + [ ## How to provide input ](#crypto-cli-input) + [ ## How to specify the output location ](#crypto-cli-output) + [ ## How to use an encryption context ](#crypto-cli-encryption-context) + [ ## How to specify a commitment policy ](#crypto-cli-commitment-policy) + [ ## How to store parameters in a configuration file ](#crypto-cli-config-file) ## How to encrypt and decrypt data The AWS Encryption CLI uses the features of the AWS Encryption SDK to make it easy to encrypt and decrypt data securely. **Note** The `--master-keys` parameter is deprecated in version 1.8.*x* of the AWS Encryption CLI and removed in version 2.1.*x*. Instead, use the `--wrapping-keys` parameter. Beginning in version 2.1.*x*, the `--wrapping-keys` parameter is required when encrypting and decrypting. For details, see [AWS Encryption SDK CLI syntax and parameter reference](crypto-cli-reference.md). + When you encrypt data in the AWS Encryption CLI, you specify your plaintext data and a [wrapping key](concepts.md#master-key) (or *master key*), such as an AWS KMS key in AWS Key Management Service (AWS KMS). If you are using a custom master key provider, you also need to specify the provider. You also specify output locations for the [encrypted message](concepts.md#message) and for metadata about the encryption operation. An [encryption context](concepts.md#encryption-context) is optional, but recommended. In version 1.8.*x*, the `--commitment-policy` parameter is required when you use the `--wrapping-keys` parameter; otherwise it's not valid. Beginning in version 2.1.*x*, the `--commitment-policy` parameter is optional, but recommended. ``` aws-encryption-cli --encrypt --input myPlaintextData \ --wrapping-keys key=1234abcd-12ab-34cd-56ef-1234567890ab \ --output myEncryptedMessage \ --metadata-output ~/metadata \ --encryption-context purpose=test \ --commitment-policy require-encrypt-require-decrypt ``` The AWS Encryption CLI encrypts your data under a unique data key. Then it encrypts the data key under the wrapping keys you specify. It returns an [encrypted message](concepts.md#message) and metadata about the operation. The encrypted message contains your encrypted data (*ciphertext*) and an encrypted copy of the data key. You don't have to worry about storing, managing, or losing the data key.   + When you decrypt data, you pass in your encrypted message, the optional encryption context, and location for the plaintext output and the metadata. You also specify the wrapping keys that the AWS Encryption CLI can use to decrypt the message, or tell the AWS Encryption CLI it can use any wrapping keys that encrypted the message. Beginning in version 1.8.*x*, the `--wrapping-keys` parameter is optional when decrypting, but recommended. Beginning in version 2.1.*x*, the `--wrapping-keys` parameter is required when encrypting and decrypting. When decrypting, you can use the **key** attribute of the `--wrapping-keys` parameter to specify the wrapping keys that decrypt your data. Specifying an AWS KMS wrapping key when decrypting is optional, but it's a [best practice](best-practices.md) that prevents you from using a key you didn't intend to use. If you're using a custom master key provider, you must specify the provider and wrapping key. If you don't use the **key** attribute, you must set the [**discovery** attribute](#discovery-cli-attribute) of the `--wrapping-keys` parameter to `true`, which lets the AWS Encryption CLI decrypt using any wrapping key that encrypted the message. As a best practice, use the `--max-encrypted-data-keys` parameter to avoid decrypting a malformed message with an excessive number of encrypted data keys. Specify the expected number of encrypted data keys (one for each wrapping key used in encryption) or a reasonable maximum (such as 5). For details, see [Limiting encrypted data keys](configure.md#config-limit-keys). The `--buffer` parameter returns plaintext only after all input is processed, including verifying the digital signature if one is present. The `--decrypt-unsigned` parameter decrypts ciphertext and ensures that messages are unsigned before decryption. Use this parameter if you used the `--algorithm` parameter and selected an algorithm suite without digital signing to encrypt data. If the ciphertext is signed, decryption fails. You can use `--decrypt` or `--decrypt-unsigned` for decryption but not both. ``` aws-encryption-cli --decrypt --input myEncryptedMessage \ --wrapping-keys key=1234abcd-12ab-34cd-56ef-1234567890ab \ --output myPlaintextData \ --metadata-output ~/metadata \ --max-encrypted-data-keys 1 \ --buffer \ --encryption-context purpose=test \ --commitment-policy require-encrypt-require-decrypt ``` The AWS Encryption CLI uses the wrapping key to decrypt the data key in the encrypted message. Then it uses the data key to decrypt your data. It returns your plaintext data and metadata about the operation. ## How to specify wrapping keys When you encrypt data in the AWS Encryption CLI, you need to specify at least one [wrapping key](concepts.md#master-key) (or *master key*). You can use AWS KMS keys in AWS Key Management Service (AWS KMS), wrapping keys from a custom [master key provider](concepts.md#master-key-provider), or both. The custom master key provider can be any compatible Python master key provider. To specify wrapping keys in versions 1.8.*x* and later, use the `--wrapping-keys` parameter (`-w`). The value of this parameter is a collection of [attributes](#cli-master-key-attributes) with the `attribute=value` format. The attributes that you use depend on the master key provider and the command. + **AWS KMS**. In encrypt commands, you must specify a `--wrapping-keys` parameter with a **key** attribute. Beginning in version 2.1.*x*, the `--wrapping-keys` parameter is also required in decrypt commands. When decrypting, the `--wrapping-keys` parameter must have a **key** attribute or a **discovery** attribute with a value of `true` (but not both). Other attributes are optional. + **Custom master key provider**. You must specify a `--wrapping-keys` parameter in every command. The parameter value must have **key** and **provider** attributes. You can include [multiple `--wrapping-keys` parameters](#cli-many-cmks) and multiple **key** attributes in the same command. ### Wrapping key parameter attributes The value of the `--wrapping-keys` parameter consists of the following attributes and their values. A `--wrapping-keys` parameter (or `--master-keys` parameter) is required in all encrypt commands. Beginning in version 2.1.*x*, the `--wrapping-keys` parameter is also required when decrypting. If an attribute name or value includes spaces or special characters, enclose both the name and value in quotation marks. For example, `--wrapping-keys key=12345 "provider=my cool provider"`. **Key: Specify a wrapping key** Use the **key** attribute to identify a wrapping key. When encrypting, the value can be any key identifier that the master key provider recognizes. ``` --wrapping-keys key=1234abcd-12ab-34cd-56ef-1234567890ab ``` In an encrypt command, you must include at least one **key** attribute and value. To encrypt your data key under multiple wrapping keys, use [multiple **key** attributes](#cli-many-cmks). ``` aws-encryption-cli --encrypt --wrapping-keys key=1234abcd-12ab-34cd-56ef-1234567890ab key=1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d ``` In encrypt commands that use AWS KMS keys, the value of **key** can be the key ID, its key ARN, an alias name, or alias ARN. For example, this encrypt command uses an alias ARN in the value of the **key** attribute. For details about the key identifiers for an AWS KMS key, see [Key Identifiers](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide*. ``` aws-encryption-cli --encrypt --wrapping-keys key=arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias ``` In decrypt commands that use a custom master key provider, **key** and **provider** attributes are required. ``` \\ Custom master key provider aws-encryption-cli --decrypt --wrapping-keys provider='myProvider' key='100101' ``` In decrypt commands that use AWS KMS, you can use the **key** attribute to specify the AWS KMS keys to use for decrypting, or the [**discovery** attribute](#discovery-cli-attribute) with a value of `true`, which lets the AWS Encryption CLI use any AWS KMS key that was used to encrypt the message. If you specify an AWS KMS key, it must be one of the wrapping keys used to encrypt the message. Specifying the wrapping key is an [AWS Encryption SDK best practice](best-practices.md). It assures that you use the AWS KMS key you intend to use. In a decrypt command, the value of the **key** attribute must be a [key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN). ``` \\ AWS KMS key aws-encryption-cli --decrypt --wrapping-keys key=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab ``` **Discovery: Use any AWS KMS key when decrypting** If you don't need to limit the AWS KMS keys to use when decrypting, you can use the **discovery** attribute with a value of `true`. A value of `true` allows the AWS Encryption CLI to decrypt using any AWS KMS key that encrypted the message. If you don't specify a **discovery** attribute, discovery is `false` (default). The **discovery** attribute is valid only in decrypt commands and only when the message was encrypted with AWS KMS keys. The **discovery** attribute with a value of `true` is an alternative to using the **key** attribute to specify AWS KMS keys. When decrypting a message encrypted with AWS KMS keys, each `--wrapping-keys` parameter must have a **key** attribute or a **discovery** attribute with a value of `true`, but not both. When discovery is true, it's a best practice to use the **discovery-partition** and **discovery-account** attributes to limit the AWS KMS keys used to those in the AWS accounts you specify. In the following example, the **discovery** attributes allow the AWS Encryption CLI to use any AWS KMS key in the specified AWS accounts. ``` aws-encryption-cli --decrypt --wrapping-keys \ discovery=true \ discovery-partition=aws \ discovery-account=111122223333 \ discovery-account=444455556666 ``` **Provider: Specify the master key provider** The **provider** attribute identifies the [master key provider](concepts.md#master-key-provider). The default value is `aws-kms`, which represents AWS KMS. If you are using a different master key provider, the **provider** attribute is required. ``` --wrapping-keys key=12345 provider=my_custom_provider ``` For more information about using custom (non-AWS KMS) master key providers, see the **Advanced Configuration** topic in the [README](https://github.com/aws/aws-encryption-sdk-cli/blob/master/README.rst) file for the [AWS Encryption CLI](https://github.com/aws/aws-encryption-sdk-cli/) repository. **Region: Specify an AWS Region** Use the **region** attribute to specify the AWS Region of an AWS KMS key. This attribute is valid only in encrypt commands and only when the master key provider is AWS KMS. ``` --encrypt --wrapping-keys key=alias/primary-key region=us-east-2 ``` AWS Encryption CLI commands use the AWS Region that is specified in the **key** attribute value if it includes a region, such as an ARN. if the **key** value specifies a AWS Region, the **region** attribute is ignored. The **region** attribute takes precedence over other region specifications. If you don't use a region attribute, AWS Encryption CLI commands uses the AWS Region specified in your AWS CLI [named profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles), if any, or your default profile. **Profile: Specify a named profile** Use the **profile** attribute to specify an AWS CLI [named profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles). Named profiles can include credentials and an AWS Region. This attribute is valid only when the master key provider is AWS KMS. ``` --wrapping-keys key=alias/primary-key profile=admin-1 ``` You can use the **profile** attribute to specify alternate credentials in encrypt and decrypt commands. In an encrypt command, the AWS Encryption CLI uses the AWS Region in the named profile only when the **key** value does not include a region and there is no **region** attribute. In a decrypt command, the AWS Region in the name profile is ignored. ### How to specify multiple wrapping keys You can specify multiple wrapping keys (or *master keys*) in each command. If you specify more than one wrapping key, the first wrapping key generates and encrypts the data key that is used to encrypt your data. The other wrapping keys encrypt the same data key. The resulting [encrypted message](concepts.md#message) contains the encrypted data ("ciphertext") and a collection of encrypted data keys, one encrypted by each wrapping key. Any of the wrapping can decrypt one encrypted data key and then decrypt the data. There are two ways to specify multiple wrapping keys: + Include multiple **key** attributes in the `--wrapping-keys` parameter value. ``` $key_oregon=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab $key_ohio=arn:aws:kms:us-east-2:111122223333:key/0987ab65-43cd-21ef-09ab-87654321cdef --wrapping-keys key=$key_oregon key=$key_ohio ``` + Include multiple `--wrapping-keys` parameters in the same command. Use this syntax when the attribute values that you specify do not apply to all of the wrapping keys in the command. ``` --wrapping-keys region=us-east-2 key=alias/test_key \ --wrapping-keys region=us-west-1 key=alias/test_key ``` The **discovery** attribute with a value of `true` lets the AWS Encryption CLI use any AWS KMS key that encrypted the message. If you use multiple `--wrapping-keys` parameters in the same command, using `discovery=true` in any `--wrapping-keys` parameter effectively overrides the limits of the **key** attribute in other `--wrapping-keys` parameters. For example, in the following command, the **key** attribute in the first `--wrapping-keys` parameter limits the AWS Encryption CLI to the specified AWS KMS key. However, the **discovery** attribute in the second `--wrapping-keys` parameter lets the AWS Encryption CLI use any AWS KMS key in the specified accounts to decrypt the message. ``` aws-encryption-cli --decrypt \ --wrapping-keys key=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab \ --wrapping-keys discovery=true \ discovery-partition=aws \ discovery-account=111122223333 \ discovery-account=444455556666 ``` ## How to provide input The encrypt operation in the AWS Encryption CLI takes plaintext data as input and returns an [encrypted message](concepts.md#message). The decrypt operation takes an encrypted message as input and returns plaintext data. The `--input` parameter (`-i`) , which tells the AWS Encryption CLI where to find the input, is required in all AWS Encryption CLI commands. You can provide input in any of the following ways: + Use a file. ``` --input myData.txt ``` + Use a file name pattern. ``` --input testdir/*.xml ``` + Use a directory or directory name pattern. When the input is a directory, the `--recursive` parameter (`-r`, `-R`) is required. ``` --input testdir --recursive ``` + Pipe input to the command (stdin). Use a value of `-` for the `--input` parameter. (The `--input` parameter is always required.) ``` echo 'Hello World' | aws-encryption-cli --encrypt --input - ``` ## How to specify the output location The `--output` parameter tells the AWS Encryption CLI where to write the results of the encryption or decryption operation. It is required in every AWS Encryption CLI command. The AWS Encryption CLI creates a new output file for every input file in the operation. If an output file already exists, by default, the AWS Encryption CLI prints a warning, then overwrites the file. To prevent overwriting, use the `--interactive` parameter, which prompts you for confirmation before overwriting, or `--no-overwrite`, which skips the input if the output would cause an overwrite. To suppress the overwrite warning, use `--quiet`. To capture errors and warnings from the AWS Encryption CLI, use the `2>&1` redirection operator to write them to the output stream. **Note** Commands that overwrite output files begin by deleting the output file. If the command fails, the output file might already be deleted. You can the output location in several ways. + Specify a file name. If you specify a path to the file, all directories in the path must exist before the command runs. ``` --output myEncryptedData.txt ``` + Specify a directory. The output directory must exist before the command runs. If the input contains subdirectories, the command reproduces the subdirectories under the specified directory. ``` --output Test ``` When the output location is a directory (without file names), the AWS Encryption CLI creates output file names based on the input file names plus a suffix. Encrypt operations append `.encrypted` to the input file name and the decrypt operations append `.decrypted`. To change the suffix, use the `--suffix` parameter. For example, if you encrypt `file.txt`, the encrypt command creates `file.txt.encrypted`. If you decrypt `file.txt.encrypted`, the decrypt command creates `file.txt.encrypted.decrypted`.   + Write to the command line (stdout). Enter a value of `-` for the `--output` parameter. You can use `--output -` to pipe output to another command or program. ``` --output - ``` ## How to use an encryption context The AWS Encryption CLI lets you provide an encryption context in encrypt and decrypt commands. It is not required, but it is a cryptographic best practice that we recommend. An *encryption context* is a type of arbitrary, non-secret *additional authenticated data*. In the AWS Encryption CLI, the encryption context consists of a collection of `name=value` pairs. You can use any content in the pairs, including information about the files, data that helps you to find the encryption operation in logs, or data that your grants or policies require. **In an encrypt command** The encryption context that you specify in an encrypt command, along with any additional pairs that the [CMM](concepts.md#crypt-materials-manager) adds, is cryptographically bound to the encrypted data. It is also included (in plaintext) in the [encrypted message](concepts.md#encryption-context) that the command returns. If you are using an AWS KMS key, the encryption context also might appear in plaintext in audit records and logs, such as AWS CloudTrail. The following example shows an encryption context with three `name=value` pairs. ``` --encryption-context purpose=test dept=IT class=confidential ``` **In a decrypt command** In a decrypt command, the encryption context helps you to confirm that you are decrypting the right encrypted message. You are not required to provide an encryption context in a decrypt command, even if an encryption context was used on encrypt. However, if you do, the AWS Encryption CLI verifies that every element in the encryption context of the decrypt command matches an element in the encryption context of the encrypted message. If any element does not match, the decrypt command fails. For example, the following command decrypts the encrypted message only if its encryption context includes `dept=IT`. ``` aws-encryption-cli --decrypt --encryption-context dept=IT ... ``` An encryption context is an important part of your security strategy. However, when choosing an encryption context, remember that its values are not secret. Do not include any confidential data in the encryption context. **To specify an encryption context** + In an **encrypt** command, use the `--encryption-context` parameter with one or more `name=value` pairs. Use a space to separate each pair. ``` --encryption-context name=value [name=value] ... ``` + In a **decrypt** command, the `--encryption-context` parameter value can include `name=value` pairs, `name` elements (with no values), or a combination of both. ``` --encryption-context name[=value] [name] [name=value] ... ``` If the `name` or `value` in a `name=value` pair includes spaces or special characters, enclose the entire pair in quotation marks. ``` --encryption-context "department=software engineering" "AWS Region=us-west-2" ``` For example, this encrypt command includes an encryption context with two pairs, `purpose=test` and `dept=23`. ``` aws-encryption-cli --encrypt --encryption-context purpose=test dept=23 ... ``` These decrypt command would succeed. The encryption context in each commands is a subset of the original encryption context. ``` \\ Any one or both of the encryption context pairs aws-encryption-cli --decrypt --encryption-context dept=23 ... \\ Any one or both of the encryption context names aws-encryption-cli --decrypt --encryption-context purpose ... \\ Any combination of names and pairs aws-encryption-cli --decrypt --encryption-context dept purpose=test ... ``` However, these decrypt commands would fail. The encryption context in the encrypted message does not contain the specified elements. ``` aws-encryption-cli --decrypt --encryption-context dept=Finance ... aws-encryption-cli --decrypt --encryption-context scope ... ``` ## How to specify a commitment policy To set the [commitment policy](concepts.md#commitment-policy) for the command, use the [`--commitment-policy` parameter](crypto-cli-reference.md#syntax-commitment-policy). This parameter is introduced in version 1.8.*x*. It is valid in encrypt and decrypt commands. The commitment policy you set is valid only for the command in which it appears. If you do not set a commitment policy for a command, the AWS Encryption CLI uses the default value. For example, the following parameter value sets the commitment policy to `require-encrypt-allow-decrypt`, which always encrypts with key commitment, but will decrypt a ciphertext that was encrypted with or without key commitment. ``` --commitment-policy require-encrypt-allow-decrypt ``` ## How to store parameters in a configuration file You can save time and avoid typing errors by saving frequently used AWS Encryption CLI parameters and values in configuration files. A *configuration file* is a text file that contains parameters and values for an AWS Encryption CLI command. When you refer to a configuration file in a AWS Encryption CLI command, the reference is replaced by the parameters and values in the configuration file. The effect is the same is if you typed the file content at the command line. A configuration file can have any name and it can be located in any directory that the current user can access. The following example configuration file, `key.conf`, specifies two AWS KMS keys in different Regions. ``` --wrapping-keys key=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab --wrapping-keys key=arn:aws:kms:us-east-2:111122223333:key/0987ab65-43cd-21ef-09ab-87654321cdef ``` To use the configuration file in a command, prefix the file name with an at sign (`@`). In a PowerShell console, use a backtick character to escape the at sign (``@`). This example command uses the `key.conf` file in an encrypt command. ------ #### [ Bash ] ``` $ aws-encryption-cli -e @key.conf -i hello.txt -o testdir ``` ------ #### [ PowerShell ] ``` PS C:\> aws-encryption-cli -e `@key.conf -i .\Hello.txt -o .\TestDir ``` ------ **Configuration file rules** The rules for using configuration files are as follows: + You can include multiple parameters in each configuration file and list them in any order. List each parameter with its values (if any) on a separate line. + Use `#` to add a comment to all or part of a line. + You can include references to other configuration files. Do not use a backtick to escape the `@` sign, even in PowerShell. + If you use quotes in a configuration file, the quoted text cannot span multiple lines. For example, this is the contents of an example `encrypt.conf` file. ``` # Archive Files --encrypt --output /archive/logs --recursive --interactive --encryption-context class=unclassified dept=IT --suffix # No suffix --metadata-output ~/metadata @caching.conf # Use limited caching ``` You can also include multiple configuration files in a command. This example command uses both the `encrypt.conf` and `master-keys.conf` configurations files. ------ #### [ Bash ] ``` $ aws-encryption-cli -i /usr/logs @encrypt.conf @master-keys.conf ``` ------ #### [ PowerShell ] ``` PS C:\> aws-encryption-cli -i $home\Test\*.log `@encrypt.conf `@master-keys.conf ``` ------ **Next: **[Try the AWS Encryption CLI examples](crypto-cli-examples.md) # Examples of the AWS Encryption CLI Use the following examples to try the AWS Encryption CLI on the platform you prefer. For help with master keys and other parameters, see [How to use the AWS Encryption CLI](crypto-cli-how-to.md). For a quick reference, see [AWS Encryption SDK CLI syntax and parameter reference](crypto-cli-reference.md). **Note** The following examples use the syntax for AWS Encryption CLI version 2.1.*x*. New security features were originally released in AWS Encryption CLI versions 1.7.*x* and 2.0.*x*. However, AWS Encryption CLI version 1.8.*x* replaces version 1.7.*x* and AWS Encryption CLI 2.1.*x* replaces 2.0.*x*. For details, see the relevant [security advisory](https://github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-2xwp-m7mq-7q3r) in the [aws-encryption-sdk-cli](https://github.com/aws/aws-encryption-sdk-cli/) repository on GitHub. For an example showing how to use the security feature that limits encrypted data keys, see [Limiting encrypted data keys](configure.md#config-limit-keys). For an example showing how to use AWS KMS multi-Region keys, see [Using multi-Region AWS KMS keys](configure.md#config-mrks). **Topics** + [ ## Encrypting a file ](#cli-example-encrypt-file) + [ ## Decrypting a file ](#cli-example-decrypt-file) + [ ## Encrypting all files in a directory ](#cli-example-encrypt-directory) + [ ## Decrypting all files in a directory ](#cli-example-decrypt-directory) + [ ## Encrypting and decrypting on the command line ](#cli-example-stdin) + [ ## Using multiple master keys ](#cli-example-multimaster) + [ ## Encrypting and decrypting in scripts ](#cli-example-script) + [ ## Using data key caching ](#cli-example-caching) ## Encrypting a file This example uses the AWS Encryption CLI to encrypt the contents of the `hello.txt` file, which contains a "Hello World" string. When you run an encrypt command on a file, the AWS Encryption CLI gets the contents of the file, generates a unique [data key](concepts.md#DEK), encrypts the file contents under the data key, and then writes the [encrypted message](concepts.md#message) to a new file. The first command saves the key ARN of an AWS KMS key in the `$keyArn` variable. When encrypting with an AWS KMS key, you can identify it by using a key ID, key ARN, alias name, or alias ARN. For details about the key identifiers for an AWS KMS key, see [Key Identifiers](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide*. The second command encrypts the file contents. The command uses the `--encrypt` parameter to specify the operation and the `--input` parameter to indicate the file to encrypt. The [`--wrapping-keys` parameter](crypto-cli-how-to.md#crypto-cli-master-key), and its required **key** attribute, tell the command to use the AWS KMS key represented by the key ARN. The command uses the `--metadata-output` parameter to specify a text file for the metadata about the encryption operation. As a best practice, the command uses the `--encryption-context` parameter to specify an [encryption context](crypto-cli-how-to.md#crypto-cli-encryption-context). This command also uses the [`--commitment-policy` parameter](crypto-cli-reference.md#syntax-commitment-policy) to set the commitment policy explicitly. In version 1.8.*x*, this parameter is required when you use the `--wrapping-keys` parameter. Beginning in version 2.1.*x*, the `--commitment-policy` parameter is optional, but recommended. The value of the `--output` parameter, a dot (.), tells the command to write the output file to the current directory. ------ #### [ Bash ] ``` \\ To run this example, replace the fictitious key ARN with a valid value. $ keyArn=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab $ aws-encryption-cli --encrypt \ --input hello.txt \ --wrapping-keys key=$keyArn \ --metadata-output ~/metadata \ --encryption-context purpose=test \ --commitment-policy require-encrypt-require-decrypt \ --output . ``` ------ #### [ PowerShell ] ``` # To run this example, replace the fictitious key ARN with a valid value. PS C:\> $keyArn = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' PS C:\> aws-encryption-cli --encrypt ` --input Hello.txt ` --wrapping-keys key=$keyArn ` --metadata-output $home\Metadata.txt ` --commitment-policy require-encrypt-require-decrypt ` --encryption-context purpose=test ` --output . ``` ------ When the encrypt command succeeds, it does not return any output. To determine whether the command succeeded, check the Boolean value in the `$?` variable. When the command succeeds, the value of `$?` is `0` (Bash) or `True` (PowerShell). When the command fails, the value of `$?` is non-zero (Bash) or `False` (PowerShell). ------ #### [ Bash ] ``` $ echo $? 0 ``` ------ #### [ PowerShell ] ``` PS C:\> $? True ``` ------ You can also use a directory listing command to see that the encrypt command created a new file, `hello.txt.encrypted`. Because the encrypt command did not specify a file name for the output, the AWS Encryption CLI wrote the output to a file with the same name as the input file plus a `.encrypted` suffix. To use a different suffix, or suppress the suffix, use the `--suffix` parameter. The `hello.txt.encrypted` file contains an [encrypted message](concepts.md#message) that includes the ciphertext of the `hello.txt` file, an encrypted copy of the data key, and additional metadata, including the encryption context. ------ #### [ Bash ] ``` $ ls hello.txt hello.txt.encrypted ``` ------ #### [ PowerShell ] ``` PS C:\> dir Directory: C:\TestCLI Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/15/2017 5:57 PM 11 Hello.txt -a---- 9/17/2017 1:06 PM 585 Hello.txt.encrypted ``` ------ ## Decrypting a file This example uses the AWS Encryption CLI to decrypt the contents of the `Hello.txt.encrypted` file that was encrypted in the previous example. The decrypt command uses the `--decrypt` parameter to indicate the operation and `--input` parameter to identify the file to decrypt. The value of the `--output` parameter is a dot that represents the current directory. The `--wrapping-keys` parameter with a **key** attribute specifies the wrapping key used to decrypt the encrypted message. In decrypt commands with AWS KMS keys, the value of the key attribute must be a [key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN). The `--wrapping-keys` parameter is required in a decrypt command. If you are using AWS KMS keys, you can use the **key** attribute to specify AWS KMS keys for decrypting or the **discovery** attribute with a value of `true` (but not both). If you are using a custom master key provider, the **key** and **provider** attributes are required. The [`--commitment-policy` parameter](crypto-cli-reference.md#syntax-commitment-policy) is optional beginning in version 2.1.*x*, but it is recommended. Using it explicitly makes your intent clear, even if you specify the default value, `require-encrypt-require-decrypt`. The `--encryption-context` parameter is optional in the decrypt command, even when an [encryption context](crypto-cli-how-to.md#crypto-cli-encryption-context) is provided in the encrypt command. In this case, the decrypt command uses the same encryption context that was provided in the encrypt command. Before decrypting, the AWS Encryption CLI verifies that the encryption context in the encrypted message includes a `purpose=test` pair. If it does not, the decrypt command fails. The `--metadata-output` parameter specifies a file for metadata about the decryption operation. The value of the `--output` parameter, a dot (.), writes the output file to the current directory. As a best practice, use the `--max-encrypted-data-keys` parameter to avoid decrypting a malformed message with an excessive number of encrypted data keys. Specify the expected number of encrypted data keys (one for each wrapping key used in encryption) or a reasonable maximum (such as 5). For details, see [Limiting encrypted data keys](configure.md#config-limit-keys). The `--buffer` returns plaintext only after all input is processed, including verifying the digital signature if one is present. ------ #### [ Bash ] ``` \\ To run this example, replace the fictitious key ARN with a valid value. $ keyArn=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab $ aws-encryption-cli --decrypt \ --input hello.txt.encrypted \ --wrapping-keys key=$keyArn \ --commitment-policy require-encrypt-require-decrypt \ --encryption-context purpose=test \ --metadata-output ~/metadata \ --max-encrypted-data-keys 1 \ --buffer \ --output . ``` ------ #### [ PowerShell ] ``` \\ To run this example, replace the fictitious key ARN with a valid value. PS C:\> $keyArn = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' PS C:\> aws-encryption-cli --decrypt ` --input Hello.txt.encrypted ` --wrapping-keys key=$keyArn ` --commitment-policy require-encrypt-require-decrypt ` --encryption-context purpose=test ` --metadata-output $home\Metadata.txt ` --max-encrypted-data-keys 1 ` --buffer ` --output . ``` ------ When a decrypt command succeeds, it does not return any output. To determine whether the command succeeded, get the value of the `$?` variable. You can also use a directory listing command to see that the command created a new file with a `.decrypted` suffix. To see the plaintext content, use a command to get the file content, such as `cat` or [Get-Content](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-content). ------ #### [ Bash ] ``` $ ls hello.txt hello.txt.encrypted hello.txt.encrypted.decrypted $ cat hello.txt.encrypted.decrypted Hello World ``` ------ #### [ PowerShell ] ``` PS C:\> dir Directory: C:\TestCLI Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/17/2017 1:01 PM 11 Hello.txt -a---- 9/17/2017 1:06 PM 585 Hello.txt.encrypted -a---- 9/17/2017 1:08 PM 11 Hello.txt.encrypted.decrypted PS C:\> Get-Content Hello.txt.encrypted.decrypted Hello World ``` ------ ## Encrypting all files in a directory This example uses the AWS Encryption CLI to encrypt the contents of all of the files in a directory. When a command affects multiple files, the AWS Encryption CLI processes each file individually. It gets the file contents, gets a unique [data key](concepts.md#DEK) for the file from the master key, encrypts the file contents under the data key, and writes the results to a new file in the output directory. As a result, you can decrypt the output files independently. This listing of the `TestDir` directory shows the plaintext files that we want to encrypt. ------ #### [ Bash ] ``` $ ls testdir cool-new-thing.py hello.txt employees.csv ``` ------ #### [ PowerShell ] ``` PS C:\> dir C:\TestDir Directory: C:\TestDir Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/12/2017 3:11 PM 2139 cool-new-thing.py -a---- 9/15/2017 5:57 PM 11 Hello.txt -a---- 9/17/2017 1:44 PM 46 Employees.csv ``` ------ The first command saves the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) of an AWS KMS key in the `$keyArn` variable. The second command encrypts the content of files in the `TestDir` directory and writes the files of encrypted content to the `TestEnc` directory. If the `TestEnc` directory doesn't exist, the command fails. Because the input location is a directory, the `--recursive` parameter is required. The [`--wrapping-keys` parameter](crypto-cli-how-to.md#crypto-cli-master-key), and its required **key** attribute, specify the wrapping key to use. The encrypt command includes an [encryption context](crypto-cli-how-to.md#crypto-cli-encryption-context), `dept=IT`. When you specify an encryption context in a command that encrypts multiple files, the same encryption context is used for all of the files. The command also has a `--metadata-output` parameter to tell the AWS Encryption CLI where to write the metadata about the encryption operations. The AWS Encryption CLI writes one metadata record for each file that was encrypted. The [`--commitment-policy parameter`](crypto-cli-how-to.md#crypto-cli-commitment-policy) is optional beginning in version 2.1.*x*, but it is recommended. If the command or script fails because it cannot decrypt a ciphertext, the explicit commitment policy setting might help you to detect the problem quickly. When the command completes, the AWS Encryption CLI writes the encrypted files to the `TestEnc` directory, but it does not return any output. The final command lists the files in the `TestEnc` directory. There is one output file of encrypted content for each input file of plaintext content. Because the command did not specify an alternate suffix, the encrypt command appended `.encrypted` to each of the input file names. ------ #### [ Bash ] ``` # To run this example, replace the fictitious key ARN with a valid master key identifier. $ keyArn=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab $ aws-encryption-cli --encrypt \ --input testdir --recursive\ --wrapping-keys key=$keyArn \ --encryption-context dept=IT \ --commitment-policy require-encrypt-require-decrypt \ --metadata-output ~/metadata \ --output testenc $ ls testenc cool-new-thing.py.encrypted employees.csv.encrypted hello.txt.encrypted ``` ------ #### [ PowerShell ] ``` # To run this example, replace the fictitious key ARN with a valid master key identifier. PS C:\> $keyArn = arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab PS C:\> aws-encryption-cli --encrypt ` --input .\TestDir --recursive ` --wrapping-keys key=$keyArn ` --encryption-context dept=IT ` --commitment-policy require-encrypt-require-decrypt ` --metadata-output .\Metadata\Metadata.txt ` --output .\TestEnc PS C:\> dir .\TestEnc Directory: C:\TestEnc Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/17/2017 2:32 PM 2713 cool-new-thing.py.encrypted -a---- 9/17/2017 2:32 PM 620 Hello.txt.encrypted -a---- 9/17/2017 2:32 PM 585 Employees.csv.encrypted ``` ------ ## Decrypting all files in a directory This example decrypts all files in a directory. It starts with the files in the `TestEnc` directory that were encrypted in the previous example. ------ #### [ Bash ] ``` $ ls testenc cool-new-thing.py.encrypted hello.txt.encrypted employees.csv.encrypted ``` ------ #### [ PowerShell ] ``` PS C:\> dir C:\TestEnc Directory: C:\TestEnc Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/17/2017 2:32 PM 2713 cool-new-thing.py.encrypted -a---- 9/17/2017 2:32 PM 620 Hello.txt.encrypted -a---- 9/17/2017 2:32 PM 585 Employees.csv.encrypted ``` ------ This decrypt command decrypts all of the files in the TestEnc directory and writes the plaintext files to the TestDec directory. The `--wrapping-keys` parameter with a **key** attribute and a [key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) value tells the AWS Encryption CLI which AWS KMS keys to use to decrypt the files. The command uses the `--interactive` parameter to tell the AWS Encryption CLI to prompt you before overwriting a file with the same name. This command also uses the encryption context that was provided when the files were encrypted. When decrypting multiple files, the AWS Encryption CLI checks the encryption context of every file. If the encryption context check on any file fails, the AWS Encryption CLI rejects the file, writes a warning, records the failure in the metadata, and then continues checking the remaining files. If the AWS Encryption CLI fails to decrypt a file for any other reason, the entire decrypt command fails immediately. In this example, the encrypted messages in all of the input files contain the `dept=IT` encryption context element. However, if you were decrypting messages with different encryption contexts, you might still be able to verify part of the encryption context. For example, if some messages had an encryption context of `dept=finance` and others had `dept=IT`, you could verify that the encryption context always contains a `dept` name without specifying the value. If you wanted to be more specific, you could decrypt the files in separate commands. The decrypt command does not return any output, but you can use a directory listing command to see that it created new files with the `.decrypted` suffix. To see the plaintext content, use a command to get the file content. ------ #### [ Bash ] ``` # To run this example, replace the fictitious key ARN with a valid master key identifier. $ keyArn=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab $ aws-encryption-cli --decrypt \ --input testenc --recursive \ --wrapping-keys key=$keyArn \ --encryption-context dept=IT \ --commitment-policy require-encrypt-require-decrypt \ --metadata-output ~/metadata \ --max-encrypted-data-keys 1 \ --buffer \ --output testdec --interactive $ ls testdec cool-new-thing.py.encrypted.decrypted hello.txt.encrypted.decrypted employees.csv.encrypted.decrypted ``` ------ #### [ PowerShell ] ``` # To run this example, replace the fictitious key ARN with a valid master key identifier. PS C:\> $keyArn = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' PS C:\> aws-encryption-cli --decrypt ` --input C:\TestEnc --recursive ` --wrapping-keys key=$keyArn ` --encryption-context dept=IT ` --commitment-policy require-encrypt-require-decrypt ` --metadata-output $home\Metadata.txt ` --max-encrypted-data-keys 1 ` --buffer ` --output C:\TestDec --interactive PS C:\> dir .\TestDec Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 10/8/2017 4:57 PM 2139 cool-new-thing.py.encrypted.decrypted -a---- 10/8/2017 4:57 PM 46 Employees.csv.encrypted.decrypted -a---- 10/8/2017 4:57 PM 11 Hello.txt.encrypted.decrypted ``` ------ ## Encrypting and decrypting on the command line These examples show you how to pipe input to commands (stdin) and write output to the command line (stdout). They explain how to represent stdin and stdout in a command and how to use the built-in Base64 encoding tools to prevent the shell from misinterpreting non-ASCII characters. This example pipes a plaintext string to an encrypt command and saves the encrypted message in a variable. Then, it pipes the encrypted message in the variable to a decrypt command, which writes its output to the pipeline (stdout). The example consists of three commands: + The first command saves the [key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) of an AWS KMS key in the `$keyArn` variable. ------ #### [ Bash ] ``` $ keyArn=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab ``` ------ #### [ PowerShell ] ``` PS C:\> $keyArn = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' ``` ------   + The second command pipes the `Hello World` string to the encrypt command and saves the result in the `$encrypted` variable. The `--input` and `--output` parameters are required in all AWS Encryption CLI commands. To indicate that input is being piped to the command (stdin), use a hyphen (`-`) for the value of the `--input` parameter. To send the output to the command line (stdout), use a hyphen for the value of the `--output` parameter. The `--encode` parameter Base64-encodes the output before returning it. This prevents the shell from misinterpreting the non-ASCII characters in the encrypted message. Because this command is just a proof of concept, we omit the encryption context and suppress the metadata (`-S`). ------ #### [ Bash ] ``` $ encrypted=$(echo 'Hello World' | aws-encryption-cli --encrypt -S \ --input - --output - --encode \ --wrapping-keys key=$keyArn ) ``` ------ #### [ PowerShell ] ``` PS C:\> $encrypted = 'Hello World' | aws-encryption-cli --encrypt -S ` --input - --output - --encode ` --wrapping-keys key=$keyArn ``` ------   + The third command pipes the encrypted message in the `$encrypted` variable to the decrypt command. This decrypt command uses `--input -` to indicate that input is coming from the pipeline (stdin) and `--output -` to send the output to the pipeline (stdout). (The input parameter takes the location of the input, not the actual input bytes, so you cannot use the `$encrypted` variable as the value of the `--input` parameter.) This example uses the **discovery** attribute of the `--wrapping-keys` parameter to allow the AWS Encryption CLI to use any AWS KMS key to decrypt the data. It doesn't specify a [commitment policy](concepts.md#commitment-policy), so it uses the default value for version 2.1.*x* and later, `require-encrypt-require-decrypt`. Because the output was encrypted and then encoded, the decrypt command uses the `--decode` parameter to decode Base64-encoded input before decrypting it. You can also use the `--decode` parameter to decode Base64-encoded input before encrypting it. Again, the command omits the encryption context and suppresses the metadata (-`S`). ------ #### [ Bash ] ``` $ echo $encrypted | aws-encryption-cli --decrypt --wrapping-keys discovery=true --input - --output - --decode --buffer -S Hello World ``` ------ #### [ PowerShell ] ``` PS C:\> $encrypted | aws-encryption-cli --decrypt --wrapping-keys discovery=$true --input - --output - --decode --buffer -S Hello World ``` ------ You can also perform the encrypt and decrypt operations in a single command without the intervening variable. As in the previous example, the `--input` and `--output` parameters have a `-` value and the command uses the `--encode` parameter to encode the output and the `--decode` parameter to decode the input. ------ #### [ Bash ] ``` $ keyArn=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab $ echo 'Hello World' | aws-encryption-cli --encrypt --wrapping-keys key=$keyArn --input - --output - --encode -S | aws-encryption-cli --decrypt --wrapping-keys discovery=true --input - --output - --decode -S Hello World ``` ------ #### [ PowerShell ] ``` PS C:\> $keyArn = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' PS C:\> 'Hello World' | aws-encryption-cli --encrypt --wrapping-keys key=$keyArn --input - --output - --encode -S | aws-encryption-cli --decrypt --wrapping-keys discovery=$true --input - --output - --decode -S Hello World ``` ------ ## Using multiple master keys This example shows how to use multiple master keys when encrypting and decrypting data in the AWS Encryption CLI. When you use multiple master keys to encrypt data, any one of the master keys can be used to decrypt the data. This strategy assures that you can decrypt the data even if one of the master keys is unavailable. If you are storing the encrypted data in multiple AWS Regions, this strategy lets you use a master key in the same Region to decrypt the data. When you encrypt with multiple master keys, the first master key plays a special role. It generates the data key that is used to encrypt the data. The remaining master keys encrypt the plaintext data key. The resulting [encrypted message](concepts.md#message) includes the encrypted data and a collection of encrypted data keys, one for each master key. Although the first master key generated the data key, any of the master keys can decrypt one of the data keys, which can be used to decrypt the data. **Encrypting with three master keys** This example command uses three wrapping keys to encrypt the `Finance.log` file, one in each of three AWS Regions. It writes the encrypted message to the `Archive` directory. The command uses the `--suffix` parameter with no value to suppress the suffix, so the input and output files names will be the same. The command uses the `--wrapping-keys` parameter with three **key** attributes. You can also use multiple `--wrapping-keys` parameters in the same command. To encrypt the log file, the AWS Encryption CLI asks the first wrapping key in the list, `$key1`, to generate the data key that it uses to encrypt the data. Then, it uses each of the other wrapping keys to encrypt a plaintext copy of the same data key. The encrypted message in the output file includes all three of the encrypted data keys. ------ #### [ Bash ] ``` $ key1=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab $ key2=arn:aws:kms:us-east-2:111122223333:key/0987ab65-43cd-21ef-09ab-87654321cdef $ key3=arn:aws:kms:ap-southeast-1:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d $ aws-encryption-cli --encrypt --input /logs/finance.log \ --output /archive --suffix \ --encryption-context class=log \ --metadata-output ~/metadata \ --wrapping-keys key=$key1 key=$key2 key=$key3 ``` ------ #### [ PowerShell ] ``` PS C:\> $key1 = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' PS C:\> $key2 = 'arn:aws:kms:us-east-2:111122223333:key/0987ab65-43cd-21ef-09ab-87654321cdef' PS C:\> $key3 = 'arn:aws:kms:ap-southeast-1:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d' PS C:\> aws-encryption-cli --encrypt --input D:\Logs\Finance.log ` --output D:\Archive --suffix ` --encryption-context class=log ` --metadata-output $home\Metadata.txt ` --wrapping-keys key=$key1 key=$key2 key=$key3 ``` ------ This command decrypts the encrypted copy of the `Finance.log` file and writes it to a `Finance.log.clear` file in the `Finance` directory. To decrypt data encrypted under three AWS KMS keys, you can specify the same three AWS KMS keys or any subset of them. This example specifies only one of the AWS KMS keys. To tell the AWS Encryption CLI which AWS KMS keys to use to decrypt your data, use the **key** attribute of the `--wrapping-keys` parameter. When decrypting with AWS KMS keys, the value of the **key** attribute must be a [key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN). You must have permission to call the [Decrypt API](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) on the AWS KMS keys you specify. For more information, see [ Authentication and Access Control for AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html). As a best practice, this examples use the `--max-encrypted-data-keys` parameter to avoid decrypting a malformed message with an excessive number of encrypted data keys. Even though this example uses only one wrapping key for decryption, the encrypted message has three (3) encrypted data keys; one for each of the three wrapping keys used when encrypting. Specify the expected number of encrypted data keys or a reasonable maximum value, such as 5. If you specify a maximum value less than 3, the command fails. For details, see [Limiting encrypted data keys](configure.md#config-limit-keys). ------ #### [ Bash ] ``` $ aws-encryption-cli --decrypt --input /archive/finance.log \ --wrapping-keys key=$key1 \ --output /finance --suffix '.clear' \ --metadata-output ~/metadata \ --max-encrypted-data-keys 3 \ --buffer \ --encryption-context class=log ``` ------ #### [ PowerShell ] ``` PS C:\> aws-encryption-cli --decrypt ` --input D:\Archive\Finance.log ` --wrapping-keys key=$key1 ` --output D:\Finance --suffix '.clear' ` --metadata-output .\Metadata\Metadata.txt ` --max-encrypted-data-keys 3 ` --buffer ` --encryption-context class=log ``` ------ ## Encrypting and decrypting in scripts This example shows how to use the AWS Encryption CLI in scripts. You can write scripts that just encrypt and decrypt data, or scripts that encrypt or decrypt as part of a data management process. In this example, the script gets a collection of log files, compresses them, encrypts them, and then copies the encrypted files to an Amazon S3 bucket. This script processes each file separately, so that you can decrypt and expand them independently. When you compress and encrypt files, be sure to compress before you encrypt. Properly encrypted data is not compressible. **Warning** Be careful when compressing data that includes both secrets and data that might be controlled by a malicious actor. The final size of the compressed data might inadvertently reveal sensitive information about its contents. ------ #### [ Bash ] ``` # Continue running even if an operation fails. set +e dir=$1 encryptionContext=$2 s3bucket=$3 s3folder=$4 masterKeyProvider="aws-kms" metadataOutput="/tmp/metadata-$(date +%s)" compress(){ gzip -qf $1 } encrypt(){ # -e encrypt # -i input # -o output # --metadata-output unique file for metadata # -m masterKey read from environment variable # -c encryption context read from the second argument. # -v be verbose aws-encryption-cli -e -i ${1} -o $(dirname ${1}) --metadata-output ${metadataOutput} -m key="${masterKey}" provider="${masterKeyProvider}" -c "${encryptionContext}" -v } s3put (){ # copy file argument 1 to s3 location passed into the script. aws s3 cp ${1} ${s3bucket}/${s3folder} } # Validate all required arguments are present. if [ "${dir}" ] && [ "${encryptionContext}" ] && [ "${s3bucket}" ] && [ "${s3folder}" ] && [ "${masterKey}" ]; then # Is $dir a valid directory? test -d "${dir}" if [ $? -ne 0 ]; then echo "Input is not a directory; exiting" exit 1 fi # Iterate over all the files in the directory, except *gz and *encrypted (in case of a re-run). for f in $(find ${dir} -type f \( -name "*" ! -name \*.gz ! -name \*encrypted \) ); do echo "Working on $f" compress ${f} encrypt ${f}.gz rm -f ${f}.gz s3put ${f}.gz.encrypted done; else echo "Arguments: " echo " and ENV var \$masterKey must be set" exit 255 fi ``` ------ #### [ PowerShell ] ``` #Requires -Modules AWSPowerShell, Microsoft.PowerShell.Archive Param ( [Parameter(Mandatory)] [ValidateScript({Test-Path $_})] [String[]] $FilePath, [Parameter()] [Switch] $Recurse, [Parameter(Mandatory=$true)] [String] $wrappingKeyID, [Parameter()] [String] $masterKeyProvider = 'aws-kms', [Parameter(Mandatory)] [ValidateScript({Test-Path $_})] [String] $ZipDirectory, [Parameter(Mandatory)] [ValidateScript({Test-Path $_})] [String] $EncryptDirectory, [Parameter()] [String] $EncryptionContext, [Parameter(Mandatory)] [ValidateScript({Test-Path $_})] [String] $MetadataDirectory, [Parameter(Mandatory)] [ValidateScript({Test-S3Bucket -BucketName $_})] [String] $S3Bucket, [Parameter()] [String] $S3BucketFolder ) BEGIN {} PROCESS { if ($files = dir $FilePath -Recurse:$Recurse) { # Step 1: Compress foreach ($file in $files) { $fileName = $file.Name try { Microsoft.PowerShell.Archive\Compress-Archive -Path $file.FullName -DestinationPath $ZipDirectory\$filename.zip } catch { Write-Error "Zip failed on $file.FullName" } # Step 2: Encrypt if (-not (Test-Path "$ZipDirectory\$filename.zip")) { Write-Error "Cannot find zipped file: $ZipDirectory\$filename.zip" } else { # 2>&1 captures command output $err = (aws-encryption-cli -e -i "$ZipDirectory\$filename.zip" ` -o $EncryptDirectory ` -m key=$wrappingKeyID provider=$masterKeyProvider ` -c $EncryptionContext ` --metadata-output $MetadataDirectory ` -v) 2>&1 # Check error status if ($? -eq $false) { # Write the error $err } elseif (Test-Path "$EncryptDirectory\$fileName.zip.encrypted") { # Step 3: Write to S3 bucket if ($S3BucketFolder) { Write-S3Object -BucketName $S3Bucket -File "$EncryptDirectory\$fileName.zip.encrypted" -Key "$S3BucketFolder/$fileName.zip.encrypted" } else { Write-S3Object -BucketName $S3Bucket -File "$EncryptDirectory\$fileName.zip.encrypted" } } } } } } ``` ------ ## Using data key caching This example uses [data key caching](data-key-caching.md) in a command that encrypts a large number of files. By default, the AWS Encryption CLI (and other versions of the AWS Encryption SDK) generates a unique data key for each file that it encrypts. Although using a unique data key for each operation is a cryptographic best practice, limited reuse of data keys is acceptable for some situations. If you are considering data key caching, consult with a security engineer to understand the security requirements of your application and determine security thresholds that are right for you. In this example, data key caching speeds up the encryption operation by reducing the frequency of requests to the master key provider. The command in this example encrypts a large directory with multiple subdirectories that contain a total of approximately 800 small log files. The first command saves the ARN of the AWS KMS key in a `keyARN` variable. The second command encrypts all of the files in the input directory (recursively) and writes them to an archive directory. The command uses the `--suffix` parameter to specify the `.archive` suffix. The `--caching` parameter enables data key caching. The **capacity** attribute, which limits the number of data keys in the cache, is set to 1, because serial file processing never uses more than one data key at a time. The **max\$1age** attribute, which determines how long the cached data key can used, is set to 10 seconds. The optional **max\$1messages\$1encrypted** attribute is set to 10 messages, so a single data key is never used to encrypt more than 10 files. Limiting the number of files encrypted by each data key reduces the number of files that would be affected in the unlikely event that a data key was compromised. To run this command on log files that your operating system generates, you might need administrator permissions (`sudo` in Linux; **Run as Administrator** in Windows). ------ #### [ Bash ] ``` $ keyArn=arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab $ aws-encryption-cli --encrypt \ --input /var/log/httpd --recursive \ --output ~/archive --suffix .archive \ --wrapping-keys key=$keyArn \ --encryption-context class=log \ --suppress-metadata \ --caching capacity=1 max_age=10 max_messages_encrypted=10 ``` ------ #### [ PowerShell ] ``` PS C:\> $keyARN = 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab' PS C:\> aws-encryption-cli --encrypt ` --input C:\Windows\Logs --recursive ` --output $home\Archive --suffix '.archive' ` --wrapping-keys key=$keyARN ` --encryption-context class=log ` --suppress-metadata ` --caching capacity=1 max_age=10 max_messages_encrypted=10 ``` ------ To test the effect of data key caching, this example uses the [Measure-Command](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/measure-command) cmdlet in PowerShell. When you run this example without data key caching, it takes about 25 seconds to complete. This process generates a new data key for each file in the directory. ``` PS C:\> Measure-Command {aws-encryption-cli --encrypt ` --input C:\Windows\Logs --recursive ` --output $home\Archive --suffix '.archive' ` --wrapping-keys key=$keyARN ` --encryption-context class=log ` --suppress-metadata } Days : 0 Hours : 0 Minutes : 0 Seconds : 25 Milliseconds : 453 Ticks : 254531202 TotalDays : 0.000294596298611111 TotalHours : 0.00707031116666667 TotalMinutes : 0.42421867 TotalSeconds : 25.4531202 TotalMilliseconds : 25453.1202 ``` Data key caching makes the process quicker, even when you limit each data key to a maximum of 10 files. The command now takes less than 12 seconds to complete and reduces the number of calls to the master key provider to 1/10 of the original value. ``` PS C:\> Measure-Command {aws-encryption-cli --encrypt ` --input C:\Windows\Logs --recursive ` --output $home\Archive --suffix '.archive' ` --wrapping-keys key=$keyARN ` --encryption-context class=log ` --suppress-metadata ` --caching capacity=1 max_age=10 max_messages_encrypted=10} Days : 0 Hours : 0 Minutes : 0 Seconds : 11 Milliseconds : 813 Ticks : 118132640 TotalDays : 0.000136727592592593 TotalHours : 0.00328146222222222 TotalMinutes : 0.196887733333333 TotalSeconds : 11.813264 TotalMilliseconds : 11813.264 ``` If you eliminate the `max_messages_encrypted` restriction, all files are encrypted under the same data key. This change increases the risk of reusing data keys without making the process much faster. However, it reduces the number of calls to the master key provider to 1. ``` PS C:\> Measure-Command {aws-encryption-cli --encrypt ` --input C:\Windows\Logs --recursive ` --output $home\Archive --suffix '.archive' ` --wrapping-keys key=$keyARN ` --encryption-context class=log ` --suppress-metadata ` --caching capacity=1 max_age=10} Days : 0 Hours : 0 Minutes : 0 Seconds : 10 Milliseconds : 252 Ticks : 102523367 TotalDays : 0.000118661304398148 TotalHours : 0.00284787130555556 TotalMinutes : 0.170872278333333 TotalSeconds : 10.2523367 TotalMilliseconds : 10252.3367 ``` # AWS Encryption SDK CLI syntax and parameter reference This topic provides syntax diagrams and brief parameter descriptions to help you use the AWS Encryption SDK Command Line Interface (CLI). For help with wrapping keys and other parameters, see [How to use the AWS Encryption CLI](crypto-cli-how-to.md). For examples, see [Examples of the AWS Encryption CLI](crypto-cli-examples.md). For complete documentation, see [Read the Docs](https://aws-encryption-sdk-cli.readthedocs.io/en/latest/). **Topics** + [ ## AWS Encryption CLI syntax ](#crypto-cli-syntax) + [ ## AWS Encryption CLI command line parameters ](#crypto-cli-parameters) + [ ## Advanced parameters ](#cli-advanced-parameters) ## AWS Encryption CLI syntax These AWS Encryption CLI syntax diagrams show the syntax for each task that you perform with the AWS Encryption CLI. They represent recommended syntax in AWS Encryption CLI version 2.1.*x* and later. New security features were originally released in AWS Encryption CLI versions 1.7.*x* and 2.0.*x*. However, AWS Encryption CLI version 1.8.*x* replaces version 1.7.*x* and AWS Encryption CLI 2.1.*x* replaces 2.0.*x*. For details, see the relevant [security advisory](https://github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-2xwp-m7mq-7q3r) in the [aws-encryption-sdk-cli](https://github.com/aws/aws-encryption-sdk-cli/) repository on GitHub. **Note** Unless noted in the parameter description, each parameter or attribute can be used only once in each command. If you use an attribute that a parameter does not support, the AWS Encryption CLI ignores that unsupported attribute without a warning or error. **Get help** To get the full AWS Encryption CLI syntax with parameter descriptions, use `--help` or `-h`. ``` aws-encryption-cli (--help | -h) ``` **Get the version** To get the version number of your AWS Encryption CLI installation, use `--version`. Be sure to include the version when you ask questions, report problems, or share tips about using the AWS Encryption CLI. ``` aws-encryption-cli --version ``` **Encrypt data** The following syntax diagram shows the parameters that an **encrypt** command uses. ``` aws-encryption-cli --encrypt --input [--recursive] [--decode] --output [--interactive] [--no-overwrite] [--suffix []] [--encode] --wrapping-keys [--wrapping-keys] ... key= [key=] ... [provider=] [region=] [profile=] --metadata-output [--overwrite-metadata] | --suppress-metadata] [--commitment-policy ] [--encryption-context [ ...]] [--max-encrypted-data-keys ] [--algorithm ] [--caching ] [--frame-length ] [-v | -vv | -vvv | -vvvv] [--quiet] ``` **Decrypt data** The following syntax diagram shows the parameters that a **decrypt** command uses. In version 1.8.*x*, the `--wrapping-keys` parameter is optional when decrypting, but recommended. Beginning in version 2.1.*x*, the `--wrapping-keys` parameter is required when encrypting and decrypting. For AWS KMS keys, you can use the **key** attribute to specify wrapping keys (best practice) or set the **discovery** attribute to `true`, which doesn't limit the wrapping keys that the AWS Encryption CLI can use. ``` aws-encryption-cli --decrypt (or [--decrypt-unsigned]) --input [--recursive] [--decode] --output [--interactive] [--no-overwrite] [--suffix []] [--encode] --wrapping-keys [--wrapping-keys] ... [key=] [key=] ... [discovery={true|false}] [discovery-partition= discovery-account= [discovery-account=] ...] [provider=] [region=] [profile=] --metadata-output [--overwrite-metadata] | --suppress-metadata] [--commitment-policy ] [--encryption-context [ ...]] [--buffer] [--max-encrypted-data-keys ] [--caching ] [--max-length ] [-v | -vv | -vvv | -vvvv] [--quiet] ``` **Use configuration files** You can refer to configuration files that contain parameters and their values. This is equivalent to typing the parameters and values in the command. For an example, see [How to store parameters in a configuration file](crypto-cli-how-to.md#crypto-cli-config-file). ``` aws-encryption-cli @ # In a PowerShell console, use a backtick to escape the @. aws-encryption-cli `@ ``` ## AWS Encryption CLI command line parameters This list provides a basic description of the AWS Encryption CLI command parameters. For a complete description, see the [aws-encryption-sdk-cli documentation](http://aws-encryption-sdk-cli.readthedocs.io/en/latest/). **--encrypt (-e)** Encrypts the input data. Every command must have an `--encrypt`, or `--decrypt`, or `--decrypt-unsigned` parameter. **--decrypt (-d)** Decrypts the input data. Every command must have an `--encrypt`, `--decrypt`, or `--decrypt-unsigned` parameter. **--decrypt-unsigned [Introduced in versions 1.9.*x* and 2.2.*x*]** The `--decrypt-unsigned` parameter decrypts ciphertext and ensures that messages are unsigned before decryption. Use this parameter if you used the `--algorithm` parameter and selected an algorithm suite without digital signing to encrypt data. If the ciphertext is signed, decryption fails. You can use `--decrypt` or `--decrypt-unsigned` for decryption but not both. **--wrapping-keys (-w) [Introduced in version 1.8.*x*]** Specifies the [wrapping keys](concepts.md#master-key) (or *master keys*) used in encryption and decryption operations. You can use [multiple `--wrapping-keys` parameters](crypto-cli-how-to.md#cli-many-cmks) in each command. Beginning in version 2.1.*x*, the `--wrapping-keys` parameter is required in encrypt and decrypt commands. In version 1.8.*x*, encrypt commands require either a `--wrapping-keys` or `--master-keys` parameter. In version 1.8.*x* decrypt commands, a `--wrapping-keys` parameter is optional but recommended. When using a custom master key provider, encrypt and decrypt commands require **key** and **provider** attributes. When using AWS KMS keys, encrypt commands require a **key** attribute. Decrypt commands require a **key** attribute or a **discovery** attribute with a value of `true` (but not both). Using the **key** attribute when decrypting is an [AWS Encryption SDK best practice](best-practices.md). It is particularly important if you're decrypting batches of unfamiliar messages, such as those in an Amazon S3 bucket or an Amazon SQS queue. For an example showing how to use AWS KMS multi-Region keys as wrapping keys, see [Using multi-Region AWS KMS keys](configure.md#config-mrks). **Attributes**: The value of the `--wrapping-keys` parameter consists of the following attributes. The format is `attribute_name=value`. **key** Identifies the wrapping key used in the operation. The format is a **key**=ID pair. You can specify multiple **key** attributes in each `--wrapping-keys` parameter value. + **Encrypt commands**: All encrypt commands require the **key** attribute . When you use an AWS KMS key in an encrypt command, the value of the **key** attribute can be a key ID, key ARN, an alias name, or an alias ARN. For descriptions of the AWS KMS key identifiers, see [Key identifiers](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide*. + **Decrypt commands**: When decrypting with AWS KMS keys, the `--wrapping-keys` parameter requires a **key** attribute with a [key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN) value or a **discovery** attribute with a value of `true` (but not both). Using the **key** attribute is an [AWS Encryption SDK best practice](best-practices.md). When decrypting with a custom master key provider, the **key** attribute is required. **Note** To specify an AWS KMS wrapping key in a decrypt command, the value of the **key** attribute must be a key ARN. If you use a key ID, alias name, or alias ARN, the AWS Encryption CLI does not recognize the wrapping key. You can specify multiple **key** attributes in each `--wrapping-keys` parameter value. However, any **provider**, **region**, and **profile** attributes in a `--wrapping-keys` parameter apply to all wrapping keys in that parameter value. To specify wrapping keys with different attribute values, use multiple `--wrapping-keys` parameters in the command. **discovery** Allows the AWS Encryption CLI to use any AWS KMS key to decrypt the message. The **discovery** value can be `true` or `false`. The default value is `false`. The **discovery** attribute is valid only in decrypt commands and only when the master key provider is AWS KMS. When decrypting with AWS KMS keys, the `--wrapping-keys` parameter requires a **key** attribute or a **discovery** attribute with a value of `true` (but not both). If you use the **key** attribute, you can use a **discovery** attribute with a value of `false` to explicitly reject discovery. + `False` (default) — When the **discovery** attribute isn't specified or its value is `false`, the AWS Encryption CLI decrypts the message using only the AWS KMS keys specified by the **key** attribute of the `--wrapping-keys` parameter. If you don't specify a **key** attribute when discovery is `false`, the decrypt command fails. This value supports an AWS Encryption CLI [best practice](best-practices.md). + `True` — When the value of the **discovery** attribute is `true`, the AWS Encryption CLI gets the AWS KMS keys from metadata in the encrypted message, and uses those AWS KMS keys to decrypt the message. The **discovery** attribute with a value of `true` behaves like versions of the AWS Encryption CLI before version 1.8.*x* that didn't permit you to specify a wrapping key when decrypting. However, your intent to use any AWS KMS key is explicit. If you specify a **key** attribute when discovery is `true`, the decrypt command fails. The `true` value might cause the AWS Encryption CLI to use AWS KMS keys in different AWS accounts and Regions, or attempt to use AWS KMS keys that the user isn't authorized to use. When **discovery** is `true`, it's a best practice to use the **discovery-partition** and **discovery-account** attributes to limit the AWS KMS keys used to those in the AWS accounts you specify. **discovery-account** Limits the AWS KMS keys used for decrypting to those in the specified AWS account. The only valid value for this attribute is an [AWS account ID](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). This attribute is optional and valid only in decrypt commands with AWS KMS keys where the **discovery** attribute is set to `true` and the **discovery-partition** attribute is specified. Each **discovery-account** attribute takes just one AWS account ID, but you can specify multiple **discovery-account** attributes in the same `--wrapping-keys` parameter. All accounts specified in a given `--wrapping-keys` parameter must be in the specified AWS partition. **discovery-partition** Specifies the AWS partition for the accounts in the **discovery-account** attribute. Its value must be an AWS partition, such as `aws`, `aws-cn`, or `aws-gov-cloud`. For information, see [Amazon Resource Names](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax) in the *AWS General Reference*. This attribute is required when you use the **discovery-account** attribute. You can specify only one **discovery-partition** attribute in each `--wrapping keys` parameter. To specify AWS accounts in multiple partitions, use an additional `--wrapping-keys` parameter. **provider** Identifies the [master key provider](concepts.md#master-key-provider). The format is a **provider**=ID pair. The default value, **aws-kms**, represents AWS KMS. This attribute is required only when the master key provider is not AWS KMS. **region** Identifies the AWS Region of an AWS KMS key. This attribute is valid only for AWS KMS keys. It is used only when the **key** identifier does not specify a Region; otherwise, it is ignored. When it is used, it overrides the default Region in the AWS CLI named profile. **profile** Identifies an AWS CLI [named profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html). This attribute is valid only for AWS KMS keys. The Region in the profile is used only when the key identifier does not specify a Region and there is no **region** attribute in the command. **--input (-i)** Specifies the location of the data to encrypt or decrypt. This parameter is required. The value can be a path to a file or directory, or a file name pattern. If you are piping input to the command (stdin), use `-`. If the input does not exist, the command completes successfully without error or warning. **--recursive (-r, -R)** Performs the operation on files in the input directory and its subdirectories. This parameter is required when the value of `--input` is a directory. **--decode** Decodes Base64-encoded input. If you are decrypting a message that was encrypted and then encoded, you must decode the message before decrypting it. This parameter does that for you. For example, if you used the `--encode` parameter in an encrypt command, use the `--decode` parameter in the corresponding decrypt command. You can also use this parameter to decode Base64-encoded input before you encrypt it. **--output (-o)** Specifies a destination for the output. This parameter is required. The value can be a file name, an existing directory, or `-`, which writes output to the command line (stdout). If the specified output directory does not exist, the command fails. If the input contains subdirectories, the AWS Encryption CLI reproduces the subdirectories under the output directory that you specify. By default, the AWS Encryption CLI overwrites files with the same name. To change that behavior, use the `--interactive` or `--no-overwrite` parameters. To suppress the overwrite warning, use the `--quiet` parameter. If a command that would overwrite an output file fails, the output file is deleted. **--interactive** Prompts before overwriting the file. **--no-overwrite** Does not overwrite files. Instead, if the output file exists, the AWS Encryption CLI skips the corresponding input. **--suffix** Specifies a custom file name suffix for files that the AWS Encryption CLI creates. To indicate no suffix, use the parameter with no value (`--suffix`). By default, when the `--output` parameter does not specify a file name, the output file name has the same name as the input file name plus the suffix. The suffix for encrypt commands is `.encrypted`. The suffix for decrypt commands is `.decrypted`. **--encode** Applies Base64 (binary to text) encoding to the output. Encoding prevents the shell host program from misinterpreting non-ASCII characters in output text. Use this parameter when writing encrypted output to stdout (`--output -`), especially in a PowerShell console, even when you are piping the output to another command or saving it in a variable. **--metadata-output** Specifies a location for metadata about the cryptographic operations. Enter a path and file name. If the directory does not exist, the command fails. To write the metadata to the command line (stdout), use `-`. You cannot write command output (`--output`) and metadata output (`--metadata-output`) to stdout in the same command. Also, when the value of `--input` or `--output` is a directory (without file names), you cannot write the metadata output to the same directory or to any subdirectory of that directory. If you specify an existing file, by default, the AWS Encryption CLI appends new metadata records to any content in the file. This feature lets you create a single file that contains the metadata for all of your cryptographic operations. To overwrite the content in an existing file, use the `--overwrite-metadata` parameter. The AWS Encryption CLI returns a JSON-formatted metadata record for each encryption or decryption operation that the command performs. Each metadata record includes the full paths to the input and output file, the encryption context, the algorithm suite, and other valuable information that you can use to review the operation and verify that it meets your security standards. **--overwrite-metadata** Overwrites the content in the metadata output file. By default, the `--metadata-output` parameter appends metadata to any existing content in the file. **--suppress-metadata (-S)** Suppresses the metadata about the encryption or decryption operation. **--commitment-policy** Specifies the [commitment policy](concepts.md#commitment-policy) for encrypt and decrypt commands. The commitment policy determines whether your message is encrypted and decrypted with the [key commitment](concepts.md#key-commitment) security feature. The `--commitment-policy` parameter is introduced in version 1.8.*x*. It is valid in encrypt and decrypt commands. **In version 1.8.*x***, the AWS Encryption CLI uses the `forbid-encrypt-allow-decrypt` commitment policy for all encrypt and decrypt operations. When you use the `--wrapping-keys` parameter in an encrypt or decrypt command, a `--commitment-policy` parameter with the `forbid-encrypt-allow-decrypt` value is required. If you don't use the `--wrapping-keys` parameter, the `--commitment-policy` parameter is invalid. Setting a commitment policy explicitly prevents your commitment policy from changing automatically to `require-encrypt-require-decrypt` when you upgrade to version 2.1.*x* Beginning in **version 2.1.*x***, all commitment policy values are supported. The `--commitment-policy` parameter is optional and the default value is `require-encrypt-require-decrypt`. This parameter has the following values: + `forbid-encrypt-allow-decrypt` — Cannot encrypt with key commitment. It can decrypt ciphertexts encrypted with or without key commitment. In version 1.8.*x*, this is the only valid value. The AWS Encryption CLI uses the `forbid-encrypt-allow-decrypt` commitment policy for all encrypt and decrypt operations. + `require-encrypt-allow-decrypt` — Encrypts only with key commitment. Decrypts with and without key commitment. This value is introduced in version 2.1.*x*. + `require-encrypt-require-decrypt` (default) — Encrypts and decrypts only with key commitment. This value is introduced in version 2.1.*x*. It is the default value in versions 2.1.*x* and later. With this value, the AWS Encryption CLI will not decrypt any ciphertext that was encrypted with earlier versions of the AWS Encryption SDK. For detailed information about setting your commitment policy, see [Migrating your AWS Encryption SDK](migration.md). **--encryption-context (-c)** Specifies an [encryption context](crypto-cli-how-to.md#crypto-cli-encryption-context) for the operation. This parameter is not required, but it is recommended. + In an `--encrypt` command, enter one or more `name=value` pairs. Use spaces to separate the pairs. + In a `--decrypt` command, enter `name=value` pairs, `name` elements with no values, or both. If the `name` or `value` in a `name=value` pair includes spaces or special characters, enclose the entire pair in quotation marks. For example, `--encryption-context "department=software development"`. **--buffer (-b) [Introduced in versions 1.9.*x* and 2.2.*x*]** Returns plaintext only after all input is processed, including verifying the digital signature if one is present. **--max-encrypted-data-keys [Introduced in versions 1.9.*x* and 2.2.*x*]** Specifies the maximum number of encrypted data keys in an encrypted message. This parameter is optional. Valid values are 1 – 65,535. If you omit this parameter, the AWS Encryption CLI does not enforce any maximum. An encrypted message can hold up to 65,535 (2^16 - 1) encrypted data keys. You can use this parameter in encrypt commands to prevent a malformed message. You can use it in decrypt commands to detect malicious messages and avoid decrypting messages with numerous encrypted data keys that you can't decrypt. For details and an example, see [Limiting encrypted data keys](configure.md#config-limit-keys). **--help (-h)** Prints usage and syntax at the command line. **--version** Gets the version of the AWS Encryption CLI. **-v \$1 -vv \$1 -vvv \$1 -vvvv** Displays verbose information, warning, and debugging messages. The detail in the output increases with the number of `v`s in the parameter. The most detailed setting (`-vvvv`) returns debugging-level data from the AWS Encryption CLI and all of the components that it uses. **--quiet (-q)** Suppresses warning messages, such as the message that appears when you overwrite an output file. **--master-keys (-m) [Deprecated]** The --master-keys parameter is deprecated in 1.8.*x* and removed in version 2.1.*x*. Instead, use the [--wrapping-keys](#wrapping-keys) parameter. Specifies the [master keys](concepts.md#master-key) used in encryption and decryption operations. You can use multiple master keys parameters in each command. The `--master-keys` parameter is required in encrypt commands. It is required in decrypt commands only when you are using a custom (non-AWS KMS) master key provider. **Attributes**: The value of the `--master-keys` parameter consists of the following attributes. The format is `attribute_name=value`. **key** Identifies the [wrapping key](concepts.md#master-key) used in the operation. The format is a **key**=ID pair. The **key** attribute is required in all encrypt commands. When you use an AWS KMS key in an encrypt command, the value of the **key** attribute can be a key ID, key ARN, an alias name, or an alias ARN. For details about AWS KMS key identifiers, see [Key identifiers](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) in the *AWS Key Management Service Developer Guide*. The **key** attribute is required in decrypt commands when the master key provider is not AWS KMS. The **key** attribute is not permitted in commands that decrypt data that was encrypted under an AWS KMS key. You can specify multiple **key** attributes in each `--master-keys` parameter value. However, any **provider**, **region**, and **profile** attributes apply to all master keys in the parameter value. To specify master keys with different attribute values, use multiple `--master-keys` parameters in the command. **provider** Identifies the [master key provider](concepts.md#master-key-provider). The format is a **provider**=ID pair. The default value, **aws-kms**, represents AWS KMS. This attribute is required only when the master key provider is not AWS KMS. **region** Identifies the AWS Region of an AWS KMS key. This attribute is valid only for AWS KMS keys. It is used only when the **key** identifier does not specify a Region; otherwise, it is ignored. When it is used, it overrides the default Region in the AWS CLI named profile. **profile** Identifies an AWS CLI [named profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html). This attribute is valid only for AWS KMS keys. The Region in the profile is used only when the key identifier does not specify a Region and there is no **region** attribute in the command. ## Advanced parameters **--algorithm** Specifies an alternate [algorithm suite](concepts.md#crypto-algorithm). This parameter is optional and valid only in encrypt commands. If you omit this parameter, the AWS Encryption CLI uses one of the default algorithm suites for the AWS Encryption SDK introduced in version 1.8.*x*. Both default algorithms use AES-GCM with an [HKDF](https://en.wikipedia.org/wiki/HKDF), an ECDSA signature, and a 256-bit encryption key. One uses key commitment; one does not. The choice of default algorithm suite is determined by the [commitment policy](concepts.md#commitment-policy) for the command. The default algorithm suites are recommended for most encryption operations. For a list of valid values, see the values for the `algorithm` parameter in [Read the Docs](https://aws-encryption-sdk-cli.readthedocs.io/en/latest/index.html#execution). **--frame-length** Creates output with specified frame length. This parameter is optional and valid only in encrypt commands. Enter a value in bytes. Valid values are 0 and 1 – 2^31 - 1. A value of 0 indicates nonframed data. The default is 4096 (bytes). Whenever possible, use framed data. The AWS Encryption SDK supports nonframed data only for legacy use. Some language implementations of the AWS Encryption SDK can still generate nonframed ciphertext. All supported language implementations can decrypt framed and nonframed ciphertext. **--max-length** Indicates the maximum frame size (or maximum content length for nonframed messages) in bytes to read from encrypted messages. This parameter is optional and valid only in decrypt commands. It is designed to protect you from decrypting extremely large malicious ciphertext. Enter a value in bytes. If you omit this parameter, the AWS Encryption SDK does not limit the frame size when decrypting. **--caching** Enables the [data key caching](data-key-caching.md) feature, which reuses data keys, instead of generating a new data key for each input file. This parameter supports an advanced scenario. Be sure to read the [Data Key Caching](data-key-caching.md) documentation before using this feature. The `--caching` parameter has the following attributes. **capacity (required)** Determines the maximum number of entries in the cache. The minimum value is 1. There is no maximum value. **max\$1age (required)** Determine how long cache entries are used, in seconds, beginning when they are added to the cache. Enter a value greater than 0. There is no maximum value. **max\$1messages\$1encrypted (optional)** Determines the maximum number of messages that a cached entry can encrypt. Valid values are 1 – 2^32. The default value is 2^32 (messages). **max\$1bytes\$1encrypted (optional)** Determines the maximum number of bytes that a cached entry can encrypt. Valid values are 0 and 1 – 2^63 - 1. The default value is 2^63 - 1 (messages). A value of 0 lets you use data key caching only when you are encrypting empty message strings. # Versions of the AWS Encryption CLI We recommend that you use the latest version of the AWS Encryption CLI. **Note** Versions of the AWS Encryption CLI earlier than 4.0.0 are in the [end-of-support phase](https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html#version-life-cycle). You can safely update from version 2.1.*x* and later to the latest version of the AWS Encryption CLI without any code or data changes. However, [ new security features](about-versions.md#version-2) introduced in version 2.1.*x* are not backward-compatible. To update from version 1.7.*x* or earlier, you must first update to the latest 1.*x* version of the AWS Encryption CLI. For details, see [Migrating your AWS Encryption SDK](migration.md). New security features were originally released in AWS Encryption CLI versions 1.7.*x* and 2.0.*x*. However, AWS Encryption CLI version 1.8.*x* replaces version 1.7.*x* and AWS Encryption CLI 2.1.*x* replaces 2.0.*x*. For details, see the relevant [security advisory](https://github.com/aws/aws-encryption-sdk-cli/security/advisories/GHSA-2xwp-m7mq-7q3r) in the [aws-encryption-sdk-cli](https://github.com/aws/aws-encryption-sdk-cli/) repository on GitHub. For information about significant versions of the AWS Encryption SDK, see [Versions of the AWS Encryption SDK](about-versions.md). **Which version do I use?** If you're new to the AWS Encryption CLI, use the latest version. To decrypt data encrypted by a version of the AWS Encryption SDK earlier than version 1.7.*x*, migrate first to the latest version of the AWS Encryption CLI. Make [all recommended changes](migration-guide.md) before updating to version 2.1.*x* or later. For details, see [Migrating your AWS Encryption SDK](migration.md). **Learn more** + For detailed information about the changes and guidance for migrating to these new versions, see [Migrating your AWS Encryption SDK](migration.md). + For descriptions of the new AWS Encryption CLI parameters and attributes, see [AWS Encryption SDK CLI syntax and parameter reference](crypto-cli-reference.md). The following lists describe the change to the AWS Encryption CLI in versions 1.8.*x* and 2.1.*x*. ## Version 1.8.*x* changes to the AWS Encryption CLI + Deprecates the `--master-keys` parameter. Instead, use the `--wrapping-keys` parameter. + Adds the `--wrapping-keys` (`-w`) parameter. It supports all attributes of the `--master-keys` parameter. It also adds the following optional attributes, which are valid only when decrypting with AWS KMS keys. + **discovery** + **discovery-partition** + **discovery-account** For custom master key providers, `--encrypt` and -`-decrypt` commands require either a `--wrapping-keys` parameter or a `--master-keys` parameter (but not both). Also, an `--encrypt` command with AWS KMS keys requires either a `--wrapping-keys` parameter or a `--master-keys` parameter (but not both). In a `--decrypt` command with AWS KMS keys, the `--wrapping-keys` parameter is optional, but recommended, because it is required in version 2.1.*x*. If you use it, you must specify either the **key** attribute or the **discovery** attribute with a value of `true` (but not both). + Adds the `--commitment-policy` parameter. The only valid value is `forbid-encrypt-allow-decrypt`. The `forbid-encrypt-allow-decrypt` commitment policy is used in all encrypt and decrypt commands. In version 1.8.*x*, when you use the `--wrapping-keys` parameter, a `--commitment-policy` parameter with the `forbid-encrypt-allow-decrypt` value is required. Setting the value explicitly prevents your [commitment policy](concepts.md#commitment-policy) from changing automatically to `require-encrypt-require-decrypt` when you upgrade to version 2.1.*x*. ## Version 2.1.*x* changes to the AWS Encryption CLI + Removes the `--master-keys` parameter. Instead, use the `--wrapping-keys` parameter. + The `--wrapping-keys` parameter is required in all encrypt and decrypt commands. You must specify either a **key** attribute or a **discovery** attribute with a value of `true` (but not both). + The `--commitment-policy` parameter supports the following values. For details, see [Setting your commitment policy](migrate-commitment-policy.md). + `forbid-encrypt-allow-decrypt` + `require-encrypt-allow-decrypt` + `require-encrypt-require decrypt` (Default) + The `--commitment-policy` parameter is optional in version 2.1.*x*. The default value is `require-encrypt-require-decrypt`. ## Version 1.9.*x* and 2.2.*x* changes to the AWS Encryption CLI + Adds the `--decrypt-unsigned` parameter. For details, see [Version 2.2.*x*](about-versions.md#version2.2.x). + Adds the `--buffer` parameter. For details, see [Version 2.2.*x*](about-versions.md#version2.2.x). + Adds the `--max-encrypted-data-keys` parameter. For details, see [Limiting encrypted data keys](configure.md#config-limit-keys). ## Version 3.0.*x* changes to the AWS Encryption CLI + Adds support for AWS KMS multi-Region keys. For details, see [Using multi-Region AWS KMS keys](configure.md#config-mrks).