channingdata commented on issue #43426:
URL: https://github.com/apache/arrow/issues/43426#issuecomment-2259816283
i got encryption to work by modiying the kms client. now im having problem
with the decryption. im having the following error:
`botocore.errorfactory.InvalidCiphertextException: An error occurred
(InvalidCiphertextException) when calling the Decrypt operation: `
Possible reason:
it's just weird that im having that the wrapped key is having length of 3
when reading the encrypted file but should have 16 based on the encryption logs
aws_kms_client.py
`import logging
import base64
import boto3
import pyarrow.parquet.encryption as pe
import random
# Configure logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
class AwsKmsClient(pe.KmsClient):
def __init__(self, kms_client, key_arn_map):
super().__init__()
self.kms_client = kms_client
self.key_arn_map = key_arn_map
def wrap_key(self, key_bytes, master_key_identifier):
key_arn = self.key_arn_map.get(master_key_identifier,
master_key_identifier)
logger.info(f"Wrapping key. Master key identifier:
{master_key_identifier}")
logger.info(f"Key bytes length: {len(key_bytes)}")
logger.info(f"Key bytes to wrap: {key_bytes!r}")
key_arn = self.key_arn_map.get(master_key_identifier,
master_key_identifier)
logger.info(f"Using KMS key ARN: {key_arn}")
try:
response = self.kms_client.encrypt(
KeyId=key_arn,
Plaintext=key_bytes
)
ciphertext_blob = response['CiphertextBlob']
logger.info(f"Ciphertext blob: {ciphertext_blob}")
logger.info(f"Ciphertext blob type: {type(ciphertext_blob)}")
return ciphertext_blob
except Exception as e:
logger.error(f"Error wrapping key: {e}")
raise
def unwrap_key(self, wrapped_key, master_key_identifier):
key_arn = self.key_arn_map.get(master_key_identifier,
master_key_identifier)
logger.info(f"Unwrapping key. Master key identifier:
{master_key_identifier}")
logger.info(f"Initial wrapped key: {wrapped_key!r}") # Use !r to
see raw string representation
logger.info(f"Initial wrapped key type: {type(wrapped_key)}")
logger.info(f"Initial wrapped key length: {len(wrapped_key) if
wrapped_key else 0}")
if not wrapped_key:
logger.error("Wrapped key is empty. Skipping decryption.")
return b''
if isinstance(wrapped_key, str):
wrapped_key = wrapped_key.encode('utf-8')
logger.info(f"Final wrapped key: {wrapped_key!r}")
logger.info(f"Final wrapped key type: {type(wrapped_key)}")
logger.info(f"Final wrapped key length: {len(wrapped_key)}")
try:
response = self.kms_client.decrypt(
KeyId=key_arn,
CiphertextBlob=wrapped_key
)
plaintext = response['Plaintext']
logger.info(f"Plaintext key: {plaintext}")
return plaintext
except Exception as e:
logger.error(f"Error unwrapping key: {e}")
raise
def kms_factory(kms_connection_configuration, key_arn_map):
session = boto3.Session(
profile_name='some-profile', # Replace with your AWS profile
region_name='ap-southeast-1' # Replace with your AWS region
)
kms_client = session.client('kms')
return AwsKmsClient(kms_client, key_arn_map)
`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
