
When a Windows instance is created in AWS, its password is encrypted using the public part of an SSH key.

It's then possible to use the following command to retrieve the encrypted password:

 aws ec2 get-password-data --instance-id=i-0a5102eb55ed6e0b9

(See https://docs.aws.amazon.com/cli/latest/reference/ec2/get-password-data.html#examples)

The command returns the following data:

{
    "InstanceId": "i-0a5102eb55ed6e0b9",
    "Timestamp": "2019-11-04T12:21:30.000Z",
    "PasswordData": "\r\nbase64_data==\r\n"
}

The encrypted password data is base64 encoded, but it's possible to decrypt the "PasswordData" field if you have the private part of the SSH key:

# rsautl still works but is deprecated in OpenSSL 3; "openssl pkeyutl -decrypt -inkey <key>" is the replacement
echo "base64_data" | base64 --decode | openssl rsautl -decrypt -inkey "./path_to_private_ssh_key"

(See Github repo example at https://github.com/tomrittervg/decrypt-windows-ec2-passwd/blob/master/decrypt-windows-ec2-passwd.sh)

This works fine, however, I use a Nitrokey Professional to store my private key and I can't see a way to tell the openssl command to use the GPG card to decrypt the data. I'd like to keep private keys off my disk if possible.

For reference, to get the public key into AWS, I exported the public key in the correct SSH format for AWS using the gpg --export-ssh-key nameofuser@example.com command.

Is there a way to decrypt the data using the card?

a-h

1 Answer


On Linux, I've not found a GPG-based equivalent, but you can use the PKCS#11 interface to accomplish this. I have a similar setup using a Yubikey and documented the process, but the tl;dr is:

  1. Load the key into the PKCS#11 area of your key. In Yubikey that's the PIV, for Nitrokey you'd want to make sure you have hardware that supports PKCS#11. On a Yubikey, you cannot use on-device key generation, so you'd want to use an airgapped machine to generate the key, then load the key as appropriate.
  2. Use pkcs11-tool to perform the decryption. On Linux I generally have to remove/reinsert my device, otherwise pkcs11-tool loses to the lock gpg-agent puts on my card after I've used it once.

The relevant commands to decrypt look like the following:

aws ec2 get-password-data --instance-id <blah> --query PasswordData --output text | base64 -d > encrypted-adminpass.bin
pkcs11-tool --decrypt -v -l --input-file encrypted-adminpass.bin -m RSA-PKCS
Emil Lerch
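The pipeline described in the question (PasswordData → strip the "\r\n" framing → base64 decode → RSA PKCS#1 v1.5 decrypt) and the PKCS#11 variant in the answer share the same first two steps, so the following added example covers both. It is not code from the question, the answer, or AWS: the function names, the constructed PasswordData value built by the self-test, the default module path for pkcs11-tool, and the use of a key id to select the token key are this example's own assumptions. The self-test generates a throwaway RSA key and encrypts a made-up password the way the EC2 API does (PKCS#1 v1.5), so it runs offline; the PKCS#11 function is only exercised when a token and pkcs11-tool are present.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or answer.
# Decrypts an EC2 Windows administrator password either with an on-disk
# RSA key (openssl) or with a PKCS#11 token (pkcs11-tool).
set -eu

# The API returns PasswordData as base64 wrapped in "\r\n". GNU base64 -d
# rejects the carriage returns, so strip every CR/LF before decoding.
passworddata_to_bin() {            # usage: passworddata_to_bin "$data" > enc.bin
    printf '%s' "$1" | tr -d '\r\n' | base64 -d
}

# Software key on disk. EC2 uses PKCS#1 v1.5 padding, so request it
# explicitly. pkeyutl replaces the deprecated rsautl in OpenSSL 3.
decrypt_with_openssl() {           # usage: decrypt_with_openssl key.pem < enc.bin
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:pkcs1
}

# Hardware key: the token performs the RSA-PKCS decryption, the private key
# never touches disk. The module path (assumption, override with
# PKCS11_MODULE) and the key id (list with `pkcs11-tool --module ... -O`)
# select the key; --login prompts for the user PIN.
decrypt_with_pkcs11() {            # usage: decrypt_with_pkcs11 <key-id-hex> < enc.bin
    pkcs11-tool --module "${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}" \
        --login --decrypt -m RSA-PKCS --id "$1"
}

# Offline self-test: generate a throwaway key, build a PasswordData value
# framed the way the API returns it, and check the full round trip.
selftest() {
    local dir pw enc out
    dir=$(mktemp -d)
    pw='Constructed-Admin-Pa55word!'   # constructed sample, not a real password
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    openssl pkey -in "$dir/key.pem" -pubout -out "$dir/key.pub" 2>/dev/null
    # What the EC2 service does with the key pair's public half.
    enc=$(printf '%s' "$pw" \
        | openssl pkeyutl -encrypt -pubin -inkey "$dir/key.pub" \
              -pkeyopt rsa_padding_mode:pkcs1 \
        | base64 -w0)
    # Mimic the "\r\nbase64==\r\n" framing of the PasswordData field.
    out=$(passworddata_to_bin "$(printf '\r\n%s\r\n' "$enc")" \
        | decrypt_with_openssl "$dir/key.pem")
    rm -rf "$dir"
    printf '%s' "$out"
}
```

Against a real instance, replace the self-test with `passworddata_to_bin "$(aws ec2 get-password-data --instance-id <id> --query PasswordData --output text)" > enc.bin` and then pipe `enc.bin` into whichever decrypt function matches where the key lives. Decrypting on the token means the password is the only secret that ever leaves the card.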