{"id":23308,"library":"aws-encryption-sdk-cli","title":"AWS Encryption SDK CLI","description":"Command line tool for encrypting and decrypting files and directories using the AWS Encryption SDK. Current version: 4.3.0. Release cadence: irregular, major versions follow AWS Encryption SDK updates.","status":"active","version":"4.3.0","language":"python","source_language":"en","source_url":"https://github.com/aws/aws-encryption-sdk-cli","tags":["encryption","aws","cli","security","kms"],"install":[{"cmd":"pip install aws-encryption-sdk-cli","lang":"bash","label":"Install from PyPI"}],"dependencies":[{"reason":"Core dependency, provides the encryption/decryption operations","package":"aws-encryption-sdk","optional":false},{"reason":"Required for AWS KMS integration and credential resolution","package":"boto3","optional":false}],"imports":[{"note":"The CLI does not expose a Python API for direct import; use subprocess or the provided entry points.","wrong":"from aws_encryption_sdk_cli import encrypt","symbol":"encrypt_file","correct":"from aws_encryption_sdk_cli import encrypt_file"}],"quickstart":{"code":"# Encrypt a file with a KMS key\n# Replace KEY_ARN and INPUT_FILE with your values\naws-encryption-sdk-cli encrypt --input /path/to/plaintext --output /path/to/ciphertext --master-keys key=arn:aws:kms:us-east-1:123456789012:key/abc123\n\n# Decrypt the file\naws-encryption-sdk-cli decrypt --input /path/to/ciphertext --output /path/to/plaintext\n","lang":"bash","description":"Basic encrypt/decrypt commands using AWS KMS. Requires AWS credentials configured."},"warnings":[{"fix":"Use aws-encryption-sdk-cli v3.x for backward compatibility, or re-encrypt data using new CLI.","message":"Version 4.0.0+ changed the CLI interface: removed --encode and --decode flags; encryption format changed to AWS Encryption SDK 2.0+ (message format v2). Existing encrypted data from v1.x SDK will not be decryptable unless migration steps are taken.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Replace --master-keys with --wrapping-keys in commands.","message":"The --master-keys flag is deprecated in favor of --wrapping-keys in v4.x. Old flag still works but may be removed.","severity":"deprecated","affected_versions":">=4.0.0"},{"fix":"Ensure output directory exists and use a unique filename to avoid accidental overwrites.","message":"The CLI tool requires write permissions to the output directory. If output file exists, it will be overwritten without warning.","severity":"gotcha","affected_versions":"all"},{"fix":"For large files, use streaming options or split files before encryption.","message":"When using --input and --output for directories, the CLI encrypts/decrypts each file individually and preserves directory structure. However, files larger than available memory may fail because the SDK buffers entire files.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-05-01T00:00:00.000Z","next_check":"2026-07-30T00:00:00.000Z","problems":[{"fix":"Use correct format: --master-keys key=arn:aws:kms:... (no space around '=')","cause":"Missing colon or incorrect format in --master-keys key=value pair. For example, 'key=arn:...' without quotes or using space instead of '='.","error":"aws-encryption-sdk-cli: error: argument --master-keys: expected one argument"},{"fix":"Create the output directory and verify write permissions: mkdir -p /output/dir","cause":"Output directory does not exist or the process lacks write permissions.","error":"ERROR: Unable to write to output file..."},{"fix":"Use decrypt subcommand without --decode. E.g., 'aws-encryption-sdk-cli decrypt --input ...'","cause":"Using old CLI flags from v1.x or v2.x. The --decode flag was removed in v4.0.0.","error":"aws-encryption-sdk-cli: error: unrecognized arguments: --decode"},{"fix":"Configure AWS credentials via environment variables, ~/.aws/credentials, or IAM role.","cause":"AWS credentials not configured. CLI requires valid AWS credentials for KMS operations.","error":"botocore.exceptions.NoCredentialsError: Unable to locate credentials"}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}