
AWS Encryption SDK for Java compatibility between versions


We're using the AWS Encryption SDK to encrypt and decrypt text in a Java application. Until now, both the encrypting component and the decrypting component used SDK v1.6.1. After a major version upgrade on the decrypting component, encryption is done with SDK v1.6.1 but decryption is done with SDK v2.4.0.

The decryption is now broken with the following exception:

Caused by: com.amazonaws.encryptionsdk.exception.CannotUnwrapDataKeyException: Unable to decrypt any data keys

The first thing that comes to my mind is that text encrypted with v1.6.1 can't be decrypted by v2.4.0, but I haven't been able to find any documentation clearly stating this.

Any help is appreciated. Thank you.


Solution

  • The encryption SDK v1.6.1 accepts multi-region keys in KmsMasterKeyProvider for encryption and decryption. Starting with v1.7.0, the multi-region keys are not supported by default in the KmsMasterKeyProvider implementation. The solution is to replace KmsMasterKeyProvider with AwsKmsMrkAwareMasterKeyProvider, the class dedicated to multi-region keys.
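
The provider swap described in the answer, sketched for the decrypting component on SDK v2.4.0 (an added example, not code from the original post). The key ARN is a placeholder, the class name `MrkAwareDecrypt` is hypothetical, and the commitment policy shown assumes the ciphertext still comes from v1.6.1, which predates key commitment.

```java
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CommitmentPolicy;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.kms.AwsKmsMrkAwareMasterKey;
import com.amazonaws.encryptionsdk.kms.AwsKmsMrkAwareMasterKeyProvider;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class MrkAwareDecrypt {

    // Placeholder ARN (assumption): use the ARN of the multi-Region key
    // (or its replica) that the decrypting component is allowed to call.
    private static final String KEY_ARN =
            "arn:aws:kms:<region>:<account-id>:key/mrk-<key-id>";

    public static byte[] decrypt(byte[] ciphertext) {
        // Messages written by v1.6.1 carry no key commitment. The v2.x default
        // policy (RequireEncryptRequireDecrypt) refuses them, so decryption of
        // legacy ciphertext has to be allowed explicitly.
        AwsCrypto crypto = AwsCrypto.builder()
                .withCommitmentPolicy(CommitmentPolicy.RequireEncryptAllowDecrypt)
                .build();

        // Before: KmsMasterKeyProvider.builder().buildStrict(KEY_ARN)
        // After:  the MRK-aware provider, which treats related multi-Region
        //         keys as the same key when matching encrypted data keys.
        // Strict mode keeps the set of usable keys limited to KEY_ARN.
        AwsKmsMrkAwareMasterKeyProvider provider =
                AwsKmsMrkAwareMasterKeyProvider.builder().buildStrict(KEY_ARN);

        CryptoResult<byte[], AwsKmsMrkAwareMasterKey> result =
                crypto.decryptData(provider, ciphertext);
        return result.getResult();
    }

    public static void main(String[] args) {
        // Expects the Base64-encoded ciphertext as the first argument and
        // AWS credentials with kms:Decrypt on KEY_ARN in the environment.
        byte[] ciphertext = Base64.getDecoder().decode(args[0]);
        System.out.println(new String(decrypt(ciphertext), StandardCharsets.UTF_8));
    }
}
```

Once the encrypting component is also on v2.x, the policy can be tightened to `CommitmentPolicy.RequireEncryptRequireDecrypt` so that uncommitted messages are rejected.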