I was playing with AWS KMS CLI and to some encryption and decryption. It took me a little while to get a reciprocal command pair to work. As a starter, here is what it looks like
$ aws kms encrypt --region eu-west-1 --key-id f627d4c3-926a-4188-8dc8-64114bd7d7ae --plaintext HiIAmPlaintext --output text --query CiphertextBlob | base64 --decode > ciphertext.txt
$ aws kms decrypt --region eu-west-1 --ciphertext-blob fileb://ciphertext.txt --output text --query Plaintext | base64 --decode<br> HiIAmPlaintext
By following the AWS manual it is not difficult to make sense of these commands, but noticing that there are Base64 decoding happening both in the encryption and decryption direction, it is a little odd.
The raw output of encrypt is in Base64, which is quite understandable and reasonable, as we often hope to copy-and-paste the result or transmit it over HTTP. But, why do we need to provide input in binary when doing decrypt? That causes the hassle of converting the encryption result into binary for later decryption use.