@Slakah
Last active January 4, 2020 20:40
Encrypt plaintext using a KMS-encrypted data key (envelope encryption); the inverse, decryption, is also supported.
# This guide outlines how to:
# 1. Generate an AWS KMS data key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys).
# 2. Encrypt a secret using the generated data key.
# 3. Decrypt the encrypted secret.

# generate a kms data key; only the ciphertext of the key is returned, the plaintext key never leaves kms
# (base64 --decode works with both macOS/BSD and GNU coreutils; the macOS-only spelling is -D)
aws kms generate-data-key-without-plaintext \
--key-id <key-id> \
--key-spec AES_256 \
--output text --query CiphertextBlob | base64 --decode > ./key.enc
# encrypt a secret using the generated key ciphertext, and enter your secret when prompted
./kms-encrypt.sh key.enc > secret
# decrypt the secret (quoted so a payload containing shell metacharacters is passed intact)
./kms-decrypt.sh "$(cat secret)"
#!/bin/bash
set -ue -o pipefail
# kms-decrypt.sh
# Decrypt the supplied secret, by first decrypting the data key ciphertext using kms, then decrypting the secret ciphertext.
#
# Usage:
# ./kms-decrypt.sh <encrypted-secret>
#
# Note: this requires aws credentials with kms:Decrypt on the key used to encrypt the data key.
# Note: the payload is AES-256-CBC with no integrity check, so a modified payload decrypts
# without error; only feed this script payloads from a location nobody else can write to.
readonly payload="$1"
# extract key, iv and ciphertext from the supplied payload (<key-ciphertext-base64>.<iv-base64>.<ciphertext-base64>)
readonly keyCiphertextB64=$(printf '%s' "$payload" | cut -d "." -f1)
readonly ivB64=$(printf '%s' "$payload" | cut -d "." -f2)
readonly ciphertextB64=$(printf '%s' "$payload" | cut -d "." -f3)
readonly keyCiphertextFile=$(mktemp)
# remove the temp file holding the key ciphertext even if a later step fails
trap 'rm -f "$keyCiphertextFile"' EXIT
printf '%s' "$keyCiphertextB64" | base64 --decode > "$keyCiphertextFile"
readonly toHex='xxd -p'
# kms returns the plaintext data key base64 encoded; openssl wants it as hex.
# Assign first and mark readonly afterwards: `readonly key=$(...)` would hide a failed
# aws call from `set -e` and openssl would run with an empty key.
key=$(aws kms decrypt --ciphertext-blob "fileb://$keyCiphertextFile" --output text --query Plaintext | base64 --decode | $toHex | tr -d "[:space:]")
readonly key
iv=$(printf '%s' "$ivB64" | base64 --decode | $toHex | tr -d "[:space:]")
readonly iv
printf '%s' "$ciphertextB64" | base64 --decode | openssl enc -d -aes-256-cbc -K "$key" -iv "$iv"
#!/bin/bash
set -ue -o pipefail
# kms-encrypt.sh
# Encrypt the supplied secret, using an environment specific data key.
# Secret is stored in the form <key-ciphertext-base64>.<iv-base64>.<ciphertext-base64>
#
# Usage:
# ./kms-encrypt.sh <kms-generated-data-key-file>
#
# When prompted enter the plaintext to be encrypted.
#
# Note: this requires aws credentials with kms:Decrypt on the key used to encrypt the data key.
readonly keyCiphertextFile="$1"
# -r keeps backslashes in the secret literal; -s stops the terminal echoing it
read -r -s -p 'plaintext:' plaintext
echo
readonly toHex='xxd -p'
# decrypt the data key with kms; assign before marking readonly so a failed aws call aborts under set -e
key=$(aws kms decrypt --ciphertext-blob "fileb://$keyCiphertextFile" --output text --query Plaintext | base64 --decode | $toHex | tr -d "[:space:]")
readonly key
# fresh random iv for every encryption (never reuse an iv under the same key)
ivB64=$(aws kms generate-random --number-of-bytes 16 --output text --query Plaintext)
readonly ivB64
iv=$(printf '%s' "$ivB64" | base64 --decode | $toHex | tr -d "[:space:]")
readonly iv
readonly ciphertextFile=$(mktemp)
trap 'rm -f "$ciphertextFile"' EXIT
# encrypt the plaintext; printf rather than echo so the secret is not word-split,
# escape-interpreted, or given a trailing newline
printf '%s' "$plaintext" | openssl enc -aes-256-cbc -K "$key" -iv "$iv" -out "$ciphertextFile"
# store key ciphertext, iv and ciphertext on one line; tr strips the line wrapping GNU base64 adds
readonly keyCiphertextB64=$(base64 < "$keyCiphertextFile" | tr -d '\n')
echo "$keyCiphertextB64.$ivB64.$(base64 < "$ciphertextFile" | tr -d '\n')"
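The scripts above store plain AES-256-CBC output, which protects confidentiality but not integrity: anyone who can modify the stored secret can flip bits in the IV and thereby flip the same bits in the first block of the decrypted plaintext, and kms-decrypt.sh will not notice. The following is an added example, not part of the gist, that reproduces that attack on the gist's `<iv>.<ciphertext>` layout and then shows the encrypt-then-MAC hardening a practitioner would apply. It runs offline: `local_data_key` stands in for `aws kms generate-data-key` / `aws kms decrypt` with a locally generated 32-byte key, and all function names, the HMAC-based key derivation and the sample plaintext `amount=100` are this example's own assumptions, not the gist's. It needs `openssl`, `base64`, `sed` and `cut` on the PATH.

```shell
#!/bin/bash
# Added example, not the gist's code. KMS is replaced by local_data_key so the whole
# script runs offline; the "<iv-hex>.<ciphertext-base64>" payload mirrors the gist's
# format minus the key-ciphertext field.
set -euo pipefail

# Stand-in for `aws kms generate-data-key` + `aws kms decrypt`: a random 32-byte key as hex.
local_data_key() { openssl rand -hex 32; }

# HMAC-SHA256 of stdin under a hex key, printed as a bare hex string.
hmac_hex() {  # $1 = key hex
  openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | sed 's/.*= //'
}

# Derive separate encryption and MAC keys from the data key (HMAC used as a simple KDF),
# so the CBC key is never reused as the MAC key.
derive_key() {  # $1 = data key hex, $2 = label ("enc" or "mac")
  printf '%s' "$2" | hmac_hex "$1"
}

# Unauthenticated AES-256-CBC, as in the gist. Payload: "<iv-hex>.<ciphertext-base64>".
cbc_encrypt() {  # $1 = key hex, $2 = plaintext
  local iv ct
  iv=$(openssl rand -hex 16)
  ct=$(printf '%s' "$2" | openssl enc -aes-256-cbc -K "$1" -iv "$iv" | base64 | tr -d '\n')
  printf '%s.%s' "$iv" "$ct"
}
cbc_decrypt() {  # $1 = key hex, $2 = payload
  local iv=${2%%.*} ct
  ct=$(printf '%s' "$2" | cut -d. -f2)
  printf '%s' "$ct" | base64 --decode | openssl enc -d -aes-256-cbc -K "$1" -iv "$iv"
}

# Attacker step: XOR a mask into one IV byte. CBC decryption XORs the IV into the first
# plaintext block, so the same mask lands on that plaintext byte; padding (in the last
# block) is untouched, so nothing in the unauthenticated format notices.
flip_iv_byte() {  # $1 = payload, $2 = IV byte index (0-15), $3 = XOR mask (0-255)
  local iv=${1%%.*} rest=${1#*.} pos old new
  pos=$(( $2 * 2 ))
  old=${iv:$pos:2}
  new=$(printf '%02x' $(( 0x$old ^ $3 )))
  printf '%s%s%s.%s' "${iv:0:$pos}" "$new" "${iv:$(( pos + 2 ))}" "$rest"
}

# Hardened form: encrypt-then-MAC. Payload: "<iv-hex>.<ciphertext-base64>.<tag-hex>",
# tag = HMAC-SHA256(mac key, "<iv-hex>.<ciphertext-base64>").
auth_encrypt() {  # $1 = data key hex, $2 = plaintext
  local ek mk body tag
  ek=$(derive_key "$1" enc); mk=$(derive_key "$1" mac)
  body=$(cbc_encrypt "$ek" "$2")
  tag=$(printf '%s' "$body" | hmac_hex "$mk")
  printf '%s.%s' "$body" "$tag"
}
# Verify the tag before touching the ciphertext; on mismatch print nothing and fail.
# (A production tool should compare tags in constant time; shell `[` does not.)
auth_decrypt() {  # $1 = data key hex, $2 = payload
  local ek mk body tag expect
  ek=$(derive_key "$1" enc); mk=$(derive_key "$1" mac)
  body=${2%.*}; tag=${2##*.}
  expect=$(printf '%s' "$body" | hmac_hex "$mk")
  [ "$tag" = "$expect" ] || { echo "tag mismatch: payload was modified" >&2; return 1; }
  cbc_decrypt "$ek" "$body"
}

# Walk-through: turn "amount=100" into "amount=900" by XOR-ing 0x08 into IV byte 7
# ('1' is 0x31; 0x31 ^ 0x08 = 0x39 = '9'). The authenticated payload rejects the same edit.
demo() {
  local dk secret tampered
  dk=$(local_data_key)
  secret=$(cbc_encrypt "$dk" 'amount=100')
  tampered=$(flip_iv_byte "$secret" 7 8)
  echo "cbc original : $(cbc_decrypt "$dk" "$secret")"
  echo "cbc tampered : $(cbc_decrypt "$dk" "$tampered")"
  secret=$(auth_encrypt "$dk" 'amount=100')
  tampered=$(flip_iv_byte "$secret" 7 8)
  echo "etm original : $(auth_decrypt "$dk" "$secret")"
  echo "etm tampered : $(auth_decrypt "$dk" "$tampered" 2>/dev/null || echo '<rejected>')"
}
demo
```

Carrying this over to the gist's scripts means appending a fourth field with the tag to the stored secret and having kms-decrypt.sh verify it before calling `openssl enc -d`; the data key KMS hands back is the `dk` input here, and the two derived keys never need to be stored. An alternative that avoids the extra field is to use an AEAD mode, which `openssl enc` does not offer for GCM, so a small program rather than a shell pipeline is usually the cleaner route once integrity matters.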