Encrypt plaintext using a KMS-encrypted data key; the inverse (decrypt) is also supported.
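# This guide outlines how to:
# 1. Generate an AWS KMS data key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys).
# 2. Encrypt a secret using the generated data key.
# 3. Decrypt the encrypted secret.
#
# Note: base64 -D is the macOS/BSD flag; on GNU coreutils use base64 -d.

# generate a kms data key; generate-data-key-without-plaintext returns only the encrypted
# copy of the key, which is what kms-encrypt.sh / kms-decrypt.sh expect in key.enc
aws kms generate-data-key-without-plaintext \
  --key-id <key-id> \
  --key-spec AES_256 \
  --output text --query CiphertextBlob | base64 -D > ./key.enc

# encrypt a secret using the generated key ciphertext; enter your secret when prompted
./kms-encrypt.sh key.enc > secret

# decrypt the secret (quoted so the whole payload is passed as a single argument)
./kms-decrypt.sh "$(cat secret)"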
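#!/bin/bash
set -ue -o pipefail
# Decrypt the supplied secret: first decrypt the data-key ciphertext with KMS, then use the
# recovered key to decrypt the secret ciphertext. The plaintext is written to stdout.
#
# Usage:
#   ./kms-decrypt.sh <encrypted-secret>
#
# The encrypted secret has the form <key-ciphertext-base64>.<iv-base64>.<ciphertext-base64>,
# as produced by kms-encrypt.sh.
#
# Note: this requires AWS credentials with kms:Decrypt on the key used to encrypt the data key.
# Note: base64 -D is the macOS/BSD flag; GNU coreutils base64 uses -d.
# Note: AES-256-CBC provides confidentiality only — a modified ciphertext is not detected,
#       so the payload should come from a trusted store.

if (( $# != 1 )); then
  printf 'Usage: %s <encrypted-secret>\n' "${0##*/}" >&2
  exit 2
fi
readonly payload="$1"

# extract key ciphertext, iv and secret ciphertext from the dotted payload
IFS='.' read -r keyCiphertextB64 ivB64 ciphertextB64 _ <<<"$payload"
readonly keyCiphertextB64 ivB64 ciphertextB64
if [[ -z "$keyCiphertextB64" || -z "$ivB64" || -z "$ciphertextB64" ]]; then
  printf 'error: payload must have the form <key>.<iv>.<ciphertext>\n' >&2
  exit 1
fi

# kms decrypt needs the data-key ciphertext as a file (fileb://); remove it on every exit path
keyCiphertextFile=$(mktemp) || { printf 'error: mktemp failed\n' >&2; exit 1; }
readonly keyCiphertextFile
trap 'rm -f -- "$keyCiphertextFile"' EXIT
printf '%s\n' "$keyCiphertextB64" | base64 -D > "$keyCiphertextFile"

# declaration and assignment are separated so a failing aws/base64 call aborts under set -e
# (a `readonly x=$(...)` form reports readonly's own status and would mask the failure).
# xxd -p wraps its output, hence the tr that strips all whitespace.
key=$(aws kms decrypt --ciphertext-blob "fileb://$keyCiphertextFile" --output text --query Plaintext \
  | base64 -D | xxd -p | tr -d '[:space:]')
readonly key
iv=$(printf '%s\n' "$ivB64" | base64 -D | xxd -p | tr -d '[:space:]')
readonly iv

# NOTE: -K/-iv put the raw key and iv on openssl's command line, where other local users can
# observe them via ps; run this only on a host you trust.
printf '%s\n' "$ciphertextB64" | base64 -D \
  | openssl enc -d -aes-256-cbc -K "$key" -iv "$iv"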
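#!/bin/bash
set -ue -o pipefail
# Encrypt the supplied secret using an environment-specific KMS data key.
# The secret is written to stdout in the form <key-ciphertext-base64>.<iv-base64>.<ciphertext-base64>,
# which kms-decrypt.sh reads back.
#
# Usage:
#   ./kms-encrypt.sh <kms-generated-data-key-file>
#
# When prompted, enter the plaintext to be encrypted (input is not echoed). A trailing newline
# is stored together with the plaintext and is emitted again on decrypt.
#
# Note: this requires AWS credentials with kms:Decrypt on the key used to encrypt the data key.
# Note: base64 -D is the macOS/BSD flag; GNU base64 uses -d, and its encoder wraps lines at
#       76 columns unless given -w0 — the dotted payload assumes unwrapped base64.
# Note: AES-256-CBC provides confidentiality only; the payload carries no integrity check.

if (( $# != 1 )) || [[ ! -r "$1" ]]; then
  printf 'Usage: %s <kms-generated-data-key-file>\n' "${0##*/}" >&2
  exit 2
fi
readonly keyCiphertextFile="$1"

# -r keeps backslashes in the plaintext literal; -s suppresses terminal echo
read -r -s -p 'plaintext:' plaintext
echo

# declaration and assignment are separated so a failing aws/base64 call aborts under set -e
# (a `readonly x=$(...)` form reports readonly's own status and would mask the failure).
# xxd -p wraps its output, hence the tr that strips all whitespace.
key=$(aws kms decrypt --ciphertext-blob "fileb://$keyCiphertextFile" --output text --query Plaintext \
  | base64 -D | xxd -p | tr -d '[:space:]')
readonly key
# fresh 16-byte iv per encryption; kept base64 for the payload and hex for openssl
ivB64=$(aws kms generate-random --number-of-bytes 16 --output text --query Plaintext)
readonly ivB64
iv=$(printf '%s\n' "$ivB64" | base64 -D | xxd -p | tr -d '[:space:]')
readonly iv

ciphertextFile=$(mktemp) || { printf 'error: mktemp failed\n' >&2; exit 1; }
readonly ciphertextFile
# remove the temp file on every exit path, not only after a successful run
trap 'rm -f -- "$ciphertextFile"' EXIT

# encrypt the plaintext; printf passes it byte-for-byte, whereas an unquoted echo would
# word-split it and may interpret leading -n/-e.
# NOTE: -K/-iv put the raw key and iv on openssl's command line, where other local users can
# observe them via ps; run this only on a host you trust.
printf '%s\n' "$plaintext" | openssl enc -aes-256-cbc -K "$key" -iv "$iv" -out "$ciphertextFile"

# emit key ciphertext, iv and secret ciphertext as one dotted payload
keyCiphertextB64=$(base64 < "$keyCiphertextFile")
readonly keyCiphertextB64
printf '%s.%s.%s\n' "$keyCiphertextB64" "$ivB64" "$(base64 < "$ciphertextFile")"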