KMSを使いファイルを暗号化して管理するためのMakefile
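# Scratch location; the plaintext data key is written to a directory below it
# while a recipe runs, so it should be on a local, per-user-safe filesystem.
TMPDIR ?= /tmp
# `.PHONY:` is a special *target*. The previous `.PHONY := ...` only defined
# an ordinary variable named .PHONY, so a file or directory called e.g.
# `encrypt` in the working tree made `make encrypt` report "up to date"
# instead of running the recipe.
.PHONY: encrypt decrypt cmk dependencies
# Running plain `make` only checks that the required tools are installed.
.DEFAULT_GOAL := dependencies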
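# encrypt: envelope-encrypt one file under a KMS customer master key.
#   make encrypt <kms-alias> <plain-file> <dest-dir>
# Output is <dest-dir>/<basename>/ holding
#   DataKey  the AES-256 data key, as returned encrypted by KMS
#   Data     the file, encrypted by openssl with the plaintext data key
# The plaintext data key exists on disk only in $(DECRYPTED_DIR) and only
# while this recipe runs; it is removed even when openssl fails.
# Cipher note: `openssl enc` with `-pass` and no `-pbkdf2` uses the legacy key
# derivation and CBC mode gives no integrity check on Data. Changing these
# options here requires the same change in `decrypt`, or archives already
# produced stop decrypting.
# The -pass input is the first line of the file, i.e. the text the CLI prints
# for Plaintext (one base64 line).
encrypt: dependencies
	$(call exit_invalid_arguments,$(ENCRYPT_KEY),"$$USAGE_ENCRYPT")
	$(call exit_invalid_arguments,$(ENCRYPT_SRC),"$$USAGE_ENCRYPT")
	$(call exit_invalid_arguments,$(ENCRYPT_DST),"$$USAGE_ENCRYPT")
	$(call exit_awscli_alias_not_exists,$(ENCRYPT_KEY))
	$(call exit_file_not_exists,$(ENCRYPT_SRC),"$$USAGE_ENCRYPT")
	$(call exit_dir_not_exists,$(ENCRYPT_DST),"$$USAGE_ENCRYPT")
	$(eval BASENAME := $(notdir $(ENCRYPT_SRC)))
	$(call exit_file_exists,"$(ENCRYPT_DST)/$(BASENAME)","cannot create directory")
	$(eval ENCRYPTED_DIR := "$(TMPDIR)/kms/$(BASENAME)/encrypt")
	$(eval DECRYPTED_DIR := "$(TMPDIR)/kms/$(BASENAME)/decrypt")
	@mkdir -p $(ENCRYPTED_DIR)
# umask 077: the decrypt work dir and the plaintext key file it receives are
# created readable by this user only. The path under $(TMPDIR) is still
# predictable and shared; a pre-existing directory owned by someone else is
# not detected by `mkdir -p`.
	@umask 077 && mkdir -p $(DECRYPTED_DIR)
	@aws kms generate-data-key \
	  --key-id $(ENCRYPT_KEY) \
	  --key-spec AES_256 \
	  --query CiphertextBlob \
	  --output text \
	  | base64 -d \
	  > $(ENCRYPTED_DIR)/DataKey
	@umask 077 && aws kms decrypt \
	  --ciphertext-blob fileb://$(ENCRYPTED_DIR)/DataKey \
	  --query Plaintext \
	  --output text \
	  > $(DECRYPTED_DIR)/DataKey
# One shell: remember openssl's status, always drop the plaintext key, then
# fail with that status so a broken run does not leave key material behind.
	@openssl aes-256-cbc -e \
	  -in "$(ENCRYPT_SRC)" \
	  -out $(ENCRYPTED_DIR)/Data \
	  -pass file:$(DECRYPTED_DIR)/DataKey; \
	rc=$$?; rm -rf $(DECRYPTED_DIR); exit $$rc
# mv -T (GNU coreutils): rename the directory itself, never move it *into*
# an existing target.
	@mv -T $(ENCRYPTED_DIR) "$(ENCRYPT_DST)/$(BASENAME)"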
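# decrypt: recover a file produced by `encrypt`.
#   make decrypt <dir-with-DataKey-and-Data> <dest-dir>
# Writes <dest-dir>/<basename of source dir>. The plaintext data key is
# written only to $(DECRYPTED_DIR) and removed again whether or not openssl
# and the final move succeed. The cipher options must match `encrypt`.
# The decrypted output keeps the caller's umask (it is not restricted to
# 0600 here); restrict <dest-dir> if that matters.
decrypt: dependencies
	$(call exit_invalid_arguments,$(DECRYPT_SRC),"$$USAGE_DECRYPT")
	$(call exit_invalid_arguments,$(DECRYPT_DST),"$$USAGE_DECRYPT")
	$(call exit_dir_not_exists,$(DECRYPT_SRC),"$$USAGE_DECRYPT")
	$(call exit_dir_not_exists,$(DECRYPT_DST),"$$USAGE_DECRYPT")
	$(eval BASENAME := $(notdir $(DECRYPT_SRC)))
	$(call exit_file_exists,"$(DECRYPT_DST)/$(BASENAME)","cannot create file")
	$(eval DECRYPTED_DIR := "$(TMPDIR)/kms/$(BASENAME)/decrypt")
# umask 077: work dir and plaintext key file readable by this user only.
	@umask 077 && mkdir -p $(DECRYPTED_DIR)
	@umask 077 && aws kms decrypt \
	  --ciphertext-blob fileb://$(DECRYPT_SRC)/DataKey \
	  --query Plaintext \
	  --output text \
	  > $(DECRYPTED_DIR)/DataKey
# One shell: decrypt, move the result into place only on success, then remove
# the work dir (and the plaintext key) regardless and exit with the real status.
	@openssl aes-256-cbc -d \
	  -in "$(DECRYPT_SRC)/Data" \
	  -out $(DECRYPTED_DIR)/Data \
	  -pass file:$(DECRYPTED_DIR)/DataKey \
	&& mv -T $(DECRYPTED_DIR)/Data "$(DECRYPT_DST)/$(BASENAME)"; \
	rc=$$?; rm -rf $(DECRYPTED_DIR); exit $$rc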
# cmk: print the KMS aliases visible to the current credentials as a table,
# dropping the AWS-managed `alias/aws/...` entries.
cmk:
	@aws kms list-aliases \
	  --query "Aliases[*].AliasName" \
	  --output table \
	  | tr "\t" "\n" \
	  | grep -v alias/aws
# dependencies: the default goal; fails early if the AWS CLI or openssl is
# missing from PATH by asking each for its version.
dependencies:
	@aws --version
	@openssl version
# awscli_version: recipe fragment that prints the AWS CLI version (silent
# echo). A one-line recursive variable is equivalent to the define/endef form.
awscli_version = @aws --version
# openssl_version: recipe fragment that prints the openssl version (silent
# echo). A one-line recursive variable is equivalent to the define/endef form.
openssl_version = @openssl version
# awscli_list_aliases: shell pipeline listing KMS alias names as a table,
# one per line, without the AWS-managed `alias/aws/...` entries. Expanded
# inside recipes; no `@` here so callers decide whether to echo it.
define awscli_list_aliases
aws kms list-aliases --query "Aliases[*].AliasName" --output table \
  | tr "\t" "\n" \
  | grep -v alias/aws
endef
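# awscli_alias: print the customer-managed KMS alias named exactly $1, or
# nothing when it does not exist. Used as an existence check before any KMS
# call is made with $1.
# -F -x: the previous substring match let a prefix such as alias/app pass the
# check for alias/app-prod; KMS then rejected the partial key-id later with a
# less helpful error. `--` stops an argument starting with `-` being read as
# a grep option.
define awscli_alias
aws kms list-aliases \
  --query "Aliases[*].AliasName" \
  --output text \
  | tr "\t" "\n" \
  | grep -v alias/aws \
  | grep -Fx -- $1
endef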
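# exit_awscli_alias_not_exists: abort the recipe unless KMS alias $1 is visible
# to the current credentials, printing the available aliases on failure.
# The lookup runs through $(shell) when the recipe is expanded, i.e. before
# any line of the calling recipe executes (and also under `make -n`).
# The result is quoted: several matching lines, or a line containing spaces,
# otherwise become extra `[` operands and produce "too many arguments"
# instead of this message.
define exit_awscli_alias_not_exists
@if [ -z "$(shell $(call awscli_alias,"$1"))" ]; then \
  echo "[Failure] KMS aliase not exists : $1"; \
  $(awscli_list_aliases); \
  exit 1; \
fi
endef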
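# exit_file_exists: abort with message $2 when path $1 already exists
# (refuses to overwrite an output).
# $1 is quoted so an empty or space-containing value is still one `[`
# operand. $2 is echoed as given because callers pass already-quoted text
# (e.g. "$$USAGE_ENCRYPT"), which must not be split into words here.
define exit_file_exists
@if [ -e "$1" ]; then \
  echo "[Failure] File exists : $1"; \
  echo $2; \
  exit 1; \
fi
endef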
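# exit_file_not_exists: abort with message $2 unless $1 is an existing
# regular file. `! -f` already covers "does not exist", so the former
# `! -e || ! -f` pair collapses to one test; $1 is quoted so an empty or
# space-containing value stays one `[` operand. $2 is echoed as given
# because callers pass already-quoted text (e.g. "$$USAGE_ENCRYPT").
define exit_file_not_exists
@if [ ! -f "$1" ]; then \
  echo "[Failure] File not exists : $1"; \
  echo $2; \
  exit 1; \
fi
endef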
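# exit_dir_not_exists: abort with message $2 unless $1 is an existing
# directory. `! -d` already covers "does not exist", so the former
# `! -e || ! -d` pair collapses to one test; $1 is quoted so an empty or
# space-containing value stays one `[` operand. $2 is echoed as given
# because callers pass already-quoted text (e.g. "$$USAGE_DECRYPT").
define exit_dir_not_exists
@if [ ! -d "$1" ]; then \
  echo "[Failure] Directory not exists : $1"; \
  echo $2; \
  exit 1; \
fi
endef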
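# exit_invalid_arguments: abort and print usage $2 when argument $1 is empty.
# Quoting $1 makes the empty case an explicit `[ -z "" ]`; the unquoted form
# only worked because `[ -z ]` happens to test the literal string "-z", and
# a multi-word value would have been a `[` syntax error instead.
# $2 is echoed as given because callers pass already-quoted text
# (e.g. "$$USAGE_ENCRYPT"), which must not be split into words here.
define exit_invalid_arguments
@if [ -z "$1" ]; then \
  echo "[Failure] Invalid Arguments"; \
  echo $2; \
  exit 1; \
fi
endef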
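# USAGE_ENCRYPT: help text for `encrypt`, exported so recipes can print it
# with `echo "$$USAGE_ENCRYPT"`. The file names now match what the encrypt
# recipe actually writes (Data and DataKey), not the older
# encrypted-data / encrypted-data-key names.
export USAGE_ENCRYPT
override define USAGE_ENCRYPT
> echo "I love AWS." > plain.txt
> mkdir encrypted
> make encrypt alias/xxxx plain.txt ./encrypted/
> tree encrypted
encrypted
└── plain.txt
    ├── Data
    └── DataKey
1 directory, 2 files
endef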
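# USAGE_DECRYPT: help text for `decrypt`, exported so recipes can print it
# with `echo "$$USAGE_DECRYPT"`. The file names now match what the decrypt
# recipe actually reads (Data and DataKey), not the older
# encrypted-data / encrypted-data-key names.
export USAGE_DECRYPT
override define USAGE_DECRYPT
> tree encrypted
encrypted
└── plain.txt
    ├── Data
    └── DataKey
1 directory, 2 files
> make decrypt ./encrypted/plain.txt/ .
> cat plain.txt
I love AWS.
endef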
# Positional-argument convention: the first goal on the command line is the
# verb, every later goal is an argument for it, e.g.
#   make encrypt alias/xxxx plain.txt ./encrypted/
goal_count := $(words $(MAKECMDGOALS))
MAKEARGS := $(wordlist 2,$(goal_count),$(MAKECMDGOALS))
# Paths go through $(realpath ...), which yields an empty string for a path
# that does not exist; exit_invalid_arguments then reports it.
ENCRYPT_KEY := $(word 1,$(MAKEARGS))
ENCRYPT_SRC := $(realpath $(word 2,$(MAKEARGS)))
ENCRYPT_DST := $(realpath $(word 3,$(MAKEARGS)))
DECRYPT_SRC := $(realpath $(word 1,$(MAKEARGS)))
DECRYPT_DST := $(realpath $(word 2,$(MAKEARGS)))
# Give every argument a no-op rule so make does not try to build it as a goal.
$(eval $(MAKEARGS):;@:)