KMSを使いファイルを暗号化して管理するためのMakefile
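# Scratch location used by `encrypt`/`decrypt` for the unwrapped data key
# and staging files.  Defaults to the shared /tmp; point it at a private
# directory (`make TMPDIR=... encrypt ...`) when other local users must
# not even see the staging paths, which are derived from the file name.
TMPDIR ?= /tmp

# Phony targets are declared with the special *target* `.PHONY:`.  The
# original `.PHONY := ...` only defined a variable named .PHONY, so these
# names stayed ordinary file targets (a file called `encrypt` in the
# working directory would have turned `make encrypt` into a no-op).
.PHONY: encrypt decrypt cmk dependencies
.DEFAULT_GOAL := dependencies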
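## encrypt: make encrypt <kms-alias> <plain-file> <dest-dir>
# Envelope-encrypts one file with a KMS data key:
#   1. ask KMS for a fresh AES-256 data key and keep only its wrapped
#      CiphertextBlob on disk as <scratch>/encrypt/DataKey;
#   2. unwrap it with `aws kms decrypt` into <scratch>/decrypt/DataKey
#      (the base64 text the CLI prints is what openssl reads through
#      `-pass file:`, and `decrypt` below obtains the same text the same
#      way, so both sides derive the same cipher key);
#   3. encrypt <plain-file> into <scratch>/encrypt/Data;
#   4. delete the unwrapped key and move <scratch>/encrypt to
#      <dest-dir>/<basename>/ (DataKey + Data).
# Arguments are positional, taken from MAKEARGS at the bottom of the file.
# Defensive notes:
#   - between steps 2 and 4 the unwrapped data key sits in plaintext under
#     $(TMPDIR); that directory and file are therefore created with
#     umask 077, and a failed unwrap/encrypt removes it instead of leaving
#     it behind.  Paths are quoted so spaces in $(TMPDIR) or the inputs do
#     not split the command.
#   - openssl derives the cipher key from the DataKey text as a passphrase
#     (`-pass`), and aes-256-cbc carries no integrity tag, so tampering
#     with Data is not detected.  Any change to the openssl flags (e.g.
#     -pbkdf2 or an AEAD mode) must be mirrored in `decrypt` and will not
#     read files encrypted before the change.
#   - only the alias's existence is validated (exit_awscli_alias_not_exists
#     greps `list-aliases`); KMS itself authorises the GenerateDataKey and
#     Decrypt calls.
encrypt: dependencies
	$(call exit_invalid_arguments,$(ENCRYPT_KEY),"$$USAGE_ENCRYPT")
	$(call exit_invalid_arguments,$(ENCRYPT_SRC),"$$USAGE_ENCRYPT")
	$(call exit_invalid_arguments,$(ENCRYPT_DST),"$$USAGE_ENCRYPT")
	$(call exit_awscli_alias_not_exists,$(ENCRYPT_KEY))
	$(call exit_file_not_exists,$(ENCRYPT_SRC),"$$USAGE_ENCRYPT")
	$(call exit_dir_not_exists,$(ENCRYPT_DST),"$$USAGE_ENCRYPT")
	$(eval BASENAME := $(notdir $(ENCRYPT_SRC)))
	$(call exit_file_exists,$(ENCRYPT_DST)/$(BASENAME),"cannot create directory")
	$(eval ENCRYPTED_DIR := $(TMPDIR)/kms/$(BASENAME)/encrypt)
	$(eval DECRYPTED_DIR := $(TMPDIR)/kms/$(BASENAME)/decrypt)
	@mkdir -p "$(ENCRYPTED_DIR)"
	@umask 077 && mkdir -p "$(DECRYPTED_DIR)"
	@aws kms generate-data-key \
	    --key-id "$(ENCRYPT_KEY)" \
	    --key-spec AES_256 \
	    --query CiphertextBlob \
	    --output text \
	  | base64 -d \
	  > "$(ENCRYPTED_DIR)/DataKey"
	@umask 077 && aws kms decrypt \
	    --ciphertext-blob "fileb://$(ENCRYPTED_DIR)/DataKey" \
	    --query Plaintext \
	    --output text \
	  > "$(DECRYPTED_DIR)/DataKey" \
	  || { $(RM) -r "$(DECRYPTED_DIR)"; exit 1; }
	@openssl aes-256-cbc -e \
	    -in "$(ENCRYPT_SRC)" \
	    -out "$(ENCRYPTED_DIR)/Data" \
	    -pass "file:$(DECRYPTED_DIR)/DataKey" \
	  || { $(RM) -r "$(DECRYPTED_DIR)"; exit 1; }
	@$(RM) -r "$(DECRYPTED_DIR)"
	@mv -T "$(ENCRYPTED_DIR)" "$(ENCRYPT_DST)/$(BASENAME)"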
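## decrypt: make decrypt <encrypted-dir> <dest-dir>
# Reverse of `encrypt`: <encrypted-dir> is a directory it produced
# (DataKey = KMS-wrapped key, Data = aes-256-cbc ciphertext).  KMS
# unwraps DataKey into a private scratch directory, openssl decrypts
# Data with it there, and the plaintext is moved to
# <dest-dir>/<basename of encrypted-dir>.
# Both input files are checked up front so a missing Data/DataKey is
# reported by this Makefile rather than as an opaque aws/openssl error.
# The unwrapped key is written with umask 077 and the scratch directory
# is removed on failure as well as on success; the openssl flags must
# stay identical to the ones in `encrypt`.
decrypt: dependencies
	$(call exit_invalid_arguments,$(DECRYPT_SRC),"$$USAGE_DECRYPT")
	$(call exit_invalid_arguments,$(DECRYPT_DST),"$$USAGE_DECRYPT")
	$(call exit_dir_not_exists,$(DECRYPT_SRC),"$$USAGE_DECRYPT")
	$(call exit_dir_not_exists,$(DECRYPT_DST),"$$USAGE_DECRYPT")
	$(call exit_file_not_exists,$(DECRYPT_SRC)/DataKey,"$$USAGE_DECRYPT")
	$(call exit_file_not_exists,$(DECRYPT_SRC)/Data,"$$USAGE_DECRYPT")
	$(eval BASENAME := $(notdir $(DECRYPT_SRC)))
	$(call exit_file_exists,$(DECRYPT_DST)/$(BASENAME),"cannot create file")
	$(eval DECRYPTED_DIR := $(TMPDIR)/kms/$(BASENAME)/decrypt)
	@umask 077 && mkdir -p "$(DECRYPTED_DIR)"
	@umask 077 && aws kms decrypt \
	    --ciphertext-blob "fileb://$(DECRYPT_SRC)/DataKey" \
	    --query Plaintext \
	    --output text \
	  > "$(DECRYPTED_DIR)/DataKey" \
	  || { $(RM) -r "$(DECRYPTED_DIR)"; exit 1; }
	@openssl aes-256-cbc -d \
	    -in "$(DECRYPT_SRC)/Data" \
	    -out "$(DECRYPTED_DIR)/Data" \
	    -pass "file:$(DECRYPTED_DIR)/DataKey" \
	  || { $(RM) -r "$(DECRYPTED_DIR)"; exit 1; }
	@mv -T "$(DECRYPTED_DIR)/Data" "$(DECRYPT_DST)/$(BASENAME)"
	@$(RM) -r "$(DECRYPTED_DIR)"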
## cmk: print the customer-managed KMS alias names visible to the current
## AWS CLI credentials; the awscli_list_aliases pipeline drops the
## AWS-managed alias/aws* entries.
cmk:
	@$(awscli_list_aliases)
## dependencies: confirm the two external tools the encrypt/decrypt
## recipes shell out to are on PATH by printing their versions.  This is
## the default goal, so a bare `make` runs only this check.
dependencies:
	@aws --version
	@openssl version
# Canned recipe line: print the AWS CLI version (silenced with `@`).
awscli_version = @aws --version
# Canned recipe line: print the openssl version (silenced with `@`).
openssl_version = @openssl version
# Shell pipeline printing the KMS alias names of the current account and
# region as a table, one entry per line, with the AWS-managed
# alias/aws* rows filtered out.  Used by `cmk` and by the failure path of
# exit_awscli_alias_not_exists.
define awscli_list_aliases
aws kms list-aliases --output table \
  --query "Aliases[*].AliasName" \
  | tr "\t" "\n" | grep -v alias/aws
endef
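# awscli_alias(name): shell pipeline that prints the KMS alias exactly
# equal to $1, or nothing when no such customer alias exists.  It is run
# through $(shell) by exit_awscli_alias_not_exists, so the text must be a
# single shell command: every line except the last needs a trailing
# backslash (the line before the final grep lacked one, which made sh
# reject the pipeline and the check report every alias as missing).
# `grep -Fx --` matches the literal, whole line, so alias/prod is not
# "found" merely because alias/prod-old exists, and a name beginning with
# "-" is not parsed as a grep option.
define awscli_alias
aws kms list-aliases \
  --query "Aliases[*].AliasName" \
  --output text \
  | tr "\t" "\n" \
  | grep -v alias/aws \
  | grep -Fx -- $1
endef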
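# exit_awscli_alias_not_exists(alias): abort the recipe when $1 is not a
# customer-managed alias, printing the available ones.  The lookup runs
# at recipe *expansion* time via $(shell ...), i.e. it also runs under
# `make -n`.  The lookup result is quoted so `[ -z ... ]` stays valid if
# it ever contains more than one word; unquoted, a multi-word result
# would have been a test(1) syntax error rather than a clean failure.
define exit_awscli_alias_not_exists
@if [ -z "$(shell $(call awscli_alias,"$1"))" ]; then \
  echo "[Failure] KMS aliase not exists : $1"; \
  $(awscli_list_aliases); \
  exit 1; \
fi
endef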
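# exit_file_exists(path, hint): abort when $1 already exists (file or
# directory) so an existing output is never overwritten; $2 is printed
# as the reason.  $1 is quoted so a path containing spaces is tested as
# one argument.  $2 is echoed as passed because callers already quote it
# (they hand over "$$USAGE_..." or a quoted message).
define exit_file_exists
@if [ -e "$1" ]; then \
  echo "[Failure] File exists : $1"; \
  echo $2; \
  exit 1; \
fi
endef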
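# exit_file_not_exists(path, hint): abort unless $1 is an existing
# regular file; $2 is printed as the reason.  `[ -f ]` already fails for
# a missing path, so the extra `! -e` test of the original was redundant.
# $1 is quoted so paths with spaces work; $2 is echoed as passed because
# callers already quote it.
define exit_file_not_exists
@if [ ! -f "$1" ]; then \
  echo "[Failure] File not exists : $1"; \
  echo $2; \
  exit 1; \
fi
endef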
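# exit_dir_not_exists(path, hint): abort unless $1 is an existing
# directory; $2 is printed as the reason.  `[ -d ]` already fails for a
# missing path, so the extra `! -e` test of the original was redundant.
# $1 is quoted so paths with spaces work; $2 is echoed as passed because
# callers already quote it.
define exit_dir_not_exists
@if [ ! -d "$1" ]; then \
  echo "[Failure] Directory not exists : $1"; \
  echo $2; \
  exit 1; \
fi
endef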
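# exit_invalid_arguments(value, usage): abort when $1 is empty, printing
# $2 (the usage text).  Quoting $1 keeps the test well-formed whether the
# value is empty or contains spaces; the unquoted `[ -z $1 ]` only worked
# by accident for the empty case.  $2 is echoed as passed because callers
# already quote it ("$$USAGE_...").
define exit_invalid_arguments
@if [ -z "$1" ]; then \
  echo "[Failure] Invalid Arguments"; \
  echo $2; \
  exit 1; \
fi
endef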
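# Usage text shown by the argument checks of `encrypt`.  It is exported
# so the recipes can print it as the shell variable $USAGE_ENCRYPT, and
# `override` keeps a command-line USAGE_ENCRYPT=... from replacing it.
# The example tree lists the files the recipe actually writes: Data (the
# ciphertext) and DataKey (the KMS-wrapped data key); the original text
# named files (encrypted-data, encrypted-data-key) that are never created.
export USAGE_ENCRYPT
override define USAGE_ENCRYPT
> echo "I love AWS." > plain.txt
> mkdir encrypted
> make encrypt alias/xxxx plain.txt ./encrypted/
> tree encrypted
encrypted
└── plain.txt
    ├── Data
    └── DataKey
1 directory, 2 files
endef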
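# Usage text shown by the argument checks of `decrypt`.  Exported so the
# recipes can print it as the shell variable $USAGE_DECRYPT; `override`
# keeps a command-line USAGE_DECRYPT=... from replacing it.  The example
# tree lists the files `encrypt` actually writes (Data, DataKey), which
# is what `decrypt` expects to find in the source directory.
export USAGE_DECRYPT
override define USAGE_DECRYPT
> tree encrypted
encrypted
└── plain.txt
    ├── Data
    └── DataKey
1 directory, 2 files
> make decrypt ./encrypted/plain.txt/ .
> cat plain.txt
I love AWS.
endef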
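# Positional-argument emulation: every word after the goal on the command
# line (`make encrypt alias/x plain.txt ./out/`) is captured here.
# $(realpath) resolves the path arguments now and yields "" for a path
# that does not exist, which the recipes then report as "Invalid
# Arguments".  Note that the same words feed both the encrypt and the
# decrypt variables; only the goal decides which set is read.
MAKEARGS := $(wordlist 2,$(words $(MAKECMDGOALS)),$(MAKECMDGOALS))
ENCRYPT_KEY := $(word 1,$(MAKEARGS))
ENCRYPT_SRC := $(realpath $(word 2,$(MAKEARGS)))
ENCRYPT_DST := $(realpath $(word 3,$(MAKEARGS)))
DECRYPT_SRC := $(realpath $(word 1,$(MAKEARGS)))
DECRYPT_DST := $(realpath $(word 2,$(MAKEARGS)))
# Give each extra word an empty rule so make does not treat it as an
# unknown target; guarded so a bare `make` (no arguments) never evaluates
# a rule line with an empty target list.
$(if $(strip $(MAKEARGS)),$(eval $(MAKEARGS):;@:))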