@geraldstanje geraldstanje/kms-vault forked from hassy/kms-vault
Created Mar 8, 2018

Encrypt/decrypt files using AWS KMS
#!/usr/bin/env bash
# License: MIT -
# Usage:
# Encrypt a file:
# kms-vault encrypt My-Key-Alias some-file-i-want-encrypted.txt > topsecret.asc
# Decrypt a file:
# kms-vault decrypt topsecret.asc
# Requirements: AWS CLI, jq
# Your AWS profile / default profile needs to have access to the KMS key you want to use
# and the kms:ListAliases permission.
# Note: KMS Encrypt accepts at most 4096 bytes of plaintext, so this is for small secrets.
set -eu -o pipefail
usage() { echo "Usage: $0 encrypt <key-alias> <plaintext-file> | decrypt <ciphertext-file>" 1>&2; exit 1; }
command=${1:-}
if [[ $command = "encrypt" ]]; then
  [[ $# -eq 3 ]] || usage
  key_alias=$2
  plaintext_path=$3
  # Match the alias exactly (KMS stores aliases as "alias/<name>"); a substring
  # match could silently select a different key with a similar name.
  key_info=$(aws kms list-aliases \
    | jq -r --arg alias "alias/${key_alias#alias/}" '.Aliases[] | select(.AliasName == $alias)')
  if [[ -z $key_info ]]; then
    echo "No KMS alias matching '$key_alias' found in this account/region" 1>&2
    exit 1
  fi
  echo "Using key:" 1>&2
  echo "$key_info" | jq . 1>&2
  key_id=$(echo "$key_info" | jq -r .TargetKeyId)
  # Prints the base64-encoded CiphertextBlob, which is what "decrypt" reads back.
  aws kms encrypt --key-id "$key_id" --plaintext "fileb://$plaintext_path" \
    --query CiphertextBlob --output text
  exit 0
elif [[ $command = "decrypt" ]]; then
  [[ $# -eq 2 ]] || usage
  ciphertext_path=$2
  # Decode the stored base64 back to the raw blob for KMS, then decode the
  # base64 Plaintext in the response.
  aws kms decrypt --ciphertext-blob fileb://<(base64 --decode "$ciphertext_path") \
    --output text --query Plaintext | base64 --decode
  exit 0
fi
echo "Unknown command: $command" 1>&2
usage