Create a gist now

Instantly share code, notes, and snippets.

@hassy /kms-vault
Last active Jul 18, 2017

What would you like to do?
Encrypt/decrypt files using AWS KMS
#!/usr/bin/env bash
# License: MIT - https://opensource.org/licenses/MIT
#
# Usage:
#
# Encrypt a file:
# kms-vault encrypt My-Key-Alias some-file-i-want-encrypted.txt > topsecret.asc
#
# Decrypt a file:
# kms-vault decrypt topsecret.asc
#
#
# Requirements: AWS CLI, jq
#
# Your AWS profile / default profile needs to have access to the KMS key you want to use
# and the kms:ListAliases permission.
#
set -eu -o pipefail
command=$1
if [[ $command = "encrypt" ]]; then
key_alias="$2"
key_info=$(aws kms list-aliases | jq -r ".Aliases[] | select(.AliasName | contains (\"$key_alias\"))")
echo "Using key:" 1>&2
echo "$key_info" | jq 1>&2
key_id=$(echo "$key_info" | jq -r .TargetKeyId)
plaintext_path="$3"
aws kms encrypt --key-id "$key_id" --plaintext "fileb://$plaintext_path" --query CiphertextBlob --output text
exit 0
elif [[ $command = "decrypt" ]]; then
ciphertext_path="$2"
aws kms decrypt --ciphertext-blob fileb://<(cat $ciphertext_path | base64 --decode) --output text --query Plaintext | base64 --decode
exit 0
else
echo "Unknown command: $command"
exit 1
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment