@hassy hassy/kms-vault
Last active Aug 23, 2019

Encrypt/decrypt files using AWS KMS
#!/usr/bin/env bash
# License: MIT - https://opensource.org/licenses/MIT
#
# Usage:
#
# Encrypt a file:
# kms-vault encrypt My-Key-Alias some-file-i-want-encrypted.txt > topsecret.asc
#
# Decrypt a file:
# kms-vault decrypt topsecret.asc
#
#
# Requirements: AWS CLI, jq
#
# Your AWS profile / default profile needs to have access to the KMS key you want to use
# and the kms:ListAliases permission.
#
# Note: this calls KMS Encrypt directly on the file contents, so the file must fit within
# the KMS plaintext limit (4096 bytes). Larger files need envelope encryption with a data key.
#
set -eu -o pipefail

command=${1:-}

if [[ $command = "encrypt" ]]; then
    key_alias="${2:?key alias required}"
    # Resolve the alias to a key ID. The alias is passed to jq as a variable (not spliced
    # into the filter) and matched exactly, with or without the "alias/" prefix, so a
    # substring match cannot silently select a different key.
    key_info=$(aws kms list-aliases \
        | jq -r --arg a "$key_alias" '.Aliases[] | select(.AliasName == $a or .AliasName == "alias/" + $a)')
    if [[ -z $key_info ]]; then
        echo "No KMS alias matching '$key_alias' found" 1>&2
        exit 1
    fi
    echo "Using key:" 1>&2
    echo "$key_info" | jq 1>&2
    key_id=$(echo "$key_info" | jq -r .TargetKeyId)
    plaintext_path="${3:?path to plaintext file required}"
    # CiphertextBlob comes back base64-encoded; that text is what is written to stdout.
    aws kms encrypt --key-id "$key_id" --plaintext "fileb://$plaintext_path" \
        --query CiphertextBlob --output text
    exit 0
elif [[ $command = "decrypt" ]]; then
    ciphertext_path="${2:?path to ciphertext file required}"
    # Decode the stored base64 back into the raw blob KMS expects, then decode the
    # base64 Plaintext that KMS returns.
    aws kms decrypt --ciphertext-blob fileb://<(base64 --decode < "$ciphertext_path") \
        --output text --query Plaintext | base64 --decode
    exit 0
else
    echo "Unknown command: $command" 1>&2
    echo "Usage: kms-vault encrypt <key-alias> <file> | kms-vault decrypt <file>" 1>&2
    exit 1
fi
jlis commented Mar 19, 2019

Thanks for that nice snippet, saved me a ton of work.

One addition though, since base64 --decode is not working on all distributions, I'd suggest switching to python -m base64 -d (we can expect Python to be installed because of the AWS CLI).

More information: promptworks/aws-secrets#14

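As an added example (not part of the gist or of the comment above), a helper that probes for a working base64 decoder once at startup and falls back to Python as suggested; the function and variable names here are my own and the decrypt line in the comment shows how it would slot into the script:

```bash
#!/usr/bin/env bash
# Pick a base64 decoder once, at startup, so the decrypt path does not depend on
# GNU-style long options being available on the host.
pick_b64_decoder() {
    # Probe each candidate on a known input ("b2s=" decodes to "ok") instead of
    # trusting --help output, which differs between coreutils, BSD and busybox.
    if [ "$(printf 'b2s=' | base64 --decode 2>/dev/null)" = "ok" ]; then
        echo "base64 --decode"
    elif [ "$(printf 'b2s=' | base64 -d 2>/dev/null)" = "ok" ]; then
        echo "base64 -d"                    # busybox / some BSDs
    elif [ "$(printf 'b2s=' | base64 -D 2>/dev/null)" = "ok" ]; then
        echo "base64 -D"                    # older macOS
    elif command -v python3 >/dev/null 2>&1; then
        echo "python3 -m base64 -d"
    elif command -v python >/dev/null 2>&1; then
        echo "python -m base64 -d"          # the interpreter the AWS CLI itself relies on
    else
        return 1
    fi
}

B64_DECODE=$(pick_b64_decoder) || { echo "no usable base64 decoder found" 1>&2; exit 1; }

# Decode base64 from stdin to stdout with whichever decoder was selected.
b64decode() {
    # Word splitting of $B64_DECODE is intentional: it holds a command plus its flag.
    $B64_DECODE
}

# In the gist's decrypt branch this would replace both base64 --decode calls:
#   aws kms decrypt --ciphertext-blob fileb://<(b64decode < "$ciphertext_path") \
#       --output text --query Plaintext | b64decode
```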
hassy commented Jul 26, 2019

Thanks @jlis & glad you found it useful! I hope GitHub implements notifications on Gists some time soon; I only just saw your comment.
