Last active Jun 18, 2020
Encrypt/decrypt files using AWS KMS
#!/usr/bin/env bash
# License: MIT -
# Usage:
# Encrypt a file:
# kms-vault encrypt My-Key-Alias some-file-i-want-encrypted.txt > topsecret.asc
# Decrypt a file:
# kms-vault decrypt topsecret.asc
# Requirements: AWS CLI, jq
# Your AWS profile / default profile needs to have access to the KMS key you want to use
# and the kms:ListAliases permission.
# Note: KMS Encrypt accepts at most 4096 bytes of plaintext, so this is for small
# secrets (passwords, tokens, key material) rather than arbitrary files.
set -eu -o pipefail

command=${1:-}

if [[ $command = "encrypt" ]]; then
    key_alias=$2
    plaintext_path=$3
    # Find the first alias containing the given name. The alias is passed to jq as a
    # variable rather than spliced into the filter, so odd characters cannot break it.
    key_info=$(aws kms list-aliases | jq -r --arg alias "$key_alias" 'first(.Aliases[] | select(.AliasName | contains($alias)))')
    if [[ -z $key_info ]]; then
        echo "No KMS alias matching '$key_alias' found" 1>&2
        exit 1
    fi
    echo "Using key:" 1>&2
    echo "$key_info" | jq 1>&2
    key_id=$(echo "$key_info" | jq -r .TargetKeyId)
    # CiphertextBlob is returned base64-encoded; that text is the vault file.
    aws kms encrypt --key-id "$key_id" --plaintext "fileb://$plaintext_path" --query CiphertextBlob --output text
    exit 0
elif [[ $command = "decrypt" ]]; then
    ciphertext_path=$2
    # Undo the base64 from encrypt so KMS gets the raw blob, then decode the
    # base64 plaintext KMS returns.
    aws kms decrypt --ciphertext-blob fileb://<(base64 --decode < "$ciphertext_path") --output text --query Plaintext | base64 --decode
    exit 0
fi

echo "Unknown command: $command" 1>&2
echo "Usage: $0 encrypt KEY-ALIAS FILE | decrypt FILE" 1>&2
exit 1

@jlis jlis commented Mar 19, 2019

Thanks for that nice snippet, saved me a ton of work.

One addition though: since base64 --decode is not working on all distributions, I'd suggest switching to python -m base64 -d (we can expect Python to be installed because of the AWS CLI).

More information: promptworks/aws-secrets#14

@hassy hassy commented Jul 26, 2019

Thanks @jlis, and glad you found it useful! I hope GitHub implements notifications on Gists some time soon; I only just saw your comment.
