@jamesmccann
Created June 20, 2023 02:53
Wrap key for KMS manually
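#!/usr/bin/env bash
set -eu
# Set in args (environment variables):
# TARGET_KEY=    file holding the key material to wrap
# WRAPPING_KEY=  RSA public wrapping key (PEM)
# OAEP_MD=       sha1 or sha256, whichever the KMS import method expects
: "${TARGET_KEY:?}" "${WRAPPING_KEY:?}" "${OAEP_MD:?}"
TEMP_AES_KEY=/tmp/TEMP_AES_KEY
WRAPPED_KEY=/tmp/WRAPPED_KEY
echo "WRAPPING_KEY: ${WRAPPING_KEY}"
echo "TARGET_KEY: ${TARGET_KEY}"
echo "TEMP_AES_KEY: ${TEMP_AES_KEY}"
echo "WRAPPED_KEY: ${WRAPPED_KEY}"
read -p "Ready?" -n 1 -r
echo # (optional) move to a new line
if [[ $REPLY =~ ^[Yy]$ ]]
then
  # Keep the key files private and delete the ephemeral AES key on exit
  umask 077
  trap 'rm -f "${TEMP_AES_KEY}"' EXIT
  # Generate an ephemeral 256-bit AES key
  openssl rand -out "${TEMP_AES_KEY}" 32
  # Wrap the ephemeral AES key with the RSA public key (RSA-OAEP);
  # this writes the first part of WRAPPED_KEY
  openssl pkeyutl \
    -encrypt \
    -pubin \
    -inkey "${WRAPPING_KEY}" \
    -in "${TEMP_AES_KEY}" \
    -out "${WRAPPED_KEY}" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt "rsa_oaep_md:${OAEP_MD}" \
    -pkeyopt "rsa_mgf1_md:${OAEP_MD}"
  # Wrap the target key with the ephemeral AES key (AES key wrap with padding)
  # and append the result to the RSA-wrapped AES key.
  # OPENSSL_V110 points at the OpenSSL build used for the key-wrap step.
  OPENSSL_V110="${HOME}/local/bin/openssl.sh"
  "${OPENSSL_V110}" enc \
    -id-aes256-wrap-pad \
    -iv A65959A6 \
    -K "$( hexdump -v -e '/1 "%02x"' < "${TEMP_AES_KEY}" )" \
    -in "${TARGET_KEY}" >> "${WRAPPED_KEY}"
fi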
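
A size check for the two-part blob the script writes, as an added example that is not part of the gist. It assumes the layout RSA-OAEP(temp AES key) followed by AES-KWP(target key); the function names and the RSA modulus size argument are hypothetical, and the caller supplies the modulus size in bytes.

```shell
# RSA-OAEP ciphertext length = RSA modulus length in bytes.
# AES key wrap with padding (RFC 5649) output = target rounded up to a
# multiple of 8 bytes, plus one 8-byte integrity block.

# file_size FILE -> size in bytes on stdout
file_size() {
  wc -c < "$1" | tr -d '[:space:]'
}

# expected_wrapped_len RSA_MODULUS_BYTES TARGET_LEN -> expected blob length
expected_wrapped_len() {
  rsa_len=$1
  tgt_len=$2
  padded=$(( (tgt_len + 7) / 8 * 8 ))
  echo $(( rsa_len + padded + 8 ))
}

# check_wrapped_layout WRAPPED_FILE TARGET_FILE RSA_MODULUS_BYTES
# returns 0 = size is consistent with the layout
#         1 = bad arguments (missing/empty file, non-numeric size)
#         2 = only the RSA part is present (the AES wrap step wrote nothing)
#         3 = any other size mismatch
check_wrapped_layout() {
  wrapped=$1
  target=$2
  rsa_bytes=$3
  [ -s "$wrapped" ] && [ -s "$target" ] || return 1
  case "$rsa_bytes" in
    ''|*[!0-9]*) return 1 ;;
  esac
  actual=$(file_size "$wrapped")
  expected=$(expected_wrapped_len "$rsa_bytes" "$(file_size "$target")")
  if [ "$actual" -eq "$rsa_bytes" ]; then
    return 2
  elif [ "$actual" -ne "$expected" ]; then
    return 3
  fi
  return 0
}
```

A return of 2 is the case where the second `openssl` call failed or was never run, so `WRAPPED_KEY` holds only the RSA-wrapped AES key.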