Created
June 20, 2023 02:53
Wrap key for KMS manually
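#!/usr/bin/env bash
#
# Wrap a key for manual KMS import.
#
# A random 256-bit AES key is generated and encrypted to the wrapping public
# key with RSA-OAEP. The target key is then wrapped under that AES key with
# AES key wrap with padding. The output file is the RSA-encrypted AES key
# immediately followed by the AES-wrapped target key.
#
# Set in the environment before running:
#   TARGET_KEY=    path to the key material to wrap
#   WRAPPING_KEY=  path to the public wrapping key (read with -pubin)
#   OAEP_MD=       sha1 or sha256; must match the hash the wrapping key and
#                  import method expect, otherwise the import will not unwrap
# Optional overrides:
#   WRAPPED_KEY=   output path (default /tmp/WRAPPED_KEY)
#   OPENSSL_V110=  openssl build that supports -id-aes256-wrap-pad

set -euo pipefail
umask 077 # every file created below is owner-only

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

: "${TARGET_KEY:?set TARGET_KEY to the key file to wrap}"
: "${WRAPPING_KEY:?set WRAPPING_KEY to the public wrapping key file}"
: "${OAEP_MD:?set OAEP_MD to sha1 or sha256 to match the wrapping key}"

case "${OAEP_MD}" in
  sha1 | sha256) ;;
  *) die "OAEP_MD must be sha1 or sha256, got: ${OAEP_MD}" ;;
esac

[[ -r "${TARGET_KEY}" ]] || die "cannot read TARGET_KEY: ${TARGET_KEY}"
[[ -r "${WRAPPING_KEY}" ]] || die "cannot read WRAPPING_KEY: ${WRAPPING_KEY}"

OPENSSL_V110="${OPENSSL_V110:-${HOME}/local/bin/openssl.sh}"
[[ -x "${OPENSSL_V110}" ]] || die "openssl wrapper not executable: ${OPENSSL_V110}"

WRAPPED_KEY="${WRAPPED_KEY:-/tmp/WRAPPED_KEY}"
# The default output path is predictable and lives in a shared directory;
# refuse to write through a symlink another local user may have planted there.
[[ ! -L "${WRAPPED_KEY}" ]] || die "refusing to write through symlink: ${WRAPPED_KEY}"

# The ephemeral AES key is secret. Keep it in a private, unpredictable
# directory and remove it on every exit path. rm only unlinks the file; use a
# tmpfs-backed TMPDIR if the key must never reach persistent storage.
work_dir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "${work_dir:?}"' EXIT
TEMP_AES_KEY="${work_dir}/TEMP_AES_KEY"

printf '%s %s\n' "WRAPPING_KEY: " "${WRAPPING_KEY}"
printf '%s %s\n' "TARGET_KEY: " "${TARGET_KEY}"
printf '%s %s\n' "TEMP_AES_KEY: " "${TEMP_AES_KEY}"
printf '%s %s\n' "WRAPPED_KEY: " "${WRAPPED_KEY}"

read -r -n 1 -p "Ready?" || REPLY=""
echo # (optional) move to a new line

if [[ "${REPLY}" =~ ^[Yy]$ ]]; then
  # Step 1: generate the ephemeral 256-bit AES key.
  openssl rand -out "${TEMP_AES_KEY}" 32

  # Step 2: encrypt the AES key to the wrapping public key with RSA-OAEP.
  # The OAEP digest and the MGF1 digest are set to the same hash.
  openssl pkeyutl \
    -encrypt \
    -pubin \
    -inkey "${WRAPPING_KEY}" \
    -in "${TEMP_AES_KEY}" \
    -out "${WRAPPED_KEY}" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt "rsa_oaep_md:${OAEP_MD}" \
    -pkeyopt "rsa_mgf1_md:${OAEP_MD}"

  aes_key_hex=$(hexdump -v -e '/1 "%02x"' <"${TEMP_AES_KEY}")
  [[ ${#aes_key_hex} -eq 64 ]] || die "unexpected AES key length in ${TEMP_AES_KEY}"

  # Step 3: wrap the target key under the AES key and append the result to
  # the RSA-encrypted AES key. A65959A6 is the RFC 5649 alternative initial
  # value for AES key wrap with padding.
  # NOTE: -K takes the raw key as hex on the command line, so the ephemeral
  # AES key is visible in the process list while openssl runs. Run this only
  # on a single-user, trusted host.
  "${OPENSSL_V110}" enc \
    -id-aes256-wrap-pad \
    -iv A65959A6 \
    -K "${aes_key_hex}" \
    -in "${TARGET_KEY}" >>"${WRAPPED_KEY}"
fi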