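#!/usr/bin/env bash
#
# Round-trip a short message through an AWS KMS key: resolve the key alias,
# print its policies, encrypt with one CLI profile, decrypt with (possibly)
# another, then diff the result against the original message.
# A non-zero exit means a step failed or the decrypted text did not match.
#
# Every setting below may be overridden from the environment, e.g.
#   KEY_ALIAS=alias/other REGION=eu-west-1 ./kms-roundtrip.sh
# Requires: the aws CLI on PATH, and profiles holding kms:Encrypt (encrypt
# side) and kms:Decrypt (decrypt side) permission on the key.
set -euo pipefail

# message to en/decrypt
ORIGINAL_DATA=${ORIGINAL_DATA:-hello-world}
KEY_ALIAS=${KEY_ALIAS:-alias/example}

# AWS CLI bits
PROFILE_ENCRYPT=${PROFILE_ENCRYPT:-saml}
PROFILE_DECRYPT=${PROFILE_DECRYPT:-ASIAZF3IWVKQWIYJWJW7}
REGION=${REGION:-us-east-1}

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

command -v aws >/dev/null || die "aws CLI not found in PATH"

# inspect key: resolve the alias to the key ARN, then show the policies that
# decide who may encrypt/decrypt with it.
KEY_ID=$(aws --profile "$PROFILE_ENCRYPT" --region "$REGION" kms describe-key \
  --key-id "$KEY_ALIAS" --query KeyMetadata.Arn --output text) \
  || die "kms describe-key failed for $KEY_ALIAS"
# `--output text` prints the literal word None when the field is absent.
[[ -n "$KEY_ID" && "$KEY_ID" != "None" ]] || die "no key ARN returned for $KEY_ALIAS"
aws --profile "$PROFILE_ENCRYPT" --region "$REGION" kms list-key-policies --key-id "$KEY_ID"
aws --profile "$PROFILE_ENCRYPT" --region "$REGION" kms get-key-policy \
  --key-id "$KEY_ID" --policy-name default --query Policy --output text

# encrypt
printf '%s\n' "$ORIGINAL_DATA"
# The plaintext is handed to the CLI as a file-like blob instead of a bare
# argument: it keeps the message out of argv (visible via ps and shell
# history) and is read as raw bytes by both AWS CLI v1 and v2, which differ
# in how a bare --plaintext value is interpreted.
ENCRYPTED_DATA=$(
  aws --profile "$PROFILE_ENCRYPT" --region "$REGION" \
    kms encrypt \
    --key-id "$KEY_ALIAS" \
    --plaintext fileb://<(printf '%s' "$ORIGINAL_DATA") \
    --query CiphertextBlob \
    --output text
) || die "kms encrypt failed"
[[ -n "$ENCRYPTED_DATA" ]] || die "kms encrypt returned an empty CiphertextBlob"
printf '%s\n' "$ENCRYPTED_DATA"

# decrypt
# NOTE: this could be a different user/profile, as long as it has decrypt access to the key
# CiphertextBlob is base64 text; the CLI wants the raw bytes, so decode it
# into a process-substitution "file". `--decode` is accepted by both GNU
# coreutils and BSD/macOS base64, whereas `-D` is the BSD/macOS spelling
# that GNU base64 rejects.
DECRYPTED_DATA=$(
  aws --profile "$PROFILE_DECRYPT" --region "$REGION" \
    kms decrypt \
    --ciphertext-blob fileb://<(printf '%s' "$ENCRYPTED_DATA" | base64 --decode) \
    --query Plaintext \
    --output text \
    | base64 --decode
) || die "kms decrypt failed"
printf '%s\n' "$DECRYPTED_DATA"

# compare (no news is good news)
# diff is the last command, so a mismatch makes the script exit non-zero.
# The data is passed as a printf argument, never as the format string.
printf '%s\n' "diff:"
diff <(printf '%s' "$ORIGINAL_DATA") <(printf '%s' "$DECRYPTED_DATA")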