Created
July 11, 2017 14:25
-
-
Save vovandodev/213fd613edd97945f6fc7727cb9355e5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Encrypt the Chef User’s Private Key | |
Chef Server uses public key cryptography to authenticate API requests. This requires the client to sign a hash of requests using a valid private key. In this example, we’ll use KMS to encrypt a copy of our Chef Server certificate (with its associated private key) and then decrypt it on the fly with the Lambda function as needed. This allows us to safely store our Chef Server credentials at rest in encrypted form without the risk of unauthorized users discovering the decryption key needed to access the credentials. | |
Create a customer master key (CMK) in KMS and note the keyId that is automatically generated. Make sure the IAM user you want to use for encrypted the Chef Server certificate and the Lambda role created in the previous section are added as a key users in KMS. Your IAM user needs kms.encrypt permissions to encrypt the certificate, while your Lambda user (via an IAM role) needs kms.decrypt permissions at runtime to access the certificate. | |
Encrypt your Chef Server certificate with the CMK you created in step 1. For example, using the AWS CLI tools, type the command: | |
aws kms encrypt --key-id KEY_ID_FROM_STEP_1 –plaintext | |
file://your_private_key.pem | |
3. You will receive a response with a CiphertextBlob if successful. An example of a successful response will look like this: | |
{ | |
"KeyId": "arn:aws:kms:us-east-1:123456789000:key/14d2aba8- | |
5142-4612-a836-7cf17284c8fd", | |
"CiphertextBlob": | |
"CiCgJ6/K9CIXrDdsJ1fES7kBIJ0STEn+VwpMBjzsHVnH2xKQAQEBAgB4oCevyvQi | |
F6w3bCdXxEu5ASCdEkxJ/lcKTAY87B1Zx9sAAABnMGUGCSqGSIb3DQEHBqBYMFYCA | |
QAwUQYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyk4nsWzRAWTiU4syoCARCAJD | |
HOtYNdSYI6wlso8SgATXKJ0WF5s3qhLcVqMKxaTOO3bCI6Lw==" | |
} | |
4. Copy this CiphertextBlob into a new file and store it in the same directory as the Lambda function; this is required so it can be packaged up with the function itself. I’ve used encrypted_pem.txt as the file name in my example, given the encrypted object is a certificate and private key, which is commonly name with the .pem file extension. Note the CiphertextBlob output is base64 encoded by the AWS CLI unless you send the output to a binary file using the fileb:// parameter. See the AWS KMS CLI help for more information on input and output encoding. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment