Giters

AWSToolbox / kms-vault

A script for managing secrets encrypted / decrypted via AWS KMS.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

wolfsoftwareencryption-decryptionawsaws-kmssecuritysecurity-tools

AWSToolbox logo
Github Build Status Release Commits since release

Overview

A bash script for managing secrets encrypted / decrypted via AWS KMS. This script is designed for encrypting things like yaml keys or other small pieces of data.

Limitations

There is 4K limit with regards to KMS encryption so do not use it for encrypting large files.

If you need to encrypt large files then use something like gpg or openssl and use this script to protect the private key.

We won't detail how to use gpg or any other tools for file encryption here, most methods will create a public and private key, and you can use this tool to protect that private key.

Usage

Usage: kms-vault.sh [ -hdel ] [ -k key alias ] [ -f input filename ] [ -o output filename ]
  -h    : Print this screen
  -d    : decrypt a given file
  -e    : encrypt a given file
  -f    : The name of the name to encrypt
  -k    : The alias for the key to encrypt with
  -l    : List the available KSM key aliases/names
  -o    : Name of the output file

The script has 3 operating modes:

  1. List available KMS keys
  2. Encrypt a file
  3. Decrypt a file

List Keys

./kms-vault.sh -l

Available Aliases:
1. alias/puppet

The alias name is used when encrypting the file contents. Not ALL KSM keys are listed, the script will not use a key which is AWS managed or any key which doesnt have a TargetKeyId attribute.

It is also possible that attempts to use certain keys might well be meet with the following error:

An error occurred (AccessDeniedException) when calling the Encrypt operation: <truncated output>

This is due to IAM restrictions to the key you are attempting to use, this normally happens with AWS managed keys like S3 and RDS which is why the script excludes them, but may also occur if you have set the access permissions to your custom key to be to restrictive.

You are required to create your own KMS keys for encryption/decryption purposes. (A tool for creating this will be released shortly and the link placed here).

Encrypt File

./kms-vault.sh -e -f <input file> -k <key alias> -o <output file>

The output from the script will be a long base64 encoded string, the output can be redirected to a file (an output file option is on the todo list)

Decrypt File

./kms-vault.sh -d -f <input file> -o <output file>

The output from the script will be the decrypted contains of the file, the output can be redirected to a file (an output file option is on the todo list)

About

A script for managing secrets encrypted / decrypted via AWS KMS.

wolfsoftwareencryption-decryptionawsaws-kmssecuritysecurity-tools

License:MIT License

Languages

Language:Shell 100.0%