# Stolen from http://ctrlf5.net/?p=263 and http://www.dailycoding.com/posts/convert_image_to_base64_string_and_base64_string_to_image.aspx
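function ConvertFrom-StringToMemoryStream {
    <#
    .SYNOPSIS
    Writes a string into a new MemoryStream and returns that stream.
    .PARAMETER InputString
    The text to encode. StreamWriter's default encoding is used (UTF-8 without a BOM),
    which matches the default StreamReader decoding used by ConvertFrom-StreamToString.
    .OUTPUTS
    System.IO.MemoryStream containing the encoded bytes, positioned at 0.
    .NOTES
    The StreamWriter is intentionally not disposed: disposing it would also close the
    underlying MemoryStream before the caller can use it.
    #>
    param(
        [parameter(Mandatory)]
        [string]$InputString
    )
    $stream = New-Object System.IO.MemoryStream
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.Write($InputString)
    $writer.Flush()
    # Rewind so a sequential reader starts at the first byte; previously the stream
    # was returned with Position at the end of the written data (ToArray() does not
    # care, but Read()/StreamReader callers would see an empty stream).
    $stream.Position = 0
    return $stream
}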
function ConvertFrom-Base64toMemoryStream {
    <#
    .SYNOPSIS
    Decodes a Base64 string and wraps the resulting bytes in a MemoryStream.
    .PARAMETER Base64Input
    Base64-encoded text. [System.Convert]::FromBase64String throws a FormatException
    when the input is not valid Base64.
    .OUTPUTS
    System.IO.MemoryStream exposing exactly the decoded bytes (offset 0, full length).
    #>
    param(
        [parameter(Mandatory)]
        [string]$Base64Input
    )
    [byte[]]$decoded = [System.Convert]::FromBase64String($Base64Input)
    # Emit the stream directly; PowerShell returns the pipeline output to the caller.
    New-Object System.IO.MemoryStream($decoded, 0, $decoded.Length)
}
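function ConvertFrom-StreamToBase64 {
    <#
    .SYNOPSIS
    Returns the entire contents of a MemoryStream as a Base64 string.
    .PARAMETER inputStream
    The stream to encode. As a side effect its Position is reset to 0 (kept from the
    original so callers that go on to read it sequentially are unaffected); ToArray()
    itself returns the whole buffer regardless of Position.
    .OUTPUTS
    System.String (Base64).
    #>
    param(
        [parameter(Mandatory)]
        [System.IO.MemoryStream]$inputStream
    )
    # The original also constructed a StreamReader over the stream that was never
    # read from; it has been removed (disposing it would have closed the stream).
    $inputStream.Position = 0
    return [System.Convert]::ToBase64String($inputStream.ToArray())
}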
function ConvertFrom-StreamToString {
    <#
    .SYNOPSIS
    Reads a MemoryStream from its beginning and returns its contents as text.
    .PARAMETER inputStream
    The stream to read; it is rewound to Position 0 first. Bytes are decoded with
    StreamReader's defaults (UTF-8, byte-order-mark detection enabled).
    .OUTPUTS
    System.String.
    .NOTES
    The reader is deliberately left undisposed because disposing it would close the
    caller's stream as well.
    #>
    param(
        [parameter(Mandatory)]
        [System.IO.MemoryStream]$inputStream
    )
    # Constructing the reader does not consume the stream, so rewinding first is
    # equivalent to rewinding after construction.
    $inputStream.Position = 0
    $textReader = New-Object System.IO.StreamReader($inputStream)
    $textReader.ReadToEnd()
}
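# Example
# $input is an automatic (reserved) variable in PowerShell; assigning to it breaks
# the script, so the plaintext lives in a differently named variable.
$PlaintextString = "Tes123123t"
$keyID = "c1d0d2ff-0aba-4e34-ad4b-9fcce153bc58"
$EncryptedFilePath = "$env:temp\EncryptedBase64.secret"
# Get the encrypted stream from Amazon KMS (requires the AWS Tools for PowerShell
# module and credentials that allow kms:Encrypt/kms:Decrypt on the key).
$EncryptedOutput = Invoke-KMSEncrypt -KeyId $keyID -Plaintext (ConvertFrom-StringToMemoryStream -InputString $PlaintextString) -region us-east-1
# Convert the ciphertext to Base64 so it can be written to a text file.
$EncryptedBase64 = ConvertFrom-StreamToBase64 -inputStream $EncryptedOutput.CiphertextBlob
Set-Content -Path $EncryptedFilePath -Value $EncryptedBase64 -Force
# Decrypt the secret from the file. -Raw reads the file as one string; the trailing
# newline Set-Content adds is whitespace, which FromBase64String ignores.
# No -KeyId is needed for Decrypt: the KMS ciphertext blob identifies its key.
$CiphertextStream = ConvertFrom-Base64toMemoryStream -Base64Input (Get-Content -Path $EncryptedFilePath -Raw)
$DecryptedOutputStream = Invoke-KMSDecrypt -CiphertextBlob $CiphertextStream -region us-east-1
# Convert the decrypted stream to a string. Note that this prints the recovered
# plaintext to the console; real scripts should keep it out of logs/transcripts.
$DecryptedOutput = ConvertFrom-StreamToString -inputStream $DecryptedOutputStream.Plaintext
Write-Host ("Decrypted Output: $DecryptedOutput")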
Thanks for this. I'm sitting in an AWS Summit class right now and this is far more clear than the examples they are providing.
Thanks a lot for your code
How can I import Invoke-KMSEncrypt ? Currently, I am getting error as not recognized for this.
Sorry, if its a silly question but I am beginner in scripting.
Refer http://docs.aws.amazon.com/powershell/latest/userguide/aws-pst-ug.pdf on how to get Invoke-KMSEncrypt
When I tried running this, $input was a reserved variable so it would error out. If you're trying to run through this, change it to $inputstr or something else!
Thank you so much, I was able to make it work. Why is it so complicated?
Anyway, you made my day!
I would also like to share this link: https://fitch.tech/2019/05/29/aws-lambda-for-powershell-encrypted-environment-variables/
This seems to be a "shorter" way to do it, although, my PS skills are limited, and I was not able to pass the Key ID to that new KMS instance. I know how to pass it to the standard C# constructor, but was not able to with PowerShell.
Cheers
Thank you. You are right, this is way too complicated