Skip to content

Instantly share code, notes, and snippets.

@Sam-Martin
Last active June 16, 2020 17:53
Show Gist options
  • Save Sam-Martin/1955ac4ef3972bb9e8a8 to your computer and use it in GitHub Desktop.
Save Sam-Martin/1955ac4ef3972bb9e8a8 to your computer and use it in GitHub Desktop.
PowerShell Example for using Invoke-KMSEncrypt and Invoke-KMSDecrypt
# Stolen from http://ctrlf5.net/?p=263 and http://www.dailycoding.com/posts/convert_image_to_base64_string_and_base64_string_to_image.aspx
function ConvertFrom-StringToMemoryStream{
param(
[parameter(Mandatory)]
[string]$InputString
)
$stream = New-Object System.IO.MemoryStream;
$writer = New-Object System.IO.StreamWriter($stream);
$writer.Write($InputString);
$writer.Flush();
return $stream
}
function ConvertFrom-Base64toMemoryStream{
param(
[parameter(Mandatory)]
[string]$Base64Input
)
[byte[]]$bytearray = [System.Convert]::FromBase64String($Base64Input)
$stream = New-Object System.IO.MemoryStream($bytearray,0,$bytearray.Length)
return $stream
}
function ConvertFrom-StreamToBase64{
param(
[parameter(Mandatory)]
[System.IO.MemoryStream]$inputStream
)
$reader = New-Object System.IO.StreamReader($inputStream);
$inputStream.Position = 0;
return [System.Convert]::ToBase64String($inputStream.ToArray())
}
function ConvertFrom-StreamToString{
param(
[parameter(Mandatory)]
[System.IO.MemoryStream]$inputStream
)
$reader = New-Object System.IO.StreamReader($inputStream);
$inputStream.Position = 0;
return $reader.ReadToEnd()
}
# Example
$input = "Tes123123t"
$keyID = "c1d0d2ff-0aba-4e34-ad4b-9fcce153bc58"
$EncryptedFilePath = "$env:temp\EncryptedBase64.secret"
# Get the enrcrypted stream from Amazon
$EncryptedOuput = (Invoke-KMSEncrypt -KeyId $keyID -Plaintext $(ConvertFrom-StringToMemoryStream $input) -region us-east-1)
# Convert it to Base64 so we can write it to a file
$EncryptedBase64 = ConvertFrom-StreamToBase64 -inputStream $EncryptedOuput.CiphertextBlob
Set-Content -Path $EncryptedFilePath -Value $EncryptedBase64 -Force
# Decrypt the secret from the file
$DecryptedOutputStream = Invoke-KMSDecrypt -CiphertextBlob $(ConvertFrom-Base64toMemoryStream -Base64Input $(Get-Content $EncryptedFilePath)) -region us-east-1
# Convert the decrypted stream to a strimg
$DecryptedOutput = ConvertFrom-StreamToString -inputStream $DecryptedOutputStream.Plaintext
Write-Host ("Decrypted Output: $DecryptedOutput")
@rmahroua
Copy link

Thank you so much, I was able to make it work. Why is it so complicated?
Anyway, you made my day!

I would also like to share this link: https://fitch.tech/2019/05/29/aws-lambda-for-powershell-encrypted-environment-variables/
This seems to be a "shorter" way to do it, although, my PS skills are limited, and I was not able to pass the Key ID to that new KMS instance. I know how to pass it to the standard C# constructor, but was not able to with PowerShell.

Cheers

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment