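# inspired by: https://www.youtube.com/watch?v=f3APF1dP8w0
#
# Walk-through of AWS KMS envelope encryption from the shell: encrypt a small
# value with KMS directly, then encrypt a large file locally with a KMS data
# key. Written to be pasted into an interactive bash session one section at a
# time. If you turn it into a script, add `set -euo pipefail` so a failed
# `aws` call cannot silently leave a variable empty for the following steps.
# Requires: AWS CLI v2 (the base64 handling of binary parameters below relies
# on it), openssl 1.1.1+ (for -pbkdf2), and an IAM identity allowed to use KMS.
########################################################################
# create a customer managed key
########################################################################
export AWS_DEFAULT_REGION=us-west-2
# create the key and keep its id; every later call is scoped to it.
# A description makes the key identifiable in the console / key listing, which
# matters when cleaning up (the last section only schedules deletion).
key_id=$(aws kms create-key --description "amcginlay-kms envelope encryption demo" --query "KeyMetadata.KeyId" --output text)
# abort (or, interactively, complain) rather than carry an empty key id forward
: "${key_id:?kms create-key failed; nothing to continue with}"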
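########################################################################
# show how to encrypt small amounts of data (<4kb) using KMS directly
########################################################################
# KMS Encrypt only accepts a few KB of plaintext, so this path is for small
# secrets; anything larger goes through a data key (next section).
# NOTE: AWS CLI v2 expects binary parameters such as --plaintext as base64
# text and decodes them before sending. Under CLI v1 the base64 string itself
# would be encrypted and the final decode below would not yield the original.
text="hello, world!"
# printf rather than a here-string: `<<<` appends a newline, which would
# otherwise become part of the encrypted plaintext.
# (GNU base64 wraps long output at 76 columns; add -w0 there if text grows.)
encoded_text=$(printf '%s' "${text}" | base64)
# encrypt and decrypt the encoded text. Decrypt needs no --key-id: the
# CiphertextBlob is tied to the key it was produced under, and KMS refuses the
# call unless the caller is allowed to use that key. Production code would
# also pass the same --encryption-context to both calls to bind the
# ciphertext to its intended use.
encrypted_encoded_text=$(aws kms encrypt --key-id "${key_id}" --plaintext "${encoded_text}" --query "CiphertextBlob" --output text)
decrypted_encoded_text=$(aws kms decrypt --ciphertext-blob "${encrypted_encoded_text}" --query "Plaintext" --output text)
# decode the decrypted text, ready to display
decrypted_decoded_text=$(base64 --decode <<< "${decrypted_encoded_text}")
# display the decoded text (printf: the value is data, not echo options)
printf '%s\n' "${decrypted_decoded_text}"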
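########################################################################
# larger amounts of data are encrypted with a KMS data key using openssl
########################################################################
# ask KMS to generate the data key we'll use with openssl. GenerateDataKey
# returns the key twice: encrypted under the customer managed key (store this
# alongside the ciphertext) and in plaintext (use it, then forget it). Both
# arrive base64 encoded on one tab-separated line, which `read` splits.
read -r encrypted_data_key plaintext_data_key < <(aws kms generate-data-key --key-id "${key_id}" --key-spec AES_256 --query "[CiphertextBlob,Plaintext]" --output text)
: "${plaintext_data_key:?kms generate-data-key failed}"
# keep a fingerprint so the round trip can be verified later without ever
# printing the key to the terminal (scrollback, session logs, screen shares)
plaintext_data_key_sha256=$(printf '%s' "${plaintext_data_key}" | openssl dgst -sha256)
# encrypt the standard dictionary (NOTE -e to encrypt).
# openssl's -k takes the password VALUE, not a path. The original
# `-k fileb://<(...)` therefore encrypted under the literal string
# "fileb:///dev/fd/NN" and never used the data key at all (decryption only
# worked because the fd number happened to repeat). -pass file: reads the
# first line of the named file, so the base64 key is supplied through a
# process substitution and never appears in argv (`ps`, history, audit logs).
# openssl derives the AES key from that passphrase with PBKDF2 (-pbkdf2,
# OpenSSL 1.1.1+) instead of the legacy single-iteration derivation. The raw
# 32 key bytes could be used directly via -K/-iv, but those go on the
# command line, so the passphrase route is preferred here.
# -aes-256-cbc is the same cipher the original selected with -aes256.
openssl enc -e -aes-256-cbc -pbkdf2 -in /usr/share/dict/words -out ./words.enc -pass file:<(printf '%s\n' "${plaintext_data_key}")
# discard the plaintext key; only the encrypted copy is kept
unset plaintext_data_key
# regenerate the plaintext key from the encrypted version
# if KMS doesn't trust the current IAM identity with the blob's associated key it won't complete the request (security!)
plaintext_data_key=$(aws kms decrypt --ciphertext-blob "${encrypted_data_key}" --query "Plaintext" --output text)
# prove KMS handed back the same key, without echoing it
if [[ "$(printf '%s' "${plaintext_data_key}" | openssl dgst -sha256)" == "${plaintext_data_key_sha256}" ]]; then
  echo "data key recovered from KMS"
else
  echo "data key MISMATCH" >&2
fi
# decrypt the previously encrypted file (NOTE -d to decrypt); same cipher,
# same KDF, same passphrase source as the encrypt step
openssl enc -d -aes-256-cbc -pbkdf2 -in ./words.enc -out ./words -pass file:<(printf '%s\n' "${plaintext_data_key}")
unset plaintext_data_key
# comparing the two files should reveal no differences
diff /usr/share/dict/words ./words && echo "round trip OK"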
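########################################################################
# tidy up
########################################################################
# delete the data files (-f: do not fail the cleanup if an earlier step
# never produced them) and discard the customer managed key in KMS
rm -f -- ./words.enc ./words
# KMS does not delete keys immediately: deletion is scheduled and only takes
# effect after the pending window (7 days here, the shortest allowed). During
# that window the key is unusable but the request can still be reverted with
# `aws kms cancel-key-deletion`. Once it elapses, anything still encrypted
# under this key, including any encrypted data key you kept, is unrecoverable.
aws kms schedule-key-deletion --key-id "${key_id}" --pending-window-in-days 7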