Encryption toolbox to be used with the Amazon Key Management Service for securing your deployment secrets.
It encapsulates the aws-encryption-sdk
package to expose cmdline actions. For both encrypt
and decrypt
actions,
the library requests a new data key from KMS and encrypts it with the Customer Master Key. This encryption happens server-side and is performed by Amazon.
Whatever data you pass to be encrypted or decrypted, all the cryptographic computation happens on the client side, hence
your data is never sent over the wire. The aws-encryption-sdk
guarantees embedding the data key used for sensitive data encryption
in the output stream that's being base64-encoded before returning from the encrypt
command.
decrypt
expects a data key to be embedded in the passed data. The data key is decrypted in KMS first (using the Customer Master Key)
and only then used to decrypt the sensitive data. As in case of encrypt
, decryption also happens on the client side.
Package is available in the PyPI repo.
$ pip install kms-encryption-toolbox
$ kms-encryption encrypt --help
Usage: kms-encryption encrypt [OPTIONS]
Encrypts data with a new data key and returns a base64-encoded result.
Options:
--cmk-arn TEXT ARN of an existing Customer Master Key in KMS
--data TEXT Data to be encrypted. Use to pass it as a named argument.
--env TEXT Name of an environment variable that contains data to be
encrypted.
--profile TEXT Name of an AWS CLI profile to be used when contacting AWS.
--prefix TEXT An output prefix to be added to the generated result.
-h, --help Show this message and exit.
$ kms-encryption decrypt --help
Usage: kms-encryption decrypt [OPTIONS]
Decrypts a base64-encoded data.
Options:
--data TEXT Data to be decrypted. Use to pass it as a named argument.
--env TEXT Name of an environment variable that contains data to be
decrypted.
--profile TEXT Name of an AWS CLI profile to be used when contacting AWS.
--prefix TEXT An input prefix to be trimmed from the beginning before a
value is decrypted.
-h, --help Show this message and exit.
$ kms-encryption decrypt-json --help
Usage: kms-encryption decrypt-json [OPTIONS] [INPUT]
Accepts a JSON map passed via standard input (or a file provided in the INPUT parameter)
and decrypts base64-encoded map values inside of it.
Options:
--profile TEXT Name of an AWS CLI profile to be used when contacting AWS.
--prefix TEXT An input prefix to be trimmed from the beginning before a
value is decrypted.
--allow-partial If partially encrypted string values inside JSON are
allowed. Substrings to decrypt are identified by the
starting prefix and end with a whitespace or end of string.
-h, --help Show this message and exit.
$ kms-encryption encrypt-json --help
Usage: kms-encryption encrypt-json [OPTIONS] [INPUT]
Accepts a JSON map in STDIN (or a file provided in the INPUT parameter)
and encrypts values inside of it then saves base64-encoded.
Options:
--cmk-arn TEXT ARN of an existing Customer Master Key in KMS
--profile TEXT Name of an AWS CLI profile to be used when contacting AWS.
--prefix TEXT An output prefix to be added to the beginning of an
encrypted value.
-h, --help Show this message and exit.
$ export SECRET_VALUE="This is some super secret string"
$ export ENCRYPTED_VALUE=$(kms-encryption encrypt --cmk-arn arn:aws:kms:us-east-1:123456789012:key/1e1a6a81-93e0-4b9a-954b-aa1234567890 --env "SECRET_VALUE" --prefix "decrypt:")
$ echo $ENCRYPTED_VALUE
decrypt:AYADeJECDnf7+NLeAVJsur5YuekAXwABABVhd3MtY3J5cHRvLXB1YmxpYy1rZXkAREFnTHdvU1h5UVJuU3FkZGNsM0N3RXVXdURma1NYSG1KZThZZE9Wck1PUUgwMWgyRVV3U2xFK0VCamx4azVsd0EzQT09AAEAB2F3cy1rbXMAS2Fybjphd3M6a21zOnVzLWVhc3QtMTo4NzM1NTkyNjkzMzg6a2V5LzFlMWE2YTgxLTkzZTAtNGI5YS05NTRiLWNjMDk4MDJiZjNjZQC4AQICAHgifue3f62DmuhKCz2j5CoqHuVBEjiKI1sGxff/ai505wFaCCPDO4Y8TrR3hoSugCfwAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMfcuTS3R5ZyAF1PTDAgEQgDtb+d24hym8ARlMUAjvypkzjwWCow/vFsOCNNyanBXUpeg1zUS3pm9N2jUdWUkuFthfnIYP/DKha++ntAIAAAAADAAAEACSdsPl9FNdOKFIApY/cT3N2KlcdyRqYpxio+PP/////wAAAAGN+BxTQlHfwz7vgrMAAAAL5Pu3Pkw4G13jdJiZYRHUED00JI226iC/p1xVAGgwZgIxAMk0vt2tIFpTb/YgPsTcvBVF4QYcRu28j8nONHSWLLox2DupiUuUjP5lsFHr15ENRgIxAJxEIV96k5PfFEaCIMvn83NRkXHcT9nphuOQd6FNRy0DeAuWOeApRQuZ4Ti0mVy/aA==
$ DECRYPTED_VALUE=$(kms-encryption decrypt --env "ENCRYPTED_VALUE" --prefix "decrypt:")
$ echo $DECRYPTED_VALUE
This is some super secret string
$ echo "{\"value\": \"$ENCRYPTED_VALUE\"}" | kms-encryption decrypt-json --prefix "decrypt:")
{"value":"This is some super secret string"}
The library also exposes an additional Bash script helpful in automated deployments:
decrypt-and-start
- Decrypts all the environment variables that start withdecrypt:
and saves the decrypted values in the same environment variables. Then it executes the passed parameters. This script can be used as an entrypoint in a Dockerfile.
If you fail to install the package with pip
due to an error in compiling the cryptography
package, you might need to install additional system dependencies. Instructions below:
yum install -y gcc libffi-devel python-devel openssl-devel
apt-get install -y build-essential libssl-dev libffi-dev python-dev
Please make sure you have openssl installed (it should be as a part of system default packages).