No KMS support
Closed this issue · 1 comments
jesdynf commented
It'd be nice if we could pass KMS key IDs through to s3cmd.
```
--server-side-encryption
        Specifies that server-side encryption will be used when putting
        objects. [put, sync, cp, modify]
--server-side-encryption-kms-id=KMS_KEY
        Specifies the key id used for server-side encryption with AWS
        KMS-Managed Keys (SSE-KMS) when putting objects. [put, sync, cp,
        modify]
```
If I get enough of this working to make submitting a PR worthwhile, I'll try to do so. Thanks!
jesdynf commented
Oh, phooey. I dug deep enough into Duplicity to find out the issue -- it doesn't have KMS support. All it can do is default S3 encryption. I wanted hands-off automated passwords without plaintext storage -- which I did get, after a little magic with an intermediate password.
```sh
# create passphrase
umask 077                        # anything created below is owner-only
PASSFILE=$(mktemp)               # private temp file instead of a fixed /tmp name
openssl rand -base64 32 > "$PASSFILE"
aws s3 cp "$PASSFILE" "s3://$S3/Backup/passphrase.txt" --sse aws:kms --sse-kms-key-id "$KMS"
rm -f "$PASSFILE"

# fetch passphrase for use (streamed to stdout, never written to disk)
PASSPHRASE=$(aws s3 cp "s3://$S3/Backup/passphrase.txt" - --sse aws:kms --sse-kms-key-id "$KMS")
```
Sorry to bother you!
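Added example, not part of the original thread: a check that the stored passphrase object really is encrypted with SSE-KMS under the expected key, rather than default S3 encryption. The function names `head_sse` and `check_sse_kms` are hypothetical, the key ARN in the comments is a constructed sample, and the parsing assumes `aws s3api head-object` with `--output text` prints the two queried fields tab-separated on one line.

```shell
#!/bin/sh
# Verify that an S3 object is SSE-KMS encrypted under the expected key.

# head_sse BUCKET KEY
# Prints "<ServerSideEncryption><TAB><SSEKMSKeyId>", e.g. (constructed):
#   aws:kms	arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
# An object under default S3 encryption prints "AES256	None".
head_sse() {
    aws s3api head-object --bucket "$1" --key "$2" \
        --query '[ServerSideEncryption,SSEKMSKeyId]' --output text
}

# check_sse_kms HEAD_OUTPUT EXPECTED_KEY
# Return codes:
#   0  object uses aws:kms with the expected key
#   1  object is not SSE-KMS encrypted at all
#   2  object is SSE-KMS encrypted, but under a different key
#   3  EXPECTED_KEY is an alias; S3 reports the key ARN, so resolve the
#      alias (aws kms describe-key) before comparing
check_sse_kms() {
    alg=$(printf '%s\n' "$1" | cut -f1)
    arn=$(printf '%s\n' "$1" | cut -f2)
    [ "$alg" = "aws:kms" ] || return 1
    case "$2" in
        alias/*|arn:*:alias/*) return 3 ;;
        arn:*) [ "$arn" = "$2" ] || return 2 ;;
        *)  # bare key id: must be the final component of the reported ARN
            case "$arn" in
                *":key/$2") ;;
                *) return 2 ;;
            esac ;;
    esac
    return 0
}

# Live usage with the thread's variables (needs AWS credentials):
#   check_sse_kms "$(head_sse "$S3" Backup/passphrase.txt)" "$KMS" \
#       || echo "passphrase object is not under the expected KMS key" >&2
```

Running the check right after the upload and again before each fetch catches an object that was re-uploaded without the `--sse` flags.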