applauseoss / kms-encryption-toolbox

Encryption toolbox being a wrapper for aws-encryption-sdk to be used for securing your deployment secrets.

License: MIT License

Language: Python 100.00%
Topics: encryption, kms, aws, aes

kms-encryption-toolbox

Encryption toolbox to be used with the Amazon Key Management Service (KMS) for securing your deployment secrets. It encapsulates the aws-encryption-sdk package to expose command-line actions. For both encrypt and decrypt actions, the library requests a new data key from KMS and encrypts it with the Customer Master Key. This encryption of the data key happens server-side and is performed by Amazon.

Whatever data you pass to be encrypted or decrypted, all cryptographic computation on that data happens on the client side, so your data is never sent over the wire. The aws-encryption-sdk embeds the (encrypted) data key used for the sensitive-data encryption in the output stream, which is base64-encoded before the encrypt command returns it.

decrypt expects a data key to be embedded in the passed data. The data key is decrypted in KMS first (using the Customer Master Key) and only then used to decrypt the sensitive data. As with encrypt, decryption of the data itself happens on the client side.

pip

The package is available on PyPI.

$ pip install kms-encryption-toolbox

Usage

Encrypt

$ kms-encryption encrypt --help

Usage: kms-encryption encrypt [OPTIONS]
Encrypts data with a new data key and returns a base64-encoded result.

Options:
--cmk-arn TEXT  ARN of an existing Customer Master Key in KMS
--data TEXT     Data to be encrypted. Use to pass it as a named argument.
--env TEXT      Name of an environment variable that contains data to be
                encrypted.
--profile TEXT  Name of an AWS CLI profile to be used when contacting AWS.
--prefix TEXT   An output prefix to be added to the generated result.
-h, --help      Show this message and exit.

Decrypt

$ kms-encryption decrypt --help

Usage: kms-encryption decrypt [OPTIONS]
Decrypts a base64-encoded data.

Options:
--data TEXT     Data to be decrypted. Use to pass it as a named argument.
--env TEXT      Name of an environment variable that contains data to be
                decrypted.
--profile TEXT  Name of an AWS CLI profile to be used when contacting AWS.
--prefix TEXT   An input prefix to be trimmed from the beginning before a
                value is decrypted.
-h, --help      Show this message and exit.

Decrypt a JSON map

$ kms-encryption decrypt-json --help

Usage: kms-encryption decrypt-json [OPTIONS] [INPUT]

Accepts a JSON map passed via standard input (or a file provided in the INPUT parameter)
and decrypts base64-encoded map values inside of it.

Options:
--profile TEXT  Name of an AWS CLI profile to be used when contacting AWS.
--prefix TEXT   An input prefix to be trimmed from the beginning before a
                value is decrypted.
--allow-partial If partially encrypted string values inside JSON are
                allowed. Substrings to decrypt are identified by the
                starting prefix and end with a whitespace or end of string.
-h, --help      Show this message and exit.

Encrypt a JSON map

$ kms-encryption encrypt-json --help

Usage: kms-encryption encrypt-json [OPTIONS] [INPUT]

Accepts a JSON map via standard input (or a file provided in the INPUT parameter),
encrypts the values inside of it and saves them base64-encoded.

Options:
--cmk-arn TEXT  ARN of an existing Customer Master Key in KMS
--profile TEXT  Name of an AWS CLI profile to be used when contacting AWS.
--prefix TEXT   An output prefix to be added to the beginning of an
                encrypted value.
-h, --help      Show this message and exit.

Use examples

$ export SECRET_VALUE="This is some super secret string"
$ export ENCRYPTED_VALUE=$(kms-encryption encrypt --cmk-arn arn:aws:kms:us-east-1:123456789012:key/1e1a6a81-93e0-4b9a-954b-aa1234567890 --env "SECRET_VALUE" --prefix "decrypt:")

$ echo $ENCRYPTED_VALUE
decrypt:<base64-encoded ciphertext omitted here>

$ DECRYPTED_VALUE=$(kms-encryption decrypt --env "ENCRYPTED_VALUE" --prefix "decrypt:")
$ echo $DECRYPTED_VALUE
This is some super secret string

$ echo "{\"value\": \"$ENCRYPTED_VALUE\"}" | kms-encryption decrypt-json --prefix "decrypt:"
{"value":"This is some super secret string"}

Additional scripts

The library also exposes an additional Bash script helpful in automated deployments:

  • decrypt-and-start - Decrypts all the environment variables whose values start with decrypt: and stores the decrypted values back in the same environment variables. It then executes the command passed as its arguments. This script can be used as an entrypoint in a Dockerfile.
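As an added illustration (not the project's own code), the following Python reimplements the value-selection rules shared by decrypt-json (--prefix, --allow-partial) and the decrypt-and-start script, with a constructed lookup table standing in for the KMS-backed aws-encryption-sdk decryption; fake_decrypt, decrypt_value, decrypt_json_map and decrypt_environment are assumed names, not the toolbox's API.

```python
import json
from typing import Any, Callable, Dict

# Constructed stand-in for the KMS-backed aws-encryption-sdk decryption that
# kms-encryption performs; real decryption needs a KMS round trip to unwrap the
# embedded data key, so this table maps fake base64 ciphertexts to plaintext.
FAKE_CIPHERTEXTS = {"AQIDAAE=": "super-secret-db-password", "BAUGAAI=": "hunter2"}

def fake_decrypt(ciphertext_b64: str) -> str:
    if ciphertext_b64 not in FAKE_CIPHERTEXTS:
        raise ValueError("cannot decrypt %r" % ciphertext_b64)  # surfaces bad/empty input
    return FAKE_CIPHERTEXTS[ciphertext_b64]

def decrypt_value(value: str, prefix: str, decrypt_fn: Callable[[str], str],
                  allow_partial: bool = False) -> str:
    """Apply the --prefix convention to one string value.

    Whole-value mode: decrypt only if the value starts with prefix (trimmed
    first); anything else is plaintext and passes through unchanged.
    Partial mode (--allow-partial): each substring that starts with prefix and
    runs to the next whitespace or end of string is decrypted in place.
    """
    if not allow_partial:
        return decrypt_fn(value[len(prefix):]) if value.startswith(prefix) else value
    out, pos = [], 0
    while True:
        start = value.find(prefix, pos)
        if start == -1:
            out.append(value[pos:])
            return "".join(out)
        end = start + len(prefix)
        while end < len(value) and not value[end].isspace():
            end += 1
        out.append(value[pos:start])
        out.append(decrypt_fn(value[start + len(prefix):end]))
        pos = end

def decrypt_json_map(doc: str, prefix: str, decrypt_fn: Callable[[str], str],
                     allow_partial: bool = False) -> Dict[str, Any]:
    """decrypt-json: decrypt the string values of a top-level JSON map."""
    data = json.loads(doc)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON map at the top level")
    return {k: decrypt_value(v, prefix, decrypt_fn, allow_partial) if isinstance(v, str) else v
            for k, v in data.items()}

def decrypt_environment(env: Dict[str, str], prefix: str,
                        decrypt_fn: Callable[[str], str]) -> Dict[str, str]:
    """decrypt-and-start: rewrite every variable whose value starts with prefix."""
    return {k: decrypt_value(v, prefix, decrypt_fn) for k, v in env.items()}
```

A value whose ciphertext the backend cannot decrypt raises rather than being passed through, which is the behaviour you want from an entrypoint: failing the start is safer than launching with a half-decrypted environment.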

Troubleshooting

If pip fails to install the package because the cryptography package does not compile, you might need to install additional system dependencies first:

CentOS

yum install -y gcc libffi-devel python-devel openssl-devel

Debian/Ubuntu

apt-get install -y build-essential libssl-dev libffi-dev python-dev

MacOS

Please make sure you have openssl installed (it should be part of the default system packages).

License

MIT License

Contributors

agaffney, dependabot[bot], fossabot, jasisz, jwitko, kbanka, pblaze, rogoman, wolf31o2

Issues

attr version range

After pulling kms-encryption-toolbox into my project, I see:

Traceback (most recent call last):
  File "/Users/billcrook/dev/insights-api/venv/bin/py.test", line 7, in <module>
    from pytest import main
  File "/Users/billcrook/dev/insights-api/venv/lib/python3.6/site-packages/pytest.py", line 13, in <module>
    from _pytest.fixtures import fixture, yield_fixture
  File "/Users/billcrook/dev/insights-api/venv/lib/python3.6/site-packages/_pytest/fixtures.py", line 842, in <module>
    class FixtureFunctionMarker(object):
  File "/Users/billcrook/dev/insights-api/venv/lib/python3.6/site-packages/_pytest/fixtures.py", line 844, in FixtureFunctionMarker
    params = attr.ib(convert=attr.converters.optional(tuple))
AttributeError: module 'attr' has no attribute 'converters'
make: *** [test] Error 1

It appears toolbox has a max version of 17 for attr which causes a dependency conflict and override of a transitive dependency. When explicitly setting attr to 17.4.0, everything works fine. You might consider relaxing the dependency range. Cheers!

Partially Uninitialized error when using module

OS: Ubuntu 18.04.5 LTS

Error: failed to execute "/bin/sh": Traceback (most recent call last):
  File "/opt/hostedtoolcache/Python/3.9.1/x64/bin/kms-encryption", line 33, in <module>
    sys.exit(load_entry_point('kms-encryption-toolbox==0.1.7', 'console_scripts', 'kms-encryption')())
  File "/opt/hostedtoolcache/Python/3.9.1/x64/bin/kms-encryption", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/importlib/metadata.py", line 77, in load
    module = import_module(match.group('module'))
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 972, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 790, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/kmsencryption/__init__.py", line 1, in <module>
    from kmsencryption.lib import encrypt
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/kmsencryption/lib.py", line 5, in <module>
    import aws_encryption_sdk
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/aws_encryption_sdk/__init__.py", line 19, in <module>
    from aws_encryption_sdk.caches.local import LocalCryptoMaterialsCache  # noqa
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/aws_encryption_sdk/caches/__init__.py", line 25, in <module>
    from ..internal.formatting.encryption_context import serialize_encryption_context
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/aws_encryption_sdk/internal/formatting/__init__.py", line 14, in <module>
    from .serialize import serialize_header
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/aws_encryption_sdk/internal/formatting/serialize.py", line 17, in <module>
    import aws_encryption_sdk.internal.defaults
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/aws_encryption_sdk/internal/defaults.py", line 16, in <module>
    import aws_encryption_sdk.identifiers
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/aws_encryption_sdk/identifiers.py", line 18, in <module>
    from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/cryptography/hazmat/primitives/asymmetric/padding.py", line 10, in <module>
    from cryptography.hazmat.primitives.asymmetric import rsa
  File "/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/cryptography/hazmat/primitives/asymmetric/rsa.py", line 20, in <module>
    from cryptography.hazmat.primitives.asymmetric.padding import AsymmetricPadding
ImportError: cannot import name 'AsymmetricPadding' from partially initialized module 'cryptography.hazmat.primitives.asymmetric.padding' (most likely due to a circular import) (/opt/hostedtoolcache/Python/3.9.1/x64/lib/python3.9/site-packages/cryptography/hazmat/primitives/asymmetric/padding.py)
