Encrypting and Decrypting files with Amazon Key Service and storing secrets with Amazon Secret Manager
Easy to use CLI tool for encrypting and decrypting files using AWS managed keys. It also supports Amazon Secret Manager for retrieval of secrets such as OAuth tokens, database credentials, API keys, ...
It's intention is to enable developers to store and deploy configuration files and access credentials or other secrets stored within ASM (Amazon Secret Manager).
Rotations of the keys is currently not supported.
Click Policies -> Create Policy
For service select KMS and specifiy allowed operations. Name your policy kms-access-policy
Create another policy for Secrets Manager (previously KMS) and specify allowed operations. For this policy read operation is enough. Name your policy kms-secret-policy
Head over to Identity and Access Management.
Click Users -> Add User. Be sure to select programatic access only.
Follow the prompts and attach existing policies directly : kms-access-policy and kms-secret-policy.
Be sure to copy your Access Key Id and Secret access key on the final screen before proceeding with the next steps as you'll need these later.
Name your user: kms-user
Head over to AWS Key Management Service.
Click Custom managed keys -> Create Key
In the section Define key administrative permissions select user kms-user.
Name the key configkey.
Check the created arn. You'll need it for running ckms.
Head over to Secrets Manager.
Click Secrets -> Store new secret
Select other type of secrets and add a few secret key/values. From the dropdown select KMS key configkey.
Name the secret mysecrets
aws configure
Use your users Access Key ID and Secret for credentials.
Using CKMS is easy. First use go get to install the latest version of the library. This command will install the CKMS executable along with the library and its dependencies:
go get -u github.com/igorrendulic/go-aws-kms
Next, include CKSM in your application:
import "github.com/igorrendulic/go-aws-kms"- encrypt
- decrypt
- secret
Encrypting, decrypting configuration files with AWS KMS service
Usage:
ckms [flags]
ckms [command]
Available Commands:
decrypt Decrypting files with AWS KMS service
encrypt Encrypting files with AWS KMS service
help Help about any command
secret Retrieve secret from AWS Secret Manager
Flags:
-h, --help help for ckms
-k, --key-id string aws kms key ID
Use "ckms [command] --help" for more information about a command.
-k arn of your KMS key
-i input file (when encrypting location of plaintext file, when decrypting location of ciphertext file)
-o output file (when encrypting cihpertext file locaton,when decrypting location of plaintext file)
Replace placeholder ARN key with yours.
ckms encrypt -i inputfile -o outputfile -k arn:aws:kms:eu-west-2:111111111:key/1111111-11111-11aa-aa11-111111
Replace placeholder ARN key with yours.
ckms decrypt -i encrypted.yaml -o plaintest.yaml -k arn:aws:kms:eu-west-2:111111111:key/1111111-11111-11aa-aa11-111111
Replace placeholder ARN key with yours.
ckms secret -s mysecrets -k arn:aws:kms:eu-west-2:111111111:key/1111111-11111-11aa-aa11-111111
Do not store AWS API keys onto production environment. The correct way to do this is to deploy you VM instances with roles.
Recommended resources:
Attach an AWS IAM Role to an existing EC2 Instance by using AWS CLI
AWS IAM Integration for Kubernetes
Initiate CKMS library:
kmsKey := "arn:..."
ced := NewCKMS(kmsKey)Encrypt a file:
encrypted, err := ced.Ecrypt("path/to/file")Decrypt a file:
decryptedBytes, err := ced.Decrypt("/path/to/encrypted/file")Retrieve secret:
secrets, err := ced.GetSecret("mysecrets")The returned result of secrets is a map:
map[string]stringAWS KMS can encrypt only files up to 4KB (4096 bytes). These operations are designed to encrypt and decrypt data keys. Although you might use them to encrypt small amounts of data, such as a password or RSA key, they are not designed to encrypt application data.