A tool designed to do KMS-based envelope encryption of files.
Decryption:
- takes a file {filename.kms} that you have encrypted with this program
- base64 decodes the file and extracts the IV and the encrypted key from the prefix
- decrypts the encrypted key with the proper EncryptionContext using KMS
- decrypts the data with that key
- saves the data in a local file named {filename}
Encryption:
- takes the file {filename}
- generates a KMS encryption key tied to a supplied EncryptionContext value and KMS Customer Master Key
- encrypts the file with the encryption key
- prepends the encrypted key and IV to the file
- base64 encodes the new file
- saves it as {filename.kms}
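The two flows above, as an added Go example that is not the project's code: a local AES-256-GCM master key stands in for the KMS call, and the cipher, the fixed 60-byte wrapped-key prefix and the helper names are assumptions, since the page does not specify the tool's on-disk layout. KMS treats the EncryptionContext as additional authenticated data, which the stand-in mirrors by passing the context as GCM AAD, so decryption with a different context fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

const wrappedLen = 12 + 32 + 16 // assumed prefix: IV + wrapped data key + GCM tag

func gcm(key []byte) cipher.AEAD { // AES-GCM; a bad key length is a programming error
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(b) // cannot fail for an AES block cipher
	return g
}

func random(n int) []byte { // n bytes from the OS CSPRNG
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Encrypt emits base64(wrapped key || IV || ciphertext); master is a local stand-in for KMS.
func Encrypt(master, pt []byte, context string) string {
	dataKey, n1, n2 := random(32), random(12), random(12) // fresh key and IVs per file
	wrapped := gcm(master).Seal(n1, n1, dataKey, []byte(context))
	body := gcm(dataKey).Seal(n2, n2, pt, nil)
	return base64.StdEncoding.EncodeToString(append(wrapped, body...))
}

// Decrypt fails closed if the context differs from the one used to wrap the key.
func Decrypt(master []byte, encoded, context string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < wrappedLen+12+16 { // body needs at least IV + tag
		return nil, errors.New("malformed envelope")
	}
	dataKey, err := gcm(master).Open(nil, raw[:12], raw[12:wrappedLen], []byte(context))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong master key or context")
	}
	return gcm(dataKey).Open(nil, raw[wrappedLen:wrappedLen+12], raw[wrappedLen+12:], nil)
}
```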
mkdir $GOPATH/src/github.com/DonMills
cd $GOPATH/src/github.com/DonMills
git clone https://github.com/DonMills/kmsencrypt.git
or
go get github.com/DonMills/kmsencrypt
This tool requires the "aws-sdk-go" and "urfave/cli" packages to be installed.
go get github.com/aws/aws-sdk-go/
go get github.com/urfave/cli
Alternatively, if you have glide installed, you can just get the deps like this:
glide up
go install
or
go build -o kmsencrypt
./kmsencrypt
The tool has a full help system, but general usage is:
kmsencrypt [command] {command specific options}
where the commands are:
kmsencrypt encrypt [localfilename] [context]
OPTIONS:
-c value The customer master key id - can set with KMSENCRYPT_CMKID environment variable [$KMSENCRYPT_CMKID]
or
kmsencrypt decrypt [localfilename] [context]
In some situations (such as needing an STS token to work in an environment), or if you rely on entries in your ~/.aws/config file, you may need to set the following environment variable:
AWS_SDK_LOAD_CONFIG=1
This is a feature of the AWS SDK for Go, discussed here: http://docs.aws.amazon.com/sdk-for-go/api/aws/session/
New! Now you can install on a Mac using Homebrew:
brew install DonMills/tools/kmsencrypt