AWS KMS support for pgp-maven-plugin

Overview

This plugin adds support to pgp-maven-plugin for decrypting a PGP passphrase via AWS Key Management Service (KMS). It wraps other passphrase loaders with KMS decryption: the wrapped loader supplies the cipher text, and KMS returns the plaintext passphrase.

Usage

Configure your pom.xml to add pgp-maven-plugin-awskms as a dependency of pgp-maven-plugin:

<plugin>
    <groupId>org.kohsuke</groupId>
    <artifactId>pgp-maven-plugin</artifactId>
    <dependencies>
        <dependency>
            <groupId>com.lasmanis</groupId>
            <artifactId>pgp-maven-plugin-awskms</artifactId>
        </dependency>
    </dependencies>
    <configuration>
        <secretkey>SECRET_KEY_SPECIFIER</secretkey>
        <passphrase>PASSPHRASE_SPECIFIER</passphrase>
    </configuration>
    <executions>
        <execution>
            <goals>
                <goal>sign</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Specify the passphrase cipher text as literal text

awskms:literal:ENCRYPTEDPASSPHRASE

This lets you specify the encrypted passphrase inline directly.

Store the passphrase cipher text in a file

awskms:file:PATH/TO/FILE

This lets you store the encrypted passphrase in a file on the local filesystem.

Wrapping any PassphraseLoader (including custom loaders)

awskms:SCHEME:PATH/TO/FILE

This lets you wrap any PassphraseLoader available in the pom (built-in or custom): the wrapped loader supplies the cipher text, which is then decrypted via KMS.

Generating the Cipher Text

You can use any KMS method (API, CLI, SDK, etc.) to generate the cipher text.

Once you have created a customer master key and added your IAM user as a user of that key, you can generate the cipher text. Using the AWS CLI is the simplest method. The output of the following command is the ENCRYPTEDPASSPHRASE, which can be read from a file (via scheme awskms:file:) or used directly (via scheme awskms:literal:):

aws kms encrypt --key-id arn:aws:kms:us-east-1:XXXXXXXXXXXX:key/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX  --plaintext "PASSPHRASE" --output text --query CiphertextBlob

In the command above, replace PASSPHRASE with the passphrase for your key, and replace the key-id ARN (starting with arn:aws:kms.....) with your own key's ARN (available via the AWS console or the CLI command 'aws kms list-keys').

NOTE: Do not use cipher text generated by the AWS Encryption SDK. The Encryption SDK wraps its output in its own message format, which is not directly compatible with the KMS service's decrypt operation.
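As an added illustration (not the plugin's own code) of how the three specifier forms consume the cipher text produced by the command above, here is a small Java program against aws-java-sdk v1 that parses an awskms:SCHEME:VALUE specifier, loads the base64 cipher text through the inner scheme and decrypts it with KMS. The InnerLoader interface, the AwsKmsPassphraseDemo class and the lambda-based loader table are assumptions standing in for pgp-maven-plugin's real PassphraseLoader registry.

```java
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DecryptRequest;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

// Hypothetical stand-in for pgp-maven-plugin's PassphraseLoader: maps a specifier body to text.
interface InnerLoader {
    String load(String body) throws Exception;
}
public class AwsKmsPassphraseDemo {
    private static final String PREFIX = "awskms:";
    // Resolves "awskms:SCHEME:BODY": the inner scheme yields base64 cipher text, KMS returns the passphrase.
    public static String resolve(String specifier, AWSKMS kms) throws Exception {
        if (!specifier.startsWith(PREFIX)) {
            throw new IllegalArgumentException("not an awskms specifier");
        }
        String rest = specifier.substring(PREFIX.length());
        int sep = rest.indexOf(':');
        if (sep < 1 || sep == rest.length() - 1) {
            throw new IllegalArgumentException("expected awskms:SCHEME:VALUE");
        }
        // trim() drops the newline that 'aws kms encrypt --output text' appends to the base64 blob.
        String cipherTextB64 = innerLoader(rest.substring(0, sep)).load(rest.substring(sep + 1)).trim();
        byte[] cipherText = Base64.getDecoder().decode(cipherTextB64);
        // KMS identifies the key from the cipher text itself; the client must target the key's region.
        DecryptRequest req = new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(cipherText));
        ByteBuffer plain = kms.decrypt(req).getPlaintext();
        byte[] out = new byte[plain.remaining()];
        plain.get(out);
        return new String(out, StandardCharsets.UTF_8);
    }
    // Only the two inner schemes documented above are modelled here; the plugin delegates to any loader.
    private static InnerLoader innerLoader(String scheme) {
        switch (scheme) {
            case "literal": return body -> body;
            case "file": return body -> new String(Files.readAllBytes(Paths.get(body)), StandardCharsets.UTF_8);
            default: throw new IllegalArgumentException("unsupported inner scheme: " + scheme);
        }
    }
    public static void main(String[] args) throws Exception {
        // Default credential chain (env vars, profile, instance role), as the plugin currently uses.
        AWSKMS kms = AWSKMSClientBuilder.defaultClient();
        // Print only the length: the decrypted passphrase itself should never reach build logs.
        System.out.println("decrypted " + resolve(args[0], kms).length() + " characters");
    }
}
```

Run it as `java AwsKmsPassphraseDemo awskms:file:/path/to/ciphertext.b64` with the AWS region and credentials configured as for the plugin.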

AWS Credentials

Currently, the plugin uses the default credential handler from the aws-java-sdk. Configuration and initialization priorities are described in the aws-java-sdk documentation. The ability to supply credentials via the PASSPHRASE_SPECIFIER is coming in a future release.

If you are running within the AWS infrastructure, it is highly recommended to use IAM roles instead of managing access keys/secrets. The combination of roles and this plugin eliminates the need to have plaintext signing secrets in a non-interactive build environment (like CodePipeline).

Documentation

License

Copyright 2017 Michael Lasmanis.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

 http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.