def encryptionSDKDemo(): import aws_encryption_sdk # # AWS Encryption SDK works with arbitrary length text # plaintext = 'This is a very long text document' # # The MKP object contains reference to master keys # mkp = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[MASTER_KEY_ARN]) encryption_context = {'data_type': 'example', 'classification': 'public'} # # Let's encrypt the plaintext data # ciphertext, encryptor_header = aws_encryption_sdk.encrypt( source=plaintext, key_provider=mkp, encryption_context=encryption_context) # # Let's decrypt the ciphertext data # decrypted_plaintext, decryptor_header = aws_encryption_sdk.decrypt( source=ciphertext, key_provider=mkp) print(decrypted_plaintext.decode('utf-8'))
def encrypt_file(self, source_file_name, target_file_name): """ Encrypt a file using aws_encryption SDK and a KMS key :param source_file_name: File name (path) to encrypt :type source_file_name: str :param target_file_name: File name (path) to be used as target encrypted file. Use to be a NamedTemporaryFile :type target_file_name: str """ logging.info('Open a AWS session for KMS actions using ') kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider( config=self.get_conn(), key_ids=[self.aws_kms_key_arn]) with open(source_file_name, 'rb') as pt_file, open(target_file_name, 'wb') as ct_file: with aws_encryption_sdk.stream(mode='e', source=pt_file, key_provider=kms_key_provider, frame_length=1024) as encryptor: for chunk in encryptor: ct_file.write(chunk) logging.info('Comparing source and target files:') logging.info('Source file size: {}kb'.format( os.stat(source_file_name).st_size >> 10)) logging.info('Source file type: [{}]'.format( magic.from_file(source_file_name))) logging.info('Taget file size: {}kb'.format( os.stat(target_file_name).st_size >> 10)) logging.info('Target file type: [{}]'.format( magic.from_file(target_file_name))) return target_file_name
def EncryptionSdkDemo(): session = botocore.session.Session(profile=PROFILE_NAME) kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider( botocore_session=session, key_ids=[MASTER_KEY_ARN], region_names=[REGION]) plainText = b"This is my secret data" encryptionContext = {'type': 'password', 'env': 'dev'} # SDK kullanarak bizim icin olusturulan datakey ile ciphertextimizi elde ediyoruz. cipherText, encryption_header = aws_encryption_sdk.encrypt( source=plainText, encryption_context=encryptionContext, key_provider=kms_key_provider) # print("Encrypted data= ", base64.b64encode(cipherText)) print("Encrypt edildi") decryptedText, decryption_header = aws_encryption_sdk.decrypt( source=cipherText, key_provider=kms_key_provider) # Encryption contextimiz decryption_header icerisinde. print(decryption_header.encryption_context) print('Decrypted Text= ', decryptedText) assert plainText == decryptedText
def initialize() -> DocumentBucketOperations: """ Configure a Document Bucket API automatically with resources bootstrapped by CloudFormation. """ # Load the pointers to CloudFormation resources that you just deployed state = toml.load(os.path.expanduser( config["base"]["state_file"]))["state"] # Now you have the identifiers of the CloudFormation resources loaded, # Set up your S3 Bucket for the Document Bucket bucket = boto3.resource("s3").Bucket(state["DocumentBucket"]) # Set up your DynamoDB Table for the Document Bucket table = boto3.resource("dynamodb").Table(state["DocumentTable"]) # ADD-ESDK-COMPLETE: Configure the Faythe CMK in the Encryption SDK # Pull configuration of KMS resources faythe_cmk = state["FaytheCMK"] # And the Master Key Provider configuring how to use KMS cmk = [faythe_cmk] mkp = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=cmk) # Set up the API to interact with the Document Bucket using all these resources # ADD-ESDK-COMPLETE operations = DocumentBucketOperations(bucket, table, mkp) return operations
def cycle_string(key_arn, source_plaintext, botocore_session=None): """Encrypts and then decrypts a string under a KMS customer master key (CMK) :param str key_arn: Amazon Resource Name (Arn) of the KMS CMK :param bytes source_plaintext: Data to encrypt :param botocore_session: existing botocore session instance :type botocore_session: botocore.session.Session """ # Create the KMS Master Key Provider kms_kwargs = dict(key_ids=[key_arn]) if botocore_session is not None: kms_kwargs['botocore_session'] = botocore_session master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs) # Encrypt the source plaintext ciphertext, encryptor_header = aws_encryption_sdk.encrypt( source=source_plaintext, key_provider=master_key_provider) print('Ciphertext: ', ciphertext) # Decrypt the ciphertext cycled_plaintext, decrypted_header = aws_encryption_sdk.decrypt( source=ciphertext, key_provider=master_key_provider) # Validate that the cycled plaintext is identical to the source plaintext assert cycled_plaintext == source_plaintext # Validate that the encryption context used by the decryptor has all the key-pairs from the encryptor assert all(pair in decrypted_header.encryption_context.items() for pair in encryptor_header.encryption_context.items()) print('Decrypted: ', cycled_plaintext)
def encrypt_decrypt(key_arn, source_plaintext, botocore_session=None): """Encrypts and then decrypts a string under one KMS customer master key (CMK). :param str key_arn: Amazon Resource Name (ARN) of the KMS CMK :param bytes source_plaintext: Data to encrypt :param botocore_session: existing botocore session instance :type botocore_session: botocore.session.Session """ kwargs = dict(key_ids=[key_arn]) if botocore_session is not None: kwargs["botocore_session"] = botocore_session # Create master key provider using the ARN of the key and the session (botocore_session) kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs) # Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header ciphertext, encrypted_message_header = aws_encryption_sdk.encrypt( source=source_plaintext, key_provider=kms_key_provider) # Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header plaintext, decrypted_message_header = aws_encryption_sdk.decrypt( source=ciphertext, key_provider=kms_key_provider) # Check if the original message and the decrypted message are the same assert source_plaintext == plaintext # Check if the headers of the encrypted message and decrypted message match assert all(pair in encrypted_message_header.encryption_context.items() for pair in decrypted_message_header.encryption_context.items())
def cycle_string(key_arn, source_plaintext, botocore_session=None): """Encrypts and then decrypts a string under a KMS customer master key (CMK). :param str key_arn: Amazon Resource Name (ARN) of the KMS CMK :param bytes source_plaintext: Data to encrypt :param botocore_session: existing botocore session instance :type botocore_session: botocore.session.Session """ # Create a KMS master key provider kms_kwargs = dict(key_ids=[key_arn]) if botocore_session is not None: kms_kwargs['botocore_session'] = botocore_session master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs) # Encrypt the plaintext source data ciphertext, encryptor_header = aws_encryption_sdk.encrypt( source=source_plaintext, key_provider=master_key_provider) # Decrypt the ciphertext cycled_plaintext, decrypted_header = aws_encryption_sdk.decrypt( source=ciphertext, key_provider=master_key_provider) # Verify that the "cycled" (encrypted, then decrypted) plaintext is identical to the source plaintext assert cycled_plaintext == source_plaintext # Verify that the encryption context used in the decrypt operation includes all key pairs from # the encrypt operation. (The SDK can add pairs, so don't require an exact match.) # # In production, always use a meaningful encryption context. In this sample, we omit the # encryption context (no key pairs). assert all(pair in decrypted_header.encryption_context.items() for pair in encryptor_header.encryption_context.items())
def init_kms(): # kms_key_provider is essentially a session and a key arn kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[ CMK_ARN ]) return kms_key_provider
def construct_multiregion_kms_master_key_provider(self, key_id_east, key_id_west): kms_master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider() kms_master_key_provider.add_master_key(key_id_west) kms_master_key_provider.add_master_key(key_id_east) return kms_master_key_provider
def get_key_provider(cmk_arn, profile): if cmk_arn: kms_kwargs = dict(key_ids=[cmk_arn]) else: kms_kwargs = dict() if profile is not None: kms_kwargs['botocore_session'] = botocore.session.Session( profile=profile) return aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs)
def get_master_key_provider(cls, key_id=None): if not cls._MASTER_KEY_PROVIDER: import aws_encryption_sdk cls._MASTER_KEY_PROVIDER = aws_encryption_sdk.KMSMasterKeyProvider( ) if key_id and key_id not in cls._MASTER_KEYS: cls._MASTER_KEY_PROVIDER.add_master_key(key_id) cls._MASTER_KEYS.add(key_id) return cls._MASTER_KEY_PROVIDER
def set_key_provider(self): 'called by en(de)crypt_it(), get the master key provider' if (len(self.enc_regions)) <= 0 or (len(self.master_keys) <= 0): raise Exception('Region or Master Keys not set') try: self.key_provider = aes.KMSMasterKeyProvider( botocore_session=self.kms, key_ids=self.master_keys, region_names=self.enc_regions) except Exception as e: raise Exception('Could not set key_provider', e)
def decrypt(ciphertext, botocore_session=None): ciphertext = base64.b64decode(ciphertext.encode('utf-8')) # Create a KMS master key provider. kms_kwargs = dict(key_ids=[key_arn]) if botocore_session is not None: kms_kwargs['botocore_session'] = botocore_session master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs) # Decrypt the ciphertext. plaintext, decrypted_header = aws_encryption_sdk.decrypt( source=ciphertext, key_provider=master_key_provider) plaintext = plaintext.decode("utf-8") return plaintext
def encrypt(plaintext, botocore_session=None): plaintext = str(plaintext).encode('utf-8') # Create a KMS master key provider. kms_kwargs = dict(key_ids=[key_arn]) if botocore_session is not None: kms_kwargs['botocore_session'] = botocore_session master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs) # Encrypt the plaintext source data. ciphertext, encryptor_header = aws_encryption_sdk.encrypt( source=plaintext, key_provider=master_key_provider) ciphertext = base64.b64encode(ciphertext).decode('utf-8') return ciphertext
def encrypt_decrypt_stream(key_arn, source_plaintext_filename, botocore_session=None): """Encrypts and then decrypts streaming data under one KMS customer master key (CMK). :param str key_arn: Amazon Resource Name (ARN) of the KMS CMK :param str source_plaintext_filename: Filename of file to encrypt :param botocore_session: existing botocore session instance :type botocore_session: botocore.session.Session """ kwargs = dict() kwargs["key_ids"] = [key_arn] if botocore_session is not None: kwargs["botocore_session"] = botocore_session # Create master key provider using the ARN of the key and the session (botocore_session) kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs) ciphertext_filename = source_plaintext_filename + ".encrypted" decrypted_text_filename = source_plaintext_filename + ".decrypted" # Encrypt the plaintext using the AWS Encryption SDK. with open(source_plaintext_filename, "rb") as plaintext, open(ciphertext_filename, "wb") as ciphertext: with aws_encryption_sdk.stream( source=plaintext, mode="e", key_provider=kms_key_provider) as encryptor: for chunk in encryptor: ciphertext.write(chunk) # Decrypt the encrypted message using the AWS Encryption SDK. with open(ciphertext_filename, "rb") as ciphertext, open(decrypted_text_filename, "wb") as plaintext: with aws_encryption_sdk.stream( source=ciphertext, mode="d", key_provider=kms_key_provider) as decryptor: for chunk in decryptor: plaintext.write(chunk) # Check if the original message and the decrypted message are the same assert filecmp.cmp(source_plaintext_filename, decrypted_text_filename) # Check if the headers of the encrypted message and decrypted message match assert all(pair in encryptor.header.encryption_context.items() for pair in decryptor.header.encryption_context.items()) return ciphertext_filename, decrypted_text_filename
def build_kms_master_key_provider(self, alias): if not self.alias_exists(alias): raise SystemExit('FATAL: alias %s does not exist in %s' % ( alias, self.session.region_name, )) arn_template = 'arn:aws:kms:{region}:{account_id}:{alias}' kms_master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider() account_id = self.session.client( 'sts').get_caller_identity()['Account'] kms_master_key_provider.add_master_key( arn_template.format(region=self.session.region_name, account_id=account_id, alias=alias)) return kms_master_key_provider
def encrypt_with_caching(kms_cmk_arn, max_age_in_cache, cache_capacity): """Encrypts a string using an AWS KMS customer master key (CMK) and data key caching. :param str kms_cmk_arn: Amazon Resource Name (ARN) of the KMS customer master key :param float max_age_in_cache: Maximum time in seconds that a cached entry can be used :param int cache_capacity: Maximum number of entries to retain in cache at once """ # Data to be encrypted my_data = "My plaintext data" # Security thresholds # Max messages (or max bytes per) data key are optional MAX_ENTRY_MESSAGES = 100 # Create an encryption context encryption_context = {"purpose": "test"} # Create a master key provider for the KMS customer master key (CMK) key_provider = aws_encryption_sdk.KMSMasterKeyProvider( key_ids=[kms_cmk_arn]) # Create a local cache cache = aws_encryption_sdk.LocalCryptoMaterialsCache(cache_capacity) # Create a caching CMM caching_cmm = aws_encryption_sdk.CachingCryptoMaterialsManager( master_key_provider=key_provider, cache=cache, max_age=max_age_in_cache, max_messages_encrypted=MAX_ENTRY_MESSAGES, ) # When the call to encrypt data specifies a caching CMM, # the encryption operation uses the data key cache specified # in the caching CMM encrypted_message, _header = aws_encryption_sdk.encrypt( source=my_data, materials_manager=caching_cmm, encryption_context=encryption_context) return encrypted_message
def initialize() -> DocumentBucketOperations: # Load the pointers to CloudFormation resources that you just deployed state = toml.load(os.path.expanduser( config["base"]["state_file"]))["state"] # Now you have the identifiers of the CloudFormation resources loaded, # Set up your S3 Bucket for the Document Bucket bucket = boto3.resource("s3").Bucket(state["DocumentBucket"]) # Set up your DynamoDB Table for the Document Bucket table = boto3.resource("dynamodb").Table(state["DocumentTable"]) # Pull configuration of KMS resources faythe_cmk = state["FaytheCMK"] walter_cmk = state["WalterCMK"] # And the Master Key Provider configuring how to use KMS cmk = [faythe_cmk, walter_cmk] mkp = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[cmk]) # Set up the API to interact with the Document Bucket using all these resources operations = DocumentBucketOperations(bucket, table, mkp) return operations
def test_encrypted_payload_coding(): key_id = os.environ['KEY_ID'] session = boto3.Session() mkp = aws_encryption_sdk.KMSMasterKeyProvider( key_ids=[key_id], botocore_session=session._session) payload = { 'iss': 'issuer', 'iat': 0, 'tid': 'asdf', 'exp': 0, 'token': 'jkljkl', 'action': { 'name': 'foo', 'type': 'success', 'output': {} }, 'param': False, } validate_payload_schema(payload) encoded_payload = encode_payload(payload, mkp) assert encoded_payload.startswith('2-') decoded_payload = decode_payload(encoded_payload, mkp) validate_payload_schema(decoded_payload) assert_dicts_equal(payload, decoded_payload) encoded_payload = encode_payload(payload, None) assert encoded_payload.startswith('1-') with pytest.raises(EncryptionRequired): decoded_payload = decode_payload(encoded_payload, mkp) encoded_payload = encode_payload(payload, mkp) assert encoded_payload.startswith('2-') with pytest.raises(DecryptionUnsupported): decoded_payload = decode_payload(encoded_payload, None)
def _initialize_from_config(self, beaver_config, filename): super(KmsEncrypter, self)._initialize_from_config(beaver_config, filename) if not aws_encryption_sdk: raise SystemError( 'The use_aws_kms_encryption option is only supported for python >= 2.7' ) kms_configs = _get_kms_config_values(beaver_config, filename) kms_secret_key = kms_configs.aws_kms_secret_key kms_access_key = kms_configs.aws_kms_access_key kms_key_ids = kms_configs.aws_kms_key_ids self.kms_encryption_context = kms_configs.aws_kms_encryption_context if not kms_key_ids: raise ValueError( 'You must provide at lease one CMS key for aws_kms_key_ids!') if self.kms_encryption_context and not isinstance( self.kms_encryption_context, dict): raise ValueError( 'kms_encryption_context must be a flat map of key value pairs, or not provided.' ) session = botocore.session.Session() if kms_access_key and kms_secret_key: session.set_credentials(kms_access_key, kms_secret_key) else: self.logger.info( 'Using default boto credentials locations for KMS access.') self.kms_client = aws_encryption_sdk.KMSMasterKeyProvider( botocore_session=session, key_ids=kms_key_ids)
def EncryptionSdkCacheDemo(): session = botocore.session.Session(profile=PROFILE_NAME) kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider( botocore_session=session, key_ids=[MASTER_KEY_ARN], region_names=[REGION]) plainText = b"This is my secret data12" encryptionContext = {'type': 'password', 'env': 'dev'} # Create a local cache cache = aws_encryption_sdk.LocalCryptoMaterialsCache(10) # Create a caching CMM caching_cmm = aws_encryption_sdk.CachingCryptoMaterialsManager( master_key_provider=kms_key_provider, cache=cache, max_age=600.0, max_messages_encrypted=10, ) # SDK kullanarak bizim icin olusturulan datakey ile ciphertextimizi elde ediyoruz. cipherText, encryption_header = aws_encryption_sdk.encrypt( source=plainText, encryption_context=encryptionContext, materials_manager=caching_cmm) # print("Encrypted data= ", base64.b64encode(cipherText)) decryptedText, decryption_header = aws_encryption_sdk.decrypt( source=cipherText, materials_manager=caching_cmm) # Encryption contextimiz decryption_header icerisinde. # print(decryption_header.encryption_context) print('Decrypted Text= ', decryptedText) assert plainText == decryptedText
from os import getenv, remove, mkdir from os.path import splitext, exists from pathlib import Path from shutil import rmtree import aws_encryption_sdk from dotenv import load_dotenv from flask import Flask, render_template, request, send_file load_dotenv(override=True) application = Flask(__name__) # identify KMS CMK kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[ getenv('KEY_ID_1') ]) # method for encrypting uploaded file def encrypt_file(file): ct_filename = str(file) + '.ct' with open(file, 'rb') as pt_file, open(ct_filename, 'wb') as ct_file: with aws_encryption_sdk.stream( mode='e', source=pt_file, key_provider=kms_key_provider ) as encryptor: for chunk in encryptor: ct_file.write(chunk) return ct_filename
def main(): """ ############################################################# # Client side encryption with data key caching # ############################################################# """ try: az = subprocess.check_output(['curl', '-s', 'http://169.254.169.254/latest/meta-data/placement/availability-zone']) list_az = az.split('-') region = list_az[0]+ '-' + list_az[1] + '-' + list_az[2][0] s3_client = boto3.client('s3',region) kms_client = boto3.client('kms',region) ####################################################################### # # # The kmsmasterkeyprovider class is used to store the reference to # # the customer master key # # # # The key alias kms_key_cse_usecase_3 that we created in the # # kms_key_creation.py is being used here # # # ####################################################################### botocore_session = botocore.session.Session() botocore_session.set_config_variable('region', region) kms_kwargs = dict(key_ids=['alias/kms_key_cse_usecase_3']) if botocore_session is not None: kms_kwargs["botocore_session"] = botocore_session kms_master__key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs) ############################################################# # Setup configuration parameters for the data key cache # ############################################################# CACHE_CAPACITY = 100 MAX_ENTRY_AGE_SECONDS = 300.0 MAX_ENTRY_MESSAGES_ENCRYPTED = 2 ########################################################################## # # A local in memory cache is created with the configured cache # # parameters # ########################################################################## cache = LocalCryptoMaterialsCache(capacity=CACHE_CAPACITY) crypto_materials_manager = CachingCryptoMaterialsManager( master_key_provider=kms_master__key_provider, cache=cache, max_age=MAX_ENTRY_AGE_SECONDS, max_messages_encrypted=MAX_ENTRY_MESSAGES_ENCRYPTED ) ################################################################ # # # Reference to plain text file, client side encrypted file, # # plaintext cycled file # # # # plain text cycled means that file was encrypted and then # # decrypted into plaintext # # # ################################################################ current_directory_path = os.path.dirname(os.path.realpath(__file__)) + '/' plaintext_filename_path = current_directory_path + 'plaintext_u.txt' encrypted_filename_1 = 'encrypted_e_1.txt' encrypted_filename_path_1 = current_directory_path + encrypted_filename_1 encrypted_filename_2 = 'encrypted_e_2.txt' encrypted_filename_path_2 = current_directory_path + encrypted_filename_2 plaintext_cycled_filename_path_1 = current_directory_path + 'plaintext_u_cycled_1.txt' plaintext_cycled_filename_path_2 = current_directory_path + 'plaintext_u_cycled_2.txt' encryption_context = {'whatfor':'usecase-3-cse'} ######################################################################################### # encrypt client side using a kms key and cipher text is put into encrypted_e_1.txt # ######################################################################################### with open(plaintext_filename_path, 'rb') as plaintext, open(encrypted_filename_path_1, 'wb') as ciphertext: with aws_encryption_sdk.stream( mode='e', source=plaintext, materials_manager=crypto_materials_manager, encryption_context=encryption_context ) as encryptor: for chunk in encryptor: ciphertext.write(chunk) ########################################################################################## # encrypt client side using a kms key and cipher text is put into encrypted_e_2.txt # ########################################################################################## with open(plaintext_filename_path, 'rb') as plaintext, open(encrypted_filename_path_2, 'wb') as ciphertext: with aws_encryption_sdk.stream( mode='e', source=plaintext, materials_manager=crypto_materials_manager, encryption_context=encryption_context ) as encryptor: for chunk in encryptor: ciphertext.write(chunk) ############################################################################################ # Decrypt the client side encrypted file encrypted_e_1.txt # # The decrypted file is called plaintext_u_cycled_1.txt # # # # Decrypt the client side encrypted file encrypted_e_2.txt # # The decrypted file is called plaintext_u_cycled_2.txt # # # # Check whether the plaintext_u.txt,plaintext_u_cycled_1.txt,plaintext_u_cycled_2.txt # # have the same content # ############################################################################################ with open(encrypted_filename_path_1, 'rb') as ciphertext, open(plaintext_cycled_filename_path_1, 'wb') as plaintext: with aws_encryption_sdk.stream( mode='d', source=ciphertext, materials_manager=crypto_materials_manager ) as decryptor: for chunk in decryptor: plaintext.write(chunk) with open(encrypted_filename_path_2, 'rb') as ciphertext, open(plaintext_cycled_filename_path_2, 'wb') as plaintext: with aws_encryption_sdk.stream( mode='d', source=ciphertext, materials_manager=crypto_materials_manager ) as decryptor: for chunk in decryptor: plaintext.write(chunk) print "\nModule run was successful !!" print "\nPlain text file plaintext_u.txt was encrypted twice !!" print "\n Step 2 completed successfully" except: print "Unexpected error:", sys.exc_info()[0] raise else: exit(0)
from __future__ import print_function import time import os import sys import aws_encryption_sdk import boto3 s3 = boto3.client('s3') s3_bucket_name = os.environ['s3_BUCKET_NAME '] kms_key = os.environ['KMS CUSTOMER KEY'] kms_kwargs = dict(key_ids=[kms_key]) master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs) def encrypt(plaintext, botocore_session=None): #encrypt file ciphertext, encryption_header = aws_encryption_sdk.encrypt( plain=plaintext, key_provider=master_key_provider) print('storing encrypt data in s3 bucket') response = s3.put_object(body=ciphertext, Bucket=s3_bucket_name, key="encrypted_file.txt") encrypt()
def _initialize_engine(self, parent_class_key): self.secret_key = parent_class_key self.kms_kwargs = dict(key_ids=[self.secret_key]) self.master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider( **self.kms_kwargs)
def _get_kms_provider(): return aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[CMK_KEY_ARN])
import aws_encryption_sdk kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[ 'arn:aws:kms:us-east-1:873559269338:key/1e1a6a81-93e0-4b9a-954b-cc09802bf3ce' ]) my_plaintext = 'This is some super secret data! Yup, sure is!' my_ciphertext, encryptor_header = aws_encryption_sdk.encrypt( source=my_plaintext, key_provider=kms_key_provider) decrypted_plaintext, decryptor_header = aws_encryption_sdk.decrypt( source=my_ciphertext, key_provider=kms_key_provider) assert my_plaintext == decrypted_plaintext.decode('ascii') assert encryptor_header.encryption_context == decryptor_header.encryption_context
import aws_encryption_sdk import datetime, os, sys key_id = sys.argv[1] cipher_filename = sys.argv[2] decrypted_file = sys.argv[3] kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[ key_id ]) print("Encrypted file to be decrypted: %s" % cipher_filename) print("Details: %s" % os.stat(cipher_filename)) start = datetime.datetime.now() print("Starting at %s" % start) with open(cipher_filename, 'rb') as ct_file, open(decrypted_file, 'wb') as pt_file: with aws_encryption_sdk.stream( mode='d', source=ct_file, key_provider=kms_key_provider ) as decryptor: for chunk in decryptor: pt_file.write(chunk) print("File decrypted: %s" % decrypted_file) print("Details: %s" % os.stat(decrypted_file)) end = datetime.datetime.now()
def main(): """ ################################### # client side encryption # ################################### """ try: az = subprocess.check_output([ 'curl', '-s', 'http://169.254.169.254/latest/meta-data/placement/availability-zone' ]) list_az = az.split('-') region = list_az[0] + '-' + list_az[1] + '-' + list_az[2][0] ####################################################################### # The kmsmasterkeyprovider class is used to store the reference to # # the customer master key # # # # The key alias kms_key_cse_usecase_3 that we created in the # # kms_key_creation.py is being used here # ####################################################################### botocore_session = botocore.session.Session() botocore_session.set_config_variable('region', region) kms_kwargs = dict(key_ids=['alias/kms_key_cse_usecase_3']) if botocore_session is not None: kms_kwargs["botocore_session"] = botocore_session kms_master__key_provider = aws_encryption_sdk.KMSMasterKeyProvider( **kms_kwargs) ################################################################ # # # Reference to plain text file, client side encrypted file, # # and plaintext cycled file # # # # plain text cycled means that file was encrypted and then # # decrypted into plaintext # # # ################################################################ current_directory_path = os.path.dirname( os.path.realpath(__file__)) + '/' plaintext_filename_path = current_directory_path + 'plaintext_u.txt' encrypted_filename = 'encrypted_e.txt' encrypted_filename_path = current_directory_path + encrypted_filename plaintext_cycled_filename_path = current_directory_path + 'plaintext_u_cycled.txt' encryption_context = {'whatfor': 'usecase-3-cse'} ######################################################################################### # encrypt client side using a kms key and cipher text is put into encrypted_e.txt # ######################################################################################### with open(plaintext_filename_path, 'rb') as plaintext, open(encrypted_filename_path, 'wb') as ciphertext: with aws_encryption_sdk.stream( mode='e', source=plaintext, key_provider=kms_master__key_provider, encryption_context=encryption_context) as encryptor: for chunk in encryptor: ciphertext.write(chunk) ################################################################# # Decrypt the s3 cycled file encrypted_e.txt # # The decrypted file is called plaintext_u_cycled.txt # ################################################################# with open(encrypted_filename_path, 'rb') as ciphertext, open(plaintext_cycled_filename_path, 'wb') as plaintext: with aws_encryption_sdk.stream( mode='d', source=ciphertext, key_provider=kms_master__key_provider) as decryptor: #print decryptor.header.encryption_context for chunk in decryptor: plaintext.write(chunk) print "\nModule run was successful !!" print "\nYou should see the client side encrypted file encrypted_e.txt !!" print "\nYou should see the cycled file plaintext_u_cycled.txt !!" print "\n Step 2 completed successfully" except: print "Unexpected error:", sys.exc_info()[0] raise else: exit(0)
def cycle_file(key_arn, source_plaintext_filename, botocore_session=None): """Encrypts and then decrypts a file using a KMS master key provider and a custom static master key provider. Both master key providers are used to encrypt the plaintext file, so either one alone can decrypt it. :param str key_arn: Amazon Resource Name (ARN) of the KMS Customer Master Key (CMK) (http://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html) :param str source_plaintext_filename: Filename of file to encrypt :param botocore_session: existing botocore session instance :type botocore_session: botocore.session.Session """ # "Cycled" means encrypted and then decrypted ciphertext_filename = source_plaintext_filename + ".encrypted" cycled_kms_plaintext_filename = source_plaintext_filename + ".kms.decrypted" cycled_static_plaintext_filename = source_plaintext_filename + ".static.decrypted" # Create a KMS master key provider kms_kwargs = dict(key_ids=[key_arn]) if botocore_session is not None: kms_kwargs["botocore_session"] = botocore_session kms_master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider( **kms_kwargs) # Create a static master key provider and add a master key to it static_key_id = os.urandom(8) static_master_key_provider = StaticRandomMasterKeyProvider() static_master_key_provider.add_master_key(static_key_id) # Add the static master key provider to the AWS KMS master key provider # The resulting master key provider uses AWS KMS master keys to generate (and encrypt) # data keys and static master keys to create an additional encrypted copy of each data key. kms_master_key_provider.add_master_key_provider(static_master_key_provider) # Encrypt plaintext with both AWS KMS and static master keys with open(source_plaintext_filename, "rb") as plaintext, open(ciphertext_filename, "wb") as ciphertext: with aws_encryption_sdk.stream( source=plaintext, mode="e", key_provider=kms_master_key_provider) as encryptor: for chunk in encryptor: ciphertext.write(chunk) # Decrypt the ciphertext with only the AWS KMS master key with open(ciphertext_filename, "rb") as ciphertext, open(cycled_kms_plaintext_filename, "wb") as plaintext: with aws_encryption_sdk.stream( source=ciphertext, mode="d", key_provider=aws_encryption_sdk.KMSMasterKeyProvider( **kms_kwargs)) as kms_decryptor: for chunk in kms_decryptor: plaintext.write(chunk) # Decrypt the ciphertext with only the static master key with open(ciphertext_filename, "rb") as ciphertext, open(cycled_static_plaintext_filename, "wb") as plaintext: with aws_encryption_sdk.stream( source=ciphertext, mode="d", key_provider=static_master_key_provider) as static_decryptor: for chunk in static_decryptor: plaintext.write(chunk) # Verify that the "cycled" (encrypted, then decrypted) plaintext is identical to the source plaintext assert filecmp.cmp(source_plaintext_filename, cycled_kms_plaintext_filename) assert filecmp.cmp(source_plaintext_filename, cycled_static_plaintext_filename) # Verify that the encryption context in the decrypt operation includes all key pairs from the # encrypt operation. # # In production, always use a meaningful encryption context. In this sample, we omit the # encryption context (no key pairs). assert all(pair in kms_decryptor.header.encryption_context.items() for pair in encryptor.header.encryption_context.items()) assert all(pair in static_decryptor.header.encryption_context.items() for pair in encryptor.header.encryption_context.items()) return (ciphertext_filename, cycled_kms_plaintext_filename, cycled_static_plaintext_filename)