def encryptionSDKDemo():
import aws_encryption_sdk
#
# AWS Encryption SDK works with arbitrary length text
#
plaintext = 'This is a very long text document'
#
# The MKP object contains reference to master keys
#
mkp = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[MASTER_KEY_ARN])
encryption_context = {'data_type': 'example', 'classification': 'public'}
#
# Let's encrypt the plaintext data
#
ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
source=plaintext,
key_provider=mkp,
encryption_context=encryption_context)
#
# Let's decrypt the ciphertext data
#
decrypted_plaintext, decryptor_header = aws_encryption_sdk.decrypt(
source=ciphertext, key_provider=mkp)
print(decrypted_plaintext.decode('utf-8'))
def encrypt_file(self, source_file_name, target_file_name):
"""
Encrypt a file using aws_encryption SDK and a KMS key
:param source_file_name: File name (path) to encrypt
:type source_file_name: str
:param target_file_name: File name (path) to be used as target encrypted file. Use to be a NamedTemporaryFile
:type target_file_name: str
"""
logging.info('Open a AWS session for KMS actions using ')
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(
config=self.get_conn(), key_ids=[self.aws_kms_key_arn])
with open(source_file_name,
'rb') as pt_file, open(target_file_name, 'wb') as ct_file:
with aws_encryption_sdk.stream(mode='e',
source=pt_file,
key_provider=kms_key_provider,
frame_length=1024) as encryptor:
for chunk in encryptor:
ct_file.write(chunk)
logging.info('Comparing source and target files:')
logging.info('Source file size: {}kb'.format(
os.stat(source_file_name).st_size >> 10))
logging.info('Source file type: [{}]'.format(
magic.from_file(source_file_name)))
logging.info('Taget file size: {}kb'.format(
os.stat(target_file_name).st_size >> 10))
logging.info('Target file type: [{}]'.format(
magic.from_file(target_file_name)))
return target_file_name
def EncryptionSdkDemo():
session = botocore.session.Session(profile=PROFILE_NAME)
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(
botocore_session=session,
key_ids=[MASTER_KEY_ARN],
region_names=[REGION])
plainText = b"This is my secret data"
encryptionContext = {'type': 'password', 'env': 'dev'}
# SDK kullanarak bizim icin olusturulan datakey ile ciphertextimizi elde ediyoruz.
cipherText, encryption_header = aws_encryption_sdk.encrypt(
source=plainText,
encryption_context=encryptionContext,
key_provider=kms_key_provider)
# print("Encrypted data= ", base64.b64encode(cipherText))
print("Encrypt edildi")
decryptedText, decryption_header = aws_encryption_sdk.decrypt(
source=cipherText, key_provider=kms_key_provider)
# Encryption contextimiz decryption_header icerisinde.
print(decryption_header.encryption_context)
print('Decrypted Text= ', decryptedText)
assert plainText == decryptedText
def initialize() -> DocumentBucketOperations:
"""
Configure a Document Bucket API automatically with resources bootstrapped
by CloudFormation.
"""
# Load the pointers to CloudFormation resources that you just deployed
state = toml.load(os.path.expanduser(
config["base"]["state_file"]))["state"]
# Now you have the identifiers of the CloudFormation resources loaded,
# Set up your S3 Bucket for the Document Bucket
bucket = boto3.resource("s3").Bucket(state["DocumentBucket"])
# Set up your DynamoDB Table for the Document Bucket
table = boto3.resource("dynamodb").Table(state["DocumentTable"])
# ADD-ESDK-COMPLETE: Configure the Faythe CMK in the Encryption SDK
# Pull configuration of KMS resources
faythe_cmk = state["FaytheCMK"]
# And the Master Key Provider configuring how to use KMS
cmk = [faythe_cmk]
mkp = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=cmk)
# Set up the API to interact with the Document Bucket using all these resources
# ADD-ESDK-COMPLETE
operations = DocumentBucketOperations(bucket, table, mkp)
return operations
def cycle_string(key_arn, source_plaintext, botocore_session=None):
"""Encrypts and then decrypts a string under a KMS customer master key (CMK)
:param str key_arn: Amazon Resource Name (Arn) of the KMS CMK
:param bytes source_plaintext: Data to encrypt
:param botocore_session: existing botocore session instance
:type botocore_session: botocore.session.Session
"""
# Create the KMS Master Key Provider
kms_kwargs = dict(key_ids=[key_arn])
if botocore_session is not None:
kms_kwargs['botocore_session'] = botocore_session
master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs)
# Encrypt the source plaintext
ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
source=source_plaintext, key_provider=master_key_provider)
print('Ciphertext: ', ciphertext)
# Decrypt the ciphertext
cycled_plaintext, decrypted_header = aws_encryption_sdk.decrypt(
source=ciphertext, key_provider=master_key_provider)
# Validate that the cycled plaintext is identical to the source plaintext
assert cycled_plaintext == source_plaintext
# Validate that the encryption context used by the decryptor has all the key-pairs from the encryptor
assert all(pair in decrypted_header.encryption_context.items()
for pair in encryptor_header.encryption_context.items())
print('Decrypted: ', cycled_plaintext)
def encrypt_decrypt(key_arn, source_plaintext, botocore_session=None):
"""Encrypts and then decrypts a string under one KMS customer master key (CMK).
:param str key_arn: Amazon Resource Name (ARN) of the KMS CMK
:param bytes source_plaintext: Data to encrypt
:param botocore_session: existing botocore session instance
:type botocore_session: botocore.session.Session
"""
kwargs = dict(key_ids=[key_arn])
if botocore_session is not None:
kwargs["botocore_session"] = botocore_session
# Create master key provider using the ARN of the key and the session (botocore_session)
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs)
# Encrypt the plaintext using the AWS Encryption SDK. It returns the encrypted message and the header
ciphertext, encrypted_message_header = aws_encryption_sdk.encrypt(
source=source_plaintext, key_provider=kms_key_provider)
# Decrypt the encrypted message using the AWS Encryption SDK. It returns the decrypted message and the header
plaintext, decrypted_message_header = aws_encryption_sdk.decrypt(
source=ciphertext, key_provider=kms_key_provider)
# Check if the original message and the decrypted message are the same
assert source_plaintext == plaintext
# Check if the headers of the encrypted message and decrypted message match
assert all(pair in encrypted_message_header.encryption_context.items()
for pair in decrypted_message_header.encryption_context.items())
def cycle_string(key_arn, source_plaintext, botocore_session=None):
"""Encrypts and then decrypts a string under a KMS customer master key (CMK).
:param str key_arn: Amazon Resource Name (ARN) of the KMS CMK
:param bytes source_plaintext: Data to encrypt
:param botocore_session: existing botocore session instance
:type botocore_session: botocore.session.Session
"""
# Create a KMS master key provider
kms_kwargs = dict(key_ids=[key_arn])
if botocore_session is not None:
kms_kwargs['botocore_session'] = botocore_session
master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs)
# Encrypt the plaintext source data
ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
source=source_plaintext, key_provider=master_key_provider)
# Decrypt the ciphertext
cycled_plaintext, decrypted_header = aws_encryption_sdk.decrypt(
source=ciphertext, key_provider=master_key_provider)
# Verify that the "cycled" (encrypted, then decrypted) plaintext is identical to the source plaintext
assert cycled_plaintext == source_plaintext
# Verify that the encryption context used in the decrypt operation includes all key pairs from
# the encrypt operation. (The SDK can add pairs, so don't require an exact match.)
#
# In production, always use a meaningful encryption context. In this sample, we omit the
# encryption context (no key pairs).
assert all(pair in decrypted_header.encryption_context.items()
for pair in encryptor_header.encryption_context.items())
def init_kms():
# kms_key_provider is essentially a session and a key arn
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
CMK_ARN
])
return kms_key_provider
def construct_multiregion_kms_master_key_provider(self, key_id_east,
key_id_west):
kms_master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider()
kms_master_key_provider.add_master_key(key_id_west)
kms_master_key_provider.add_master_key(key_id_east)
return kms_master_key_provider
def get_key_provider(cmk_arn, profile):
if cmk_arn:
kms_kwargs = dict(key_ids=[cmk_arn])
else:
kms_kwargs = dict()
if profile is not None:
kms_kwargs['botocore_session'] = botocore.session.Session(
profile=profile)
return aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs)
def get_master_key_provider(cls, key_id=None):
if not cls._MASTER_KEY_PROVIDER:
import aws_encryption_sdk
cls._MASTER_KEY_PROVIDER = aws_encryption_sdk.KMSMasterKeyProvider(
)
if key_id and key_id not in cls._MASTER_KEYS:
cls._MASTER_KEY_PROVIDER.add_master_key(key_id)
cls._MASTER_KEYS.add(key_id)
return cls._MASTER_KEY_PROVIDER
def set_key_provider(self):
'called by en(de)crypt_it(), get the master key provider'
if (len(self.enc_regions)) <= 0 or (len(self.master_keys) <= 0):
raise Exception('Region or Master Keys not set')
try:
self.key_provider = aes.KMSMasterKeyProvider(
botocore_session=self.kms,
key_ids=self.master_keys,
region_names=self.enc_regions)
except Exception as e:
raise Exception('Could not set key_provider', e)
def decrypt(ciphertext, botocore_session=None):
ciphertext = base64.b64decode(ciphertext.encode('utf-8'))
# Create a KMS master key provider.
kms_kwargs = dict(key_ids=[key_arn])
if botocore_session is not None:
kms_kwargs['botocore_session'] = botocore_session
master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs)
# Decrypt the ciphertext.
plaintext, decrypted_header = aws_encryption_sdk.decrypt(
source=ciphertext, key_provider=master_key_provider)
plaintext = plaintext.decode("utf-8")
return plaintext
def encrypt(plaintext, botocore_session=None):
plaintext = str(plaintext).encode('utf-8')
# Create a KMS master key provider.
kms_kwargs = dict(key_ids=[key_arn])
if botocore_session is not None:
kms_kwargs['botocore_session'] = botocore_session
master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs)
# Encrypt the plaintext source data.
ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
source=plaintext, key_provider=master_key_provider)
ciphertext = base64.b64encode(ciphertext).decode('utf-8')
return ciphertext
def encrypt_decrypt_stream(key_arn,
source_plaintext_filename,
botocore_session=None):
"""Encrypts and then decrypts streaming data under one KMS customer master key (CMK).
:param str key_arn: Amazon Resource Name (ARN) of the KMS CMK
:param str source_plaintext_filename: Filename of file to encrypt
:param botocore_session: existing botocore session instance
:type botocore_session: botocore.session.Session
"""
kwargs = dict()
kwargs["key_ids"] = [key_arn]
if botocore_session is not None:
kwargs["botocore_session"] = botocore_session
# Create master key provider using the ARN of the key and the session (botocore_session)
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kwargs)
ciphertext_filename = source_plaintext_filename + ".encrypted"
decrypted_text_filename = source_plaintext_filename + ".decrypted"
# Encrypt the plaintext using the AWS Encryption SDK.
with open(source_plaintext_filename,
"rb") as plaintext, open(ciphertext_filename,
"wb") as ciphertext:
with aws_encryption_sdk.stream(
source=plaintext, mode="e",
key_provider=kms_key_provider) as encryptor:
for chunk in encryptor:
ciphertext.write(chunk)
# Decrypt the encrypted message using the AWS Encryption SDK.
with open(ciphertext_filename,
"rb") as ciphertext, open(decrypted_text_filename,
"wb") as plaintext:
with aws_encryption_sdk.stream(
source=ciphertext, mode="d",
key_provider=kms_key_provider) as decryptor:
for chunk in decryptor:
plaintext.write(chunk)
# Check if the original message and the decrypted message are the same
assert filecmp.cmp(source_plaintext_filename, decrypted_text_filename)
# Check if the headers of the encrypted message and decrypted message match
assert all(pair in encryptor.header.encryption_context.items()
for pair in decryptor.header.encryption_context.items())
return ciphertext_filename, decrypted_text_filename
def build_kms_master_key_provider(self, alias):
if not self.alias_exists(alias):
raise SystemExit('FATAL: alias %s does not exist in %s' % (
alias,
self.session.region_name,
))
arn_template = 'arn:aws:kms:{region}:{account_id}:{alias}'
kms_master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider()
account_id = self.session.client(
'sts').get_caller_identity()['Account']
kms_master_key_provider.add_master_key(
arn_template.format(region=self.session.region_name,
account_id=account_id,
alias=alias))
return kms_master_key_provider
def encrypt_with_caching(kms_cmk_arn, max_age_in_cache, cache_capacity):
"""Encrypts a string using an AWS KMS customer master key (CMK) and data key caching.
:param str kms_cmk_arn: Amazon Resource Name (ARN) of the KMS customer master key
:param float max_age_in_cache: Maximum time in seconds that a cached entry can be used
:param int cache_capacity: Maximum number of entries to retain in cache at once
"""
# Data to be encrypted
my_data = "My plaintext data"
# Security thresholds
# Max messages (or max bytes per) data key are optional
MAX_ENTRY_MESSAGES = 100
# Create an encryption context
encryption_context = {"purpose": "test"}
# Create a master key provider for the KMS customer master key (CMK)
key_provider = aws_encryption_sdk.KMSMasterKeyProvider(
key_ids=[kms_cmk_arn])
# Create a local cache
cache = aws_encryption_sdk.LocalCryptoMaterialsCache(cache_capacity)
# Create a caching CMM
caching_cmm = aws_encryption_sdk.CachingCryptoMaterialsManager(
master_key_provider=key_provider,
cache=cache,
max_age=max_age_in_cache,
max_messages_encrypted=MAX_ENTRY_MESSAGES,
)
# When the call to encrypt data specifies a caching CMM,
# the encryption operation uses the data key cache specified
# in the caching CMM
encrypted_message, _header = aws_encryption_sdk.encrypt(
source=my_data,
materials_manager=caching_cmm,
encryption_context=encryption_context)
return encrypted_message
def initialize() -> DocumentBucketOperations:
# Load the pointers to CloudFormation resources that you just deployed
state = toml.load(os.path.expanduser(
config["base"]["state_file"]))["state"]
# Now you have the identifiers of the CloudFormation resources loaded,
# Set up your S3 Bucket for the Document Bucket
bucket = boto3.resource("s3").Bucket(state["DocumentBucket"])
# Set up your DynamoDB Table for the Document Bucket
table = boto3.resource("dynamodb").Table(state["DocumentTable"])
# Pull configuration of KMS resources
faythe_cmk = state["FaytheCMK"]
walter_cmk = state["WalterCMK"]
# And the Master Key Provider configuring how to use KMS
cmk = [faythe_cmk, walter_cmk]
mkp = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[cmk])
# Set up the API to interact with the Document Bucket using all these resources
operations = DocumentBucketOperations(bucket, table, mkp)
return operations
def test_encrypted_payload_coding():
key_id = os.environ['KEY_ID']
session = boto3.Session()
mkp = aws_encryption_sdk.KMSMasterKeyProvider(
key_ids=[key_id], botocore_session=session._session)
payload = {
'iss': 'issuer',
'iat': 0,
'tid': 'asdf',
'exp': 0,
'token': 'jkljkl',
'action': {
'name': 'foo',
'type': 'success',
'output': {}
},
'param': False,
}
validate_payload_schema(payload)
encoded_payload = encode_payload(payload, mkp)
assert encoded_payload.startswith('2-')
decoded_payload = decode_payload(encoded_payload, mkp)
validate_payload_schema(decoded_payload)
assert_dicts_equal(payload, decoded_payload)
encoded_payload = encode_payload(payload, None)
assert encoded_payload.startswith('1-')
with pytest.raises(EncryptionRequired):
decoded_payload = decode_payload(encoded_payload, mkp)
encoded_payload = encode_payload(payload, mkp)
assert encoded_payload.startswith('2-')
with pytest.raises(DecryptionUnsupported):
decoded_payload = decode_payload(encoded_payload, None)
def _initialize_from_config(self, beaver_config, filename):
super(KmsEncrypter,
self)._initialize_from_config(beaver_config, filename)
if not aws_encryption_sdk:
raise SystemError(
'The use_aws_kms_encryption option is only supported for python >= 2.7'
)
kms_configs = _get_kms_config_values(beaver_config, filename)
kms_secret_key = kms_configs.aws_kms_secret_key
kms_access_key = kms_configs.aws_kms_access_key
kms_key_ids = kms_configs.aws_kms_key_ids
self.kms_encryption_context = kms_configs.aws_kms_encryption_context
if not kms_key_ids:
raise ValueError(
'You must provide at lease one CMS key for aws_kms_key_ids!')
if self.kms_encryption_context and not isinstance(
self.kms_encryption_context, dict):
raise ValueError(
'kms_encryption_context must be a flat map of key value pairs, or not provided.'
)
session = botocore.session.Session()
if kms_access_key and kms_secret_key:
session.set_credentials(kms_access_key, kms_secret_key)
else:
self.logger.info(
'Using default boto credentials locations for KMS access.')
self.kms_client = aws_encryption_sdk.KMSMasterKeyProvider(
botocore_session=session, key_ids=kms_key_ids)
def EncryptionSdkCacheDemo():
session = botocore.session.Session(profile=PROFILE_NAME)
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(
botocore_session=session,
key_ids=[MASTER_KEY_ARN],
region_names=[REGION])
plainText = b"This is my secret data12"
encryptionContext = {'type': 'password', 'env': 'dev'}
# Create a local cache
cache = aws_encryption_sdk.LocalCryptoMaterialsCache(10)
# Create a caching CMM
caching_cmm = aws_encryption_sdk.CachingCryptoMaterialsManager(
master_key_provider=kms_key_provider,
cache=cache,
max_age=600.0,
max_messages_encrypted=10,
)
# SDK kullanarak bizim icin olusturulan datakey ile ciphertextimizi elde ediyoruz.
cipherText, encryption_header = aws_encryption_sdk.encrypt(
source=plainText,
encryption_context=encryptionContext,
materials_manager=caching_cmm)
# print("Encrypted data= ", base64.b64encode(cipherText))
decryptedText, decryption_header = aws_encryption_sdk.decrypt(
source=cipherText, materials_manager=caching_cmm)
# Encryption contextimiz decryption_header icerisinde.
# print(decryption_header.encryption_context)
print('Decrypted Text= ', decryptedText)
assert plainText == decryptedText
from os import getenv, remove, mkdir
from os.path import splitext, exists
from pathlib import Path
from shutil import rmtree
import aws_encryption_sdk
from dotenv import load_dotenv
from flask import Flask, render_template, request, send_file
load_dotenv(override=True)
application = Flask(__name__)
# identify KMS CMK
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
getenv('KEY_ID_1')
])
# method for encrypting uploaded file
def encrypt_file(file):
ct_filename = str(file) + '.ct'
with open(file, 'rb') as pt_file, open(ct_filename, 'wb') as ct_file:
with aws_encryption_sdk.stream(
mode='e',
source=pt_file,
key_provider=kms_key_provider
) as encryptor:
for chunk in encryptor:
ct_file.write(chunk)
return ct_filename
def main():
"""
#############################################################
# Client side encryption with data key caching #
#############################################################
"""
try:
az = subprocess.check_output(['curl', '-s', 'http://169.254.169.254/latest/meta-data/placement/availability-zone'])
list_az = az.split('-')
region = list_az[0]+ '-' + list_az[1] + '-' + list_az[2][0]
s3_client = boto3.client('s3',region)
kms_client = boto3.client('kms',region)
#######################################################################
# #
# The kmsmasterkeyprovider class is used to store the reference to #
# the customer master key #
# #
# The key alias kms_key_cse_usecase_3 that we created in the #
# kms_key_creation.py is being used here #
# #
#######################################################################
botocore_session = botocore.session.Session()
botocore_session.set_config_variable('region', region)
kms_kwargs = dict(key_ids=['alias/kms_key_cse_usecase_3'])
if botocore_session is not None:
kms_kwargs["botocore_session"] = botocore_session
kms_master__key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs)
#############################################################
# Setup configuration parameters for the data key cache #
#############################################################
CACHE_CAPACITY = 100
MAX_ENTRY_AGE_SECONDS = 300.0
MAX_ENTRY_MESSAGES_ENCRYPTED = 2
########################################################################## #
# A local in memory cache is created with the configured cache #
# parameters #
##########################################################################
cache = LocalCryptoMaterialsCache(capacity=CACHE_CAPACITY)
crypto_materials_manager = CachingCryptoMaterialsManager(
master_key_provider=kms_master__key_provider,
cache=cache,
max_age=MAX_ENTRY_AGE_SECONDS,
max_messages_encrypted=MAX_ENTRY_MESSAGES_ENCRYPTED
)
################################################################
# #
# Reference to plain text file, client side encrypted file, #
# plaintext cycled file #
# #
# plain text cycled means that file was encrypted and then #
# decrypted into plaintext #
# #
################################################################
current_directory_path = os.path.dirname(os.path.realpath(__file__)) + '/'
plaintext_filename_path = current_directory_path + 'plaintext_u.txt'
encrypted_filename_1 = 'encrypted_e_1.txt'
encrypted_filename_path_1 = current_directory_path + encrypted_filename_1
encrypted_filename_2 = 'encrypted_e_2.txt'
encrypted_filename_path_2 = current_directory_path + encrypted_filename_2
plaintext_cycled_filename_path_1 = current_directory_path + 'plaintext_u_cycled_1.txt'
plaintext_cycled_filename_path_2 = current_directory_path + 'plaintext_u_cycled_2.txt'
encryption_context = {'whatfor':'usecase-3-cse'}
#########################################################################################
# encrypt client side using a kms key and cipher text is put into encrypted_e_1.txt #
#########################################################################################
with open(plaintext_filename_path, 'rb') as plaintext, open(encrypted_filename_path_1, 'wb') as ciphertext:
with aws_encryption_sdk.stream(
mode='e',
source=plaintext,
materials_manager=crypto_materials_manager,
encryption_context=encryption_context
) as encryptor:
for chunk in encryptor:
ciphertext.write(chunk)
##########################################################################################
# encrypt client side using a kms key and cipher text is put into encrypted_e_2.txt #
##########################################################################################
with open(plaintext_filename_path, 'rb') as plaintext, open(encrypted_filename_path_2, 'wb') as ciphertext:
with aws_encryption_sdk.stream(
mode='e',
source=plaintext,
materials_manager=crypto_materials_manager,
encryption_context=encryption_context
) as encryptor:
for chunk in encryptor:
ciphertext.write(chunk)
############################################################################################
# Decrypt the client side encrypted file encrypted_e_1.txt #
# The decrypted file is called plaintext_u_cycled_1.txt #
# #
# Decrypt the client side encrypted file encrypted_e_2.txt #
# The decrypted file is called plaintext_u_cycled_2.txt #
# #
# Check whether the plaintext_u.txt,plaintext_u_cycled_1.txt,plaintext_u_cycled_2.txt #
# have the same content #
############################################################################################
with open(encrypted_filename_path_1, 'rb') as ciphertext, open(plaintext_cycled_filename_path_1, 'wb') as plaintext:
with aws_encryption_sdk.stream(
mode='d',
source=ciphertext,
materials_manager=crypto_materials_manager
) as decryptor:
for chunk in decryptor:
plaintext.write(chunk)
with open(encrypted_filename_path_2, 'rb') as ciphertext, open(plaintext_cycled_filename_path_2, 'wb') as plaintext:
with aws_encryption_sdk.stream(
mode='d',
source=ciphertext,
materials_manager=crypto_materials_manager
) as decryptor:
for chunk in decryptor:
plaintext.write(chunk)
print "\nModule run was successful !!"
print "\nPlain text file plaintext_u.txt was encrypted twice !!"
print "\n Step 2 completed successfully"
except:
print "Unexpected error:", sys.exc_info()[0]
raise
else:
exit(0)
from __future__ import print_function
import time
import os
import sys
import aws_encryption_sdk
import boto3
s3 = boto3.client('s3')
s3_bucket_name = os.environ['s3_BUCKET_NAME ']
kms_key = os.environ['KMS CUSTOMER KEY']
kms_kwargs = dict(key_ids=[kms_key])
master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(**kms_kwargs)
def encrypt(plaintext, botocore_session=None):
#encrypt file
ciphertext, encryption_header = aws_encryption_sdk.encrypt(
plain=plaintext, key_provider=master_key_provider)
print('storing encrypt data in s3 bucket')
response = s3.put_object(body=ciphertext,
Bucket=s3_bucket_name,
key="encrypted_file.txt")
encrypt()
def _initialize_engine(self, parent_class_key):
self.secret_key = parent_class_key
self.kms_kwargs = dict(key_ids=[self.secret_key])
self.master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(
**self.kms_kwargs)
def _get_kms_provider():
return aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[CMK_KEY_ARN])
import aws_encryption_sdk
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
'arn:aws:kms:us-east-1:873559269338:key/1e1a6a81-93e0-4b9a-954b-cc09802bf3ce'
])
my_plaintext = 'This is some super secret data! Yup, sure is!'
my_ciphertext, encryptor_header = aws_encryption_sdk.encrypt(
source=my_plaintext, key_provider=kms_key_provider)
decrypted_plaintext, decryptor_header = aws_encryption_sdk.decrypt(
source=my_ciphertext, key_provider=kms_key_provider)
assert my_plaintext == decrypted_plaintext.decode('ascii')
assert encryptor_header.encryption_context == decryptor_header.encryption_context
import aws_encryption_sdk
import datetime, os, sys
key_id = sys.argv[1]
cipher_filename = sys.argv[2]
decrypted_file = sys.argv[3]
kms_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(key_ids=[
key_id
])
print("Encrypted file to be decrypted: %s" % cipher_filename)
print("Details: %s" % os.stat(cipher_filename))
start = datetime.datetime.now()
print("Starting at %s" % start)
with open(cipher_filename, 'rb') as ct_file, open(decrypted_file, 'wb') as pt_file:
with aws_encryption_sdk.stream(
mode='d',
source=ct_file,
key_provider=kms_key_provider
) as decryptor:
for chunk in decryptor:
pt_file.write(chunk)
print("File decrypted: %s" % decrypted_file)
print("Details: %s" % os.stat(decrypted_file))
end = datetime.datetime.now()
def main():
"""
###################################
# client side encryption #
###################################
"""
try:
az = subprocess.check_output([
'curl', '-s',
'http://169.254.169.254/latest/meta-data/placement/availability-zone'
])
list_az = az.split('-')
region = list_az[0] + '-' + list_az[1] + '-' + list_az[2][0]
#######################################################################
# The kmsmasterkeyprovider class is used to store the reference to #
# the customer master key #
# #
# The key alias kms_key_cse_usecase_3 that we created in the #
# kms_key_creation.py is being used here #
#######################################################################
botocore_session = botocore.session.Session()
botocore_session.set_config_variable('region', region)
kms_kwargs = dict(key_ids=['alias/kms_key_cse_usecase_3'])
if botocore_session is not None:
kms_kwargs["botocore_session"] = botocore_session
kms_master__key_provider = aws_encryption_sdk.KMSMasterKeyProvider(
**kms_kwargs)
################################################################
# #
# Reference to plain text file, client side encrypted file, #
# and plaintext cycled file #
# #
# plain text cycled means that file was encrypted and then #
# decrypted into plaintext #
# #
################################################################
current_directory_path = os.path.dirname(
os.path.realpath(__file__)) + '/'
plaintext_filename_path = current_directory_path + 'plaintext_u.txt'
encrypted_filename = 'encrypted_e.txt'
encrypted_filename_path = current_directory_path + encrypted_filename
plaintext_cycled_filename_path = current_directory_path + 'plaintext_u_cycled.txt'
encryption_context = {'whatfor': 'usecase-3-cse'}
#########################################################################################
# encrypt client side using a kms key and cipher text is put into encrypted_e.txt #
#########################################################################################
with open(plaintext_filename_path,
'rb') as plaintext, open(encrypted_filename_path,
'wb') as ciphertext:
with aws_encryption_sdk.stream(
mode='e',
source=plaintext,
key_provider=kms_master__key_provider,
encryption_context=encryption_context) as encryptor:
for chunk in encryptor:
ciphertext.write(chunk)
#################################################################
# Decrypt the s3 cycled file encrypted_e.txt #
# The decrypted file is called plaintext_u_cycled.txt #
#################################################################
with open(encrypted_filename_path,
'rb') as ciphertext, open(plaintext_cycled_filename_path,
'wb') as plaintext:
with aws_encryption_sdk.stream(
mode='d',
source=ciphertext,
key_provider=kms_master__key_provider) as decryptor:
#print decryptor.header.encryption_context
for chunk in decryptor:
plaintext.write(chunk)
print "\nModule run was successful !!"
print "\nYou should see the client side encrypted file encrypted_e.txt !!"
print "\nYou should see the cycled file plaintext_u_cycled.txt !!"
print "\n Step 2 completed successfully"
except:
print "Unexpected error:", sys.exc_info()[0]
raise
else:
exit(0)
def cycle_file(key_arn, source_plaintext_filename, botocore_session=None):
"""Encrypts and then decrypts a file using a KMS master key provider and a custom static master
key provider. Both master key providers are used to encrypt the plaintext file, so either one alone
can decrypt it.
:param str key_arn: Amazon Resource Name (ARN) of the KMS Customer Master Key (CMK)
(http://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html)
:param str source_plaintext_filename: Filename of file to encrypt
:param botocore_session: existing botocore session instance
:type botocore_session: botocore.session.Session
"""
# "Cycled" means encrypted and then decrypted
ciphertext_filename = source_plaintext_filename + ".encrypted"
cycled_kms_plaintext_filename = source_plaintext_filename + ".kms.decrypted"
cycled_static_plaintext_filename = source_plaintext_filename + ".static.decrypted"
# Create a KMS master key provider
kms_kwargs = dict(key_ids=[key_arn])
if botocore_session is not None:
kms_kwargs["botocore_session"] = botocore_session
kms_master_key_provider = aws_encryption_sdk.KMSMasterKeyProvider(
**kms_kwargs)
# Create a static master key provider and add a master key to it
static_key_id = os.urandom(8)
static_master_key_provider = StaticRandomMasterKeyProvider()
static_master_key_provider.add_master_key(static_key_id)
# Add the static master key provider to the AWS KMS master key provider
# The resulting master key provider uses AWS KMS master keys to generate (and encrypt)
# data keys and static master keys to create an additional encrypted copy of each data key.
kms_master_key_provider.add_master_key_provider(static_master_key_provider)
# Encrypt plaintext with both AWS KMS and static master keys
with open(source_plaintext_filename,
"rb") as plaintext, open(ciphertext_filename,
"wb") as ciphertext:
with aws_encryption_sdk.stream(
source=plaintext, mode="e",
key_provider=kms_master_key_provider) as encryptor:
for chunk in encryptor:
ciphertext.write(chunk)
# Decrypt the ciphertext with only the AWS KMS master key
with open(ciphertext_filename,
"rb") as ciphertext, open(cycled_kms_plaintext_filename,
"wb") as plaintext:
with aws_encryption_sdk.stream(
source=ciphertext,
mode="d",
key_provider=aws_encryption_sdk.KMSMasterKeyProvider(
**kms_kwargs)) as kms_decryptor:
for chunk in kms_decryptor:
plaintext.write(chunk)
# Decrypt the ciphertext with only the static master key
with open(ciphertext_filename,
"rb") as ciphertext, open(cycled_static_plaintext_filename,
"wb") as plaintext:
with aws_encryption_sdk.stream(
source=ciphertext,
mode="d",
key_provider=static_master_key_provider) as static_decryptor:
for chunk in static_decryptor:
plaintext.write(chunk)
# Verify that the "cycled" (encrypted, then decrypted) plaintext is identical to the source plaintext
assert filecmp.cmp(source_plaintext_filename,
cycled_kms_plaintext_filename)
assert filecmp.cmp(source_plaintext_filename,
cycled_static_plaintext_filename)
# Verify that the encryption context in the decrypt operation includes all key pairs from the
# encrypt operation.
#
# In production, always use a meaningful encryption context. In this sample, we omit the
# encryption context (no key pairs).
assert all(pair in kms_decryptor.header.encryption_context.items()
for pair in encryptor.header.encryption_context.items())
assert all(pair in static_decryptor.header.encryption_context.items()
for pair in encryptor.header.encryption_context.items())
return (ciphertext_filename, cycled_kms_plaintext_filename,
cycled_static_plaintext_filename)
