Ejemplo n.º 1
 def run(self, _in, _out):
     '''
     Encrypt a secrets document under a fresh KMS data key and emit it as JSON.

     _in is a file path, or '-' to read the plaintext secrets from stdin.
     _out is a file path, or '-' to print the JSON document to stdout.

     The emitted JSON has two string fields: 'data_key' (base64 of
     data_key['ciphertext']) and 'secrets' (the Fernet token). The
     plaintext data key is used only as the Fernet key and is never
     written to the output.
     '''
     # Single-argument os.path.join() hands the path back unchanged; it is
     # kept so that argument handling matches the original exactly.
     if _in != '-':
         with open(os.path.join(_in), 'r') as src:
             plaintext_secrets = src.read()
     else:
         plaintext_secrets = sys.stdin.read()

     kms_client = confidant.clients.get_boto_client(
         'kms',
         endpoint_url=settings.KMS_URL,
     )
     # NOTE(review): the {'type': 'bootstrap'} encryption context is
     # presumably bound to the data key by KMS, so the consumer must present
     # the same context when unwrapping it - confirm against the decrypt side.
     data_key = cryptolib.create_datakey(
         {'type': 'bootstrap'},
         settings.KMS_MASTER_KEY,
         client=kms_client,
     )

     fernet = Fernet(data_key['plaintext'])
     wrapped_key = base64.b64encode(data_key['ciphertext']).decode('utf-8')
     token = fernet.encrypt(plaintext_secrets.encode('utf-8')).decode('utf-8')
     serialized = json.dumps({
         'data_key': wrapped_key,
         'secrets': token,
     })

     if _out != '-':
         # The file is created with the process's default permissions; it
         # holds only the wrapped key and the encrypted secrets.
         with open(os.path.join(_out), 'w') as dst:
             dst.write(serialized)
     else:
         print(serialized)
Ejemplo n.º 2
def create_datakey(encryption_context):
    '''
    Create a datakey from KMS, or a mock datakey when encryption is disabled.

    encryption_context is passed through unchanged to
    cryptolib.create_datakey. The master key is addressed by alias,
    'alias/<KMS_MASTER_KEY>', taken from the application config.
    '''
    # Identity comparison on purpose: only the literal False turns encryption
    # off. Other falsy settings (None, 0, '') keep the real KMS path, because
    # silently disabling encryption is the dangerous failure mode.
    if app.config['USE_ENCRYPTION'] is not False:
        # The underlying lib does generate-random and encrypt, so count 2.
        stats.incr('at_rest_action', 2)
        # NOTE(review): .get() presumably yields None when KMS_MASTER_KEY is
        # unset, which would format as 'alias/None' - confirm the config is
        # validated before this point.
        master_key_alias = 'alias/{0}'.format(
            app.config.get('KMS_MASTER_KEY'))
        return cryptolib.create_datakey(encryption_context, master_key_alias)

    # Mock path: intended for development and test only, so make it loud.
    logging.warning('Creating a mock datakey in keymanager.create_datakey.'
                    ' If you are not running in a development or test'
                    ' environment, this should not be happening!')
    return cryptolib.create_mock_datakey()
Ejemplo n.º 3
def create_datakey(encryption_context):
    '''
    Return a datakey for at-rest encryption.

    With USE_ENCRYPTION set to the literal False, a mock datakey from
    cryptolib.create_mock_datakey() is returned and a warning is logged.
    Otherwise the key is requested through cryptolib.create_datakey using
    the given encryption_context and the 'alias/<KMS_MASTER_KEY>' master key.
    '''
    # `is False` rather than a truthiness test: a missing or empty-ish value
    # must never be read as "encryption off".
    encryption_disabled = app.config['USE_ENCRYPTION'] is False
    if encryption_disabled:
        mock_key_warning = (
            'Creating a mock datakey in keymanager.create_datakey.'
            ' If you are not running in a development or test'
            ' environment, this should not be happening!'
        )
        logging.warning(mock_key_warning)
        return cryptolib.create_mock_datakey()

    # Two at-rest actions per call: the underlying lib does generate-random
    # and encrypt.
    stats.incr('at_rest_action', 2)
    key_alias = 'alias/{0}'.format(app.config.get('KMS_MASTER_KEY'))
    return cryptolib.create_datakey(encryption_context, key_alias)
Ejemplo n.º 4
def create_datakey(encryption_context):
    '''
    Create a datakey from KMS using the at-rest KMS client.

    Returns cryptolib.create_mock_datakey() instead when
    settings.USE_ENCRYPTION is the literal False; that path logs a warning
    because it is meant for development and test environments only.
    '''
    # The client is obtained before the USE_ENCRYPTION check, so it is
    # fetched even when the mock path below is taken.
    kms_client = _get_at_rest_kms_client()

    # Identity check, not truthiness: disabled encryption is dangerous, so
    # only an explicit False selects the mock key.
    if settings.USE_ENCRYPTION is not False:
        # The underlying lib does generate-random and encrypt, so count 2.
        stats.incr('at_rest_action', 2)
        return cryptolib.create_datakey(
            encryption_context,
            settings.KMS_MASTER_KEY,
            client=kms_client,
        )

    logger.warning(
        'Creating a mock datakey in keymanager.create_datakey. If you are'
        ' not running in a development or test environment, this should not'
        ' be happening!')
    return cryptolib.create_mock_datakey()
Ejemplo n.º 5
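 def run(self, _in, _out):
     '''
     Encrypt a secrets document under a fresh KMS data key and emit it as JSON.

     _in is a file path, or '-' to read the plaintext secrets from stdin.
     _out is a file path, or '-' to print the JSON document to stdout.

     The emitted JSON carries 'data_key' (base64 of data_key['ciphertext'])
     and 'secrets' (the Fernet token). The plaintext data key is used only
     as the Fernet key and is never written out.
     '''
     if _in == '-':
         plaintext_secrets = sys.stdin.read()
     else:
         with open(_in, 'r') as src:
             plaintext_secrets = src.read()

     # NOTE(review): the {'type': 'bootstrap'} encryption context is
     # presumably bound to the data key by KMS, so the consumer must present
     # the same context when unwrapping it - confirm against the decrypt side.
     data_key = cryptolib.create_datakey(
         {'type': 'bootstrap'},
         'alias/{0}'.format(app.config['KMS_MASTER_KEY']),
     )
     fernet = Fernet(data_key['plaintext'])

     # b64encode() and Fernet.encrypt() return bytes on Python 3, which
     # json.dumps() cannot serialise; both outputs are ASCII, so decoding
     # yields the same JSON text on Python 2 and Python 3.
     data = json.dumps({
         'data_key': base64.b64encode(data_key['ciphertext']).decode('utf-8'),
         'secrets': fernet.encrypt(
             plaintext_secrets.encode('utf-8')).decode('utf-8'),
     })

     if _out == '-':
         # Function-call form is valid on both Python 2 and 3; the original
         # `print data` statement is a syntax error on Python 3.
         print(data)
     else:
         # The file is created with the process's default permissions; it
         # holds only the wrapped key and the encrypted secrets.
         with open(_out, 'w') as dst:
             dst.write(data)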