def _kms(options):
if options['profile'] != '':
conn = kms.connect_to_region(options['region'], profile_name=options['profile'])
else:
conn = kms.connect_to_region(options['region'], aws_access_key_id=options['AWS_ACCESS_KEY_ID'], aws_secret_access_key=options['AWS_SECRET_ACCESS_KEY'])
if options['action'] == 'list':
(key_id, key_arn) = _kms_find(conn, options)
if key_id != None:
print key_arn
elif options['action'] == 'create':
_kms_create(conn, options)
elif options['action'] == 'disable':
_kms_disable(conn, options)
def main():
if 'KMS_KEY_ID' not in os.environ:
print("ERROR: The KMS_KEY_ID environment variable is required. It \
is a unique identifier of the customer master. This can be an \
ARN, an alias, or the Key ID.", file=sys.stderr)
return
else:
key_id = os.environ['KMS_KEY_ID']
if 'KMS_EC2_REGION' in os.environ:
region = os.environ['KMS_EC2_REGION']
elif 'EC2_REGION' in os.environ:
region = os.environ['EC2_REGION']
else:
region = 'us-east-1'
try:
kms = connect_to_region(region)
plaintext_password = ''.join(random.SystemRandom().choice(string.digits
+ string.letters + string.punctuation) for _ in xrange(PASSWORD_LENGTH))
encryption_dict = kms.encrypt(key_id, plaintext_password)
encrypted_password = b64encode(encryption_dict['CiphertextBlob'])
print(plaintext_password)
print("Encrypted password:\n" + encrypted_password, file=sys.stderr)
except NotFoundException, e:
print("ERROR: Key not found. Is it in {0}?".format(region), file=sys.stderr)
def main():
if 'KMS_ENCRYPTED_PASSWORD' not in os.environ:
print(
"ERROR: The KMS_ENCRYPTED_PASSWORD environment variable is required.",
file=sys.stderr)
return
else:
encrypted_password = os.environ['KMS_ENCRYPTED_PASSWORD']
if 'KMS_EC2_REGION' in os.environ:
region = os.environ['KMS_EC2_REGION']
elif 'EC2_REGION' in os.environ:
region = os.environ['EC2_REGION']
else:
region = 'us-east-1'
try:
kms = connect_to_region(region)
password = kms.decrypt(b64decode(encrypted_password))
print(password['Plaintext'])
except Exception, e:
print("ERROR: Decryption failed. Do you have permission to decrypt?",
file=sys.stderr)
def decrypt(value):
kms_obj = kms.connect_to_region(
os.environ.get('AWS_DEFAULT_REGION'))
try:
plaintext = kms_obj.decrypt(unhexlify(value))['Plaintext']
except Exception, e:
raise Exception('Unable to decrypt value: {}'.format(e))
def _connect_kms(self):
"""
Attempts to get a KMSConnection first from sts. If sts is not configured, then it will obtain a connection using
the configured profile (if profile is not configured default is used)
"""
boto.connect_kms()
if self.sts:
self.kms = kms.connect_to_region(self.config.region,
aws_access_key_id=self.sts["access_key"],
aws_secret_access_key=self.sts["secret_key"],
security_token=self.sts["session_token"])
elif self.config.aws_profile:
self.kms = kms.connect_to_region(self.config.region, profile_name=self.config.aws_profile)
else:
self.kms = kms.connect_to_region(self.config.region)
def kms_decrypt_data(aws_data, encrypted_data, ciphertext_blob):
"""Decrypt data"""
conn = kms.connect_to_region(aws_data['region'])
decrypted_key = conn.decrypt(ciphertext_blob).get('Plaintext')
crypter = AES.new(decrypted_key)
return crypter.decrypt(base64.b64decode(encrypted_data)).rstrip()
def kms_encrypt_data(aws_data, plaintext_message):
"""Encrypt plaintext"""
conn = kms.connect_to_region(aws_data['region'])
arn = get_arn(aws_data)
data_key = conn.generate_data_key(arn, key_spec='AES_128')
ciphertext_blob = data_key.get('CiphertextBlob')
plaintext_key = data_key.get('Plaintext')
# Note, does not use IV or specify mode... for demo purposes only.
crypter = AES.new(plaintext_key)
encrypted_data = base64.b64encode(crypter.encrypt(pad(plaintext_message)))
# Need to preserve both of these data elements
return encrypted_data, ciphertext_blob
def main():
if 'KMS_ENCRYPTED_PASSWORD' not in os.environ:
print("ERROR: The KMS_ENCRYPTED_PASSWORD environment variable is required.", file=sys.stderr)
return
else:
encrypted_password = os.environ['KMS_ENCRYPTED_PASSWORD']
if 'KMS_EC2_REGION' in os.environ:
region = os.environ['KMS_EC2_REGION']
elif 'EC2_REGION' in os.environ:
region = os.environ['EC2_REGION']
else:
region = 'us-east-1'
try:
kms = connect_to_region(region)
password = kms.decrypt(b64decode(encrypted_password))
print(password['Plaintext'])
except Exception, e:
print("ERROR: Decryption failed. Do you have permission to decrypt?", file=sys.stderr)
def main():
global VERSION
parser = argparse.ArgumentParser(prog="kms-client")
parser.add_argument('-v', '--version', action='version',
version="%(prog)s %(VERSION)s" %
{ 'prog': sys.argv[0], 'VERSION': VERSION }
)
ek_group = parser.add_mutually_exclusive_group()
ek_group.add_argument('-e', '--encrypt', action='store_true',
help="Encrypt the data")
ek_group.add_argument('-d', '--decrypt', action='store_true',
help="Decrypt the data")
parser.add_argument('-k', '--key', action="store",
help="The key alias, id, or arn to use for encryption")
parser.add_argument('-r', '--region', action='store',
default="us-east-1", help="Region to connect to")
parser.add_argument("infile", action="store", default="-",
type=argparse.FileType('r+b'),
help="File to encrypt or decrypt, - for stdin/out")
parser.add_argument("outfile", action="store", default="-",
type=argparse.FileType('wb'),
help="File to encrypt or decrypt, - for stdin/out")
args = vars(parser.parse_args())
if args['encrypt'] and args['key'] is None:
logging.error("Must provide a key for encryption")
sys.exit(1)
con = kms.connect_to_region(args['region'])
with args['outfile'] as out:
indata = args['infile'].read()
datalen = len(indata)
if args['encrypt']:
if datalen >= 4096:
keydata = con.generate_data_key(args['key'], key_spec='AES_128')
iv_seed = con.generate_random(1024)['Plaintext']
iv = hashlib.md5(iv_seed).digest()
out.write(struct.pack('!Q', datalen))
out.write(iv)
out.write(keydata['CiphertextBlob'])
enc = AES.new(keydata['Plaintext'], AES.MODE_CBC, iv)
del keydata
chunk = 0
while chunk * 16 < datalen:
if datalen - chunk * 16 < 0:
indata.append('*' * abs(datalen - chunk * 16))
out.write(enc.encrypt(indata[chunk*16:chunk*16+16]))
chunk += 1
else:
ciphertext = con.encrypt(args['key'], indata)
out.write(ciphertext['CiphertextBlob'])
elif args['decrypt']:
# Encrypted keys are 188 bytes
qsize = struct.calcsize('Q')
if datalen - (qsize + 188) >= 4096:
payloadsize = struct.unpack('!Q', indata[0:qsize])[0]
iv = indata[qsize:qsize+16]
keydata = con.decrypt(indata[qsize+16:qsize+16+188])
encdata = bytes(indata[qsize+16+188:])
enclen = len(encdata)
data = b''
chunk = 0
dec = AES.new(keydata['Plaintext'], AES.MODE_CBC, iv)
del keydata
while chunk * 16 <= enclen:
data += dec.decrypt(encdata[chunk*16:chunk*16+16])
chunk += 1
out.write(data[:payloadsize])
else:
plaintext = con.decrypt(indata)
out.write(plaintext['Plaintext'])
else:
logging.error("Must provide either -e or -d")
sys.exit(1)
def __init__(self, region="eu-west-1"):
self.conn = kms.connect_to_region(region)
def __init__(self, region="eu-west-1"):
self.conn = kms.connect_to_region(region)
def __init__(self, config): self.conn = kms.connect_to_region(config["region"])
def encrypt(data):
fileinfo = open(data['path'])
info = fileinfo.read()
conn = kms.connect_to_region(data['region'])
encrypted = conn.encrypt(key_id=data['arn'], plaintext=info)
return True, encrypted['CiphertextBlob']