AWS Encryption CLI触った

AWSDocker

AWS Encryption CLIのdockerイメージ

[https://hub.docker.com/repository/docker/wandta/aws-encryption-cli:embed:cite]

KMSキー作る

via terraform

# Symmetric KMS key used as the wrapping key for the Encryption CLI run below.
resource "aws_kms_key" "example" {
  description             = "example for encryption cli"
  # Shortest window KMS accepts; fine for a throwaway demo key, but a key
  # protecting real data would normally use a longer window so an accidental
  # schedule-key-deletion can still be cancelled.
  deletion_window_in_days = 7
  # NOTE(review): enable_key_rotation is not set here — consider setting it to
  # true for any key that outlives the demo.
}

# The ARN printed by `terraform apply` is what `--master-keys key=...`
# expects on the encrypt command.
output "kms_arn" {
  value = aws_kms_key.example.arn
}
terraform apply  # creates the key; the kms_arn output is reused in the encrypt command below
Outputs:

kms_arn = arn:aws:kms:ap-northeast-1:646279979860:key/800f80fd-25a4-46f8-b644-575dbde93436

暗号化

  • 先ほど作成したKMSキーのARNを指定
# Plaintext sample to encrypt.
printf '%s\n' hogehoge > hoge.txt

mkdir output
# Encrypt with the KMS key created above. The metadata file records the
# message header (algorithm suite, KMS-wrapped data key, encryption context)
# and the input/output paths; it is appended to on every run.
# NOTE(review): `--master-keys` is the older flag name — newer CLI releases
# use `--wrapping-keys`; confirm which version the Docker image ships.
aws-encryption-cli --encrypt \
  --input hoge.txt \
  --master-keys key=arn:aws:kms:ap-northeast-1:646279979860:key/800f80fd-25a4-46f8-b644-575dbde93436 \
  --metadata-output metadata \
  --encryption-context purpose=test \
  --output output/
cat metadata
{"header": {"algorithm": "AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384", "content_type": 2, "encrypted_data_keys": [{"encrypted_data_key": "AQIBAHgOefrQi/oreXkYHHBn4xmpGjh4UggwNMzAjbvuEJQ0jwGs9NarJsIjfOz8P4VM6k8dAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMWshZQ7jqQEJDXhlkAgEQgDvcKeNGFTvOPBw5Orlkhqa7aQ1s8FXF5Zfo1P8LNkD86jqQEph+3/n/3RZpuXM2WwdvMml8nF6snCTIaA==", "key_provider": {"key_info": "YXJuOmF3czprbXM6YXAtbm9ydGhlYXN0LTE6NjQ2Mjc5OTc5ODYwOmtleS84MDBmODBmZC0yNWE0LTQ2ZjgtYjY0NC01NzVkYmRlOTM0MzY=", "provider_id": "YXdzLWttcw=="}}], "encryption_context": {"aws-crypto-public-key": "AjxhNYI7jOcf8IgBt5bhgcNbVNvDbigwU4jsf8iKwgHvwaop5g/EdYbJ/+RWv56n9w==", "purpose": "test"}, "frame_length": 4096, "header_iv_length": 12, "message_id": "SuT756Z3mTz+nE+cudYdTA==", "type": 128, "version": "1.0"}, "input": "/work/hoge.txt", "mode": "encrypt", "output": "/work/output/hoge.txt.encrypted"}
ls -lA output  # one <input>.encrypted file per input; larger than the plaintext because of the header and framing
total 4
-rw-r--r--    1 root     root           603 Mar 20 01:34 hoge.txt.encrypted

復号

  • 暗号化ファイルのヘッダに鍵の情報（metadata の key_info に KMS キーの ARN が入っている）があるので、復号時は ARN の指定が不要
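mkdir decrypted
# Decrypt: the ciphertext header already names the wrapping key (see
# key_info in the metadata above), so the KMS ARN is not repeated here.
# Passing --encryption-context on decrypt makes the CLI check that the
# expected pair from encryption time is present in the message's encryption
# context and fail otherwise — the plaintext is only released for a
# ciphertext produced for this purpose.
# NOTE(review): key-less decrypt is how the older CLI behaves; newer releases
# expect `--wrapping-keys` on decrypt as well — confirm the image's version.
aws-encryption-cli --decrypt \
  --input output/hoge.txt.encrypted \
  --encryption-context purpose=test \
  --metadata-output metadata \
  --output decrypted/
cat metadata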
{"header": {"algorithm": "AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384", "content_type": 2, "encrypted_data_keys": [{"encrypted_data_key": "AQIBAHgOefrQi/oreXkYHHBn4xmpGjh4UggwNMzAjbvuEJQ0jwGs9NarJsIjfOz8P4VM6k8dAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMWshZQ7jqQEJDXhlkAgEQgDvcKeNGFTvOPBw5Orlkhqa7aQ1s8FXF5Zfo1P8LNkD86jqQEph+3/n/3RZpuXM2WwdvMml8nF6snCTIaA==", "key_provider": {"key_info": "YXJuOmF3czprbXM6YXAtbm9ydGhlYXN0LTE6NjQ2Mjc5OTc5ODYwOmtleS84MDBmODBmZC0yNWE0LTQ2ZjgtYjY0NC01NzVkYmRlOTM0MzY=", "provider_id": "YXdzLWttcw=="}}], "encryption_context": {"aws-crypto-public-key": "AjxhNYI7jOcf8IgBt5bhgcNbVNvDbigwU4jsf8iKwgHvwaop5g/EdYbJ/+RWv56n9w==", "purpose": "test"}, "frame_length": 4096, "header_iv_length": 12, "message_id": "SuT756Z3mTz+nE+cudYdTA==", "type": 128, "version": "1.0"}, "input": "/work/hoge.txt", "mode": "encrypt", "output": "/work/output/hoge.txt.encrypted"}
{"header": {"algorithm": "AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384", "content_type": 2, "encrypted_data_keys": [{"encrypted_data_key": "AQIBAHgOefrQi/oreXkYHHBn4xmpGjh4UggwNMzAjbvuEJQ0jwGs9NarJsIjfOz8P4VM6k8dAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMWshZQ7jqQEJDXhlkAgEQgDvcKeNGFTvOPBw5Orlkhqa7aQ1s8FXF5Zfo1P8LNkD86jqQEph+3/n/3RZpuXM2WwdvMml8nF6snCTIaA==", "key_provider": {"key_info": "YXJuOmF3czprbXM6YXAtbm9ydGhlYXN0LTE6NjQ2Mjc5OTc5ODYwOmtleS84MDBmODBmZC0yNWE0LTQ2ZjgtYjY0NC01NzVkYmRlOTM0MzY=", "provider_id": "YXdzLWttcw=="}}], "encryption_context": {"aws-crypto-public-key": "AjxhNYI7jOcf8IgBt5bhgcNbVNvDbigwU4jsf8iKwgHvwaop5g/EdYbJ/+RWv56n9w==", "purpose": "test"}, "frame_length": 4096, "header_iv_length": 12, "message_id": "SuT756Z3mTz+nE+cudYdTA==", "type": 128, "version": "1.0"}, "header_auth": {"iv": "AAAAAAAAAAAAAAAA", "tag": "XC0i2Rm3k/ZX/dkKqLno9g=="}, "input": "/work/output/hoge.txt.encrypted", "mode": "decrypt", "output": "/work/decrypted/hoge.txt.encrypted.decrypted"}
cat decrypted/hoge.txt.encrypted.decrypted  # round trip: should print the original plaintext
hogehoge