AWS Encryption CLI触った
AWS Encryption CLIのdockerイメージ
KMSキー作る
via terraform
resource "aws_kms_key" "example" { description = "example for encryption cli" deletion_window_in_days = 7 } output "kms_arn" { value = aws_kms_key.example.arn }
terraform apply
Outputs: kms_arn = arn:aws:kms:ap-northeast-1:646279979860:key/800f80fd-25a4-46f8-b644-575dbde93436
暗号化
- 先ほど作成したKMSキーのARNを指定
echo hogehoge > hoge.txt mkdir output aws-encryption-cli --encrypt \ --input hoge.txt \ --master-keys key=arn:aws:kms:ap-northeast-1:646279979860:key/800f80fd-25a4-46f8-b644-575dbde93436 \ --metadata-output metadata \ --encryption-context purpose=test \ --output output/
cat metadata
{"header": {"algorithm": "AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384", "content_type": 2, "encrypted_data_keys": [{"encrypted_data_key": "AQIBAHgOefrQi/oreXkYHHBn4xmpGjh4UggwNMzAjbvuEJQ0jwGs9NarJsIjfOz8P4VM6k8dAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMWshZQ7jqQEJDXhlkAgEQgDvcKeNGFTvOPBw5Orlkhqa7aQ1s8FXF5Zfo1P8LNkD86jqQEph+3/n/3RZpuXM2WwdvMml8nF6snCTIaA==", "key_provider": {"key_info": "YXJuOmF3czprbXM6YXAtbm9ydGhlYXN0LTE6NjQ2Mjc5OTc5ODYwOmtleS84MDBmODBmZC0yNWE0LTQ2ZjgtYjY0NC01NzVkYmRlOTM0MzY=", "provider_id": "YXdzLWttcw=="}}], "encryption_context": {"aws-crypto-public-key": "AjxhNYI7jOcf8IgBt5bhgcNbVNvDbigwU4jsf8iKwgHvwaop5g/EdYbJ/+RWv56n9w==", "purpose": "test"}, "frame_length": 4096, "header_iv_length": 12, "message_id": "SuT756Z3mTz+nE+cudYdTA==", "type": 128, "version": "1.0"}, "input": "/work/hoge.txt", "mode": "encrypt", "output": "/work/output/hoge.txt.encrypted"}
ls -lA output
total 4 -rw-r--r-- 1 root root 603 Mar 20 01:34 hoge.txt.encrypted
復号
- encryptedファイル自体に鍵の情報があるのでARN不要
mkdir decrypted aws-encryption-cli --decrypt \ --input output/hoge.txt.encrypted \ --metadata-output metadata \ --output decrypted/
cat metadata
{"header": {"algorithm": "AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384", "content_type": 2, "encrypted_data_keys": [{"encrypted_data_key": "AQIBAHgOefrQi/oreXkYHHBn4xmpGjh4UggwNMzAjbvuEJQ0jwGs9NarJsIjfOz8P4VM6k8dAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMWshZQ7jqQEJDXhlkAgEQgDvcKeNGFTvOPBw5Orlkhqa7aQ1s8FXF5Zfo1P8LNkD86jqQEph+3/n/3RZpuXM2WwdvMml8nF6snCTIaA==", "key_provider": {"key_info": "YXJuOmF3czprbXM6YXAtbm9ydGhlYXN0LTE6NjQ2Mjc5OTc5ODYwOmtleS84MDBmODBmZC0yNWE0LTQ2ZjgtYjY0NC01NzVkYmRlOTM0MzY=", "provider_id": "YXdzLWttcw=="}}], "encryption_context": {"aws-crypto-public-key": "AjxhNYI7jOcf8IgBt5bhgcNbVNvDbigwU4jsf8iKwgHvwaop5g/EdYbJ/+RWv56n9w==", "purpose": "test"}, "frame_length": 4096, "header_iv_length": 12, "message_id": "SuT756Z3mTz+nE+cudYdTA==", "type": 128, "version": "1.0"}, "input": "/work/hoge.txt", "mode": "encrypt", "output": "/work/output/hoge.txt.encrypted"} {"header": {"algorithm": "AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384", "content_type": 2, "encrypted_data_keys": [{"encrypted_data_key": "AQIBAHgOefrQi/oreXkYHHBn4xmpGjh4UggwNMzAjbvuEJQ0jwGs9NarJsIjfOz8P4VM6k8dAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMWshZQ7jqQEJDXhlkAgEQgDvcKeNGFTvOPBw5Orlkhqa7aQ1s8FXF5Zfo1P8LNkD86jqQEph+3/n/3RZpuXM2WwdvMml8nF6snCTIaA==", "key_provider": {"key_info": "YXJuOmF3czprbXM6YXAtbm9ydGhlYXN0LTE6NjQ2Mjc5OTc5ODYwOmtleS84MDBmODBmZC0yNWE0LTQ2ZjgtYjY0NC01NzVkYmRlOTM0MzY=", "provider_id": "YXdzLWttcw=="}}], "encryption_context": {"aws-crypto-public-key": "AjxhNYI7jOcf8IgBt5bhgcNbVNvDbigwU4jsf8iKwgHvwaop5g/EdYbJ/+RWv56n9w==", "purpose": "test"}, "frame_length": 4096, "header_iv_length": 12, "message_id": "SuT756Z3mTz+nE+cudYdTA==", "type": 128, "version": "1.0"}, "header_auth": {"iv": "AAAAAAAAAAAAAAAA", "tag": "XC0i2Rm3k/ZX/dkKqLno9g=="}, "input": "/work/output/hoge.txt.encrypted", "mode": "decrypt", "output": "/work/decrypted/hoge.txt.encrypted.decrypted"}
cat decrypted/hoge.txt.encrypted.decrypted
hogehoge