Building Artillery.io • Interested in OSS, SRE, product design, SaaS • always up for coffee ☕ • h@veldstra.org • @hveldstra
kms-vault

kms-vault is a tiny shell script that encrypts sensitive data such as passwords or private keys using a master key held in AWS KMS.
First, download the shell script and put it somewhere in your $PATH.
To encrypt a text file:
#
# My-KMS-Key is a key you created in KMS, see:
# http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
#
kms-vault encrypt My-KMS-Key private_key.pem > private_key.pem.encrypted
To decrypt an encrypted file:
#
# We don't need to specify the name of the key here because that information is
# stored in the metadata in the encrypted blob of data:
#
kms-vault decrypt private_key.pem.encrypted
(It goes without saying that if you delete the master key that was used to encrypt a file, you won't be able to recover the plaintext. KMS only deletes a key after a scheduled waiting period of at least seven days, which is your window to cancel, but once the key is gone the ciphertext is unrecoverable.)
Two properties make kms-vault very handy for storing all kinds of secrets inside git repos, for example: the encrypted blob records which key it was encrypted with, and access to that key is controlled with IAM policies in the AWS accounts of the other members of your team (IAM policies only take effect if the key's own key policy delegates permissions to IAM, which the default key policy does). There's no need to share a password, as is the case with ansible-vault.
Finally, AWS Lambda integrates with KMS, which makes kms-vault a nice, simple solution for managing secrets in Serverless-based projects (this is the reason I whipped up kms-vault in the first place).