Skip to content

jhmartin/aws-kms-ruby-encrypt-decrypt-example

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

377 Commits

.circleci

.circleci

 
 

.github

.github

 
 

.codeclimate

.codeclimate

 
 

.gemnasium.yml

.gemnasium.yml

 
 

.rubocop_todo.yml

.rubocop_todo.yml

 
 

Gemfile

Gemfile

 
 

Gemfile.lock

Gemfile.lock

 
 

README.md

README.md

 
 

kms-decrypt.rb

kms-decrypt.rb

 
 

kms-encrypt.rb

kms-encrypt.rb

 
 

test.sh

test.sh

 
 

Repository files navigation

aws-kms-ruby-enrypt-decrypt-example

CircleCI Code Climate

Sample using AWS Key Management Service (assuming IAM roles) to generate a data key, encrypt an object with that key, then decrypt it.

The data key response contains a cleartext key and an encrypted key. The cleartext key is used to encrypt the contents and then discarded. The ciphertext and encrypted key are stored together. Then KMS is asked to decrypt the data-key, and the resulting cleartext-key is used against the ciphertext to decrypt back to cleartext.

Sample ciphertext file looks like:

{
  "ciphertext": "U2FsdGVkX1/J92QzTjh7E+u8mHLoruXfNgFxRVzHXDh/QwV7gtuO+KODk8aZ\ng2jktXbHnY1V1YcH1g6whGZgAPUksG2VGvKLBNKXbFbigPRd6JUSNhLUkbho\nCKWS7vmH1om15ZGjqMEqhNKvCJN1bUTfb6cbyxDdYhe0nUIKNlbl1v5KRHOp\nyoeBLIHlrdGe/KhjAWrbtehTLYdlbfWLxWcprxekB0jhGHBb0QGOgqRmuWq1\npDJJjkeQZlWcT9Q4lBU1CXMxFdibE3DzuWtMsFXTZIN3CPNphZ0TIs+xxh5A\nwGaoZd3STjyAISenK8L4YK22HnM7nb9TfdPK77gYgWM51HI65cNB/XIPm4fs\nDQUU8ZV0dhSGwD65+Mw9ZsbXjemwFDyoI4r16Luu0KEBRBVZS99BZwlXrI72\n1LwI1s3/8lddfGGyrfyQf7biXsulVtx6llCwZOId4HxvjwOIo+9FG7t0dndA\n8vZ//ZdCNvLMDiAxnVL/2uL15wXU+L9uxl+NJgJP9OshmujN0u/zMFa0pk8+\nl8Yu9nB62rf+tk8m8JcpgPrwkOMUkQxz9OPzUYLaSNglwtOGkjHZ1iAipdCg\nAyw5pIUCRH1EBT9T5enOFz8N5Lus4BPjcL2nE9kmTL3OnN/TjSNY1hnYjC+p\nhb8k9Qe18MmyysuQfF1oYZLq6RIVtXgD73y4wWBVWvcUXVidZDMOQjp6bRKa\noqoQzRglTuNP+vhgTYN1R7s9D46fVLRTqvlDeKmwuG5GZ59ZsFoaz6rAhzCy\nYJnmFpOC6Q==\n",
  "datakey": "CiAZM5lfpml79/xq2DrOPUKm4aSyNamrxnGq6oBiEkJ3yBKnAQEBAwB4GTOZX6Zpe/f8atg6zj1CpuGksjWpq8ZxquqAYhJCd8gAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAxDH8IEyvf8fr3qtQYCARCAO7elZFDPuqPXJzjP5iciFabj5820Q6ZTdnZvdWyCZMhRyx0qQtoQL7tDVVMGH3yrlNY909grcx1nERWe"
}

Usage

  1. Create a AWS KMS master key (currently costs $1/mo) and record its keyid.
  2. Set the KEYID environmental variable to the keyid or key alias.
  3. Add an IAM user or role as 'key usage' authorized user.
  4. Configure the AWS credentials as you normally would (I used an IAM instance role rather than explicit access keys)
  5. Call kms-encrypt.rb with an input file and redirect the output to a ciphertext file.
  6. Call kms-decrypt.rb with a reference to the ciphertext file.
$ kms-encrypt.rb /input/file/here |tee ciphertext.out
{
  "ciphertext": "4Bt7uXIVJ2zI5qQ6bphykjK6mFydpc9V4G0G6pi8GZxiWuNSw8J09v99i30=",
  "datakey": "AQIDAHg3ZY/4pziRas3bdm9zX/i4bWa8VnJyUyzRQ9PyByYRIQEqR6pqy6ND0ZelFNfH2SMqAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMlu6UTpFela9WZaaQAgEQgDuYQItbLfsSMj1kr/YrU0/Doi2G9Hj9WsrgYHP3BaegE6SHxkUY6c4DQG84HP/IFwR9KJmNTgcToksK8Q=="
}
$ kms-decrypt.rb ciphertext.out
FOO

About

Example of AWS Key Management Service encrypt/decrypt in ruby

Topics

ruby aws kms ciphertext

Resources

Readme
Activity

Stars

25 stars

Watchers

5 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages