Because encrypting things in bash is hard.
brew install libressl
AWS KMS can be used to manage the AES secret key.
$ # Expects the following environment variables
$ # AWS_REGION
$ # KMS_KEY_ARN
$ # to be set
$ make kms-key
Retreived Ciphertext from KMS:
AQID...
Available in env-var
`KMS_CIPHERTEXT`
$ # Expects the following environment variables
$ # AWS_REGION
$ # KMS_CIPHERTEXT # cyphertext returned from `make kms-key` above
$ # to be set
$ make kms-get-secret
make key
This will create a key file. Do NOT lose it as it is required to encrypt & decrypt files.
If the key file already exists, it will use it. This target also looks @ the AES_256_GCM_SECRET env var too. In order of precedence:
$(pwd)/keyAES_256_GCM_SECRETenv var (which then gets written to$(pwd)/key)- Generate a NEW one via openssl
Running make encrypt secret=<YOUR FILE> will generate a JSON blob/file. This, be default, will call generate-key (above), so if you have a key file from before or not this should just work.
So given a file, this target will attempt to encrypt it and write the contents into a file named -encrypted.json
e.g. in decrypt-val-encrypted.json:
{
"salt": "60C189E7FE7F0000",
"iv": "da301c3f6ba2142ad8108da5120b74a8",
"value-base64-encoded": "Nw0cXjZeetA4lxHpfmuiaVg="
}decrypt-val-encrypted.json from above can be decrypted, assuming that you still have the same key file that was used to encrypt it present.
make decrypt encrypted=<FILE> will then write a new file containing the decrypted contents.
e.g.:
$ make decrypt encrypted=val.json-encrypted.json
# Checking for input file (encrypted=<YOUR_FILE> - generated via "make encrypt")
if [ -z "val.json-encrypted.json" ]; then exit 1; fi
# Reading encrypted metadata...
# Decrypting...
Decrypted decrypt-val.attempt.json from val.json-encrypted.json
$
$
$ cat decrypt-val.attempt.json
{"secret":"val"}