A tool for storing and retrieving encrypted data using the AWS Key Management Service
# kmstool
kmstool helps you encrypt data using the Amazon Key Management Service in AWS.
## Installing
```
pip install .
```
## Usage
kmstool has two modes: pack and unpack
### store
```
kmstool pack <key_id> <source>
```
This command takes a KMS key ID, produces a data key, and uses that key to
encrypt the file `<source>`. An encrypted copy of the data key is stored, along
with the encrypted files, in the current directory.
### retrieve
```
kmstool retrieve <source>
```
This command reads the contents of `<source>`, passes the encrypted data key to
KMS, and uses the resulting plaintext key to decrypt the original data. The
files are extracted to the current directory.
### Additional Options
Additional options are available: see `kmstool -h` for usage information.
Unless otherwise specified, AWS credentials are determined by first examining
the environment, then a search of the AWS metadata service, and finally using
the "default" botocore profile.
```
--profile
    AWS (botocore) profile to use when contacting the KMS.
--region
    AWS region to connect to for KMS.
```
An optional encryption context may be passed when storing files. The same
context must be passed when retrieving them.
```
-c --encryption-context foo=bar,baz=qux
```
## Internals
The output of `kmstool pack` is a gzipped GNU tar file containing the
KMS-encrypted data key plus an encrypted tar.gz of the source data. The
encrypted data is stored as follows (numbers are byte offsets).
```
0-15  Initialization Vector
16-N  Encrypted data:
        0-15  Original filesize
        16-N  Original data
```
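The framing described above, written out as an added example (not kmstool's own code). It assumes the size field is a zero-padded ASCII decimal and that the payload is zero-padded to a 16-byte block, and it leaves the cipher itself out; all function and constant names are hypothetical.

```python
IV_LEN = 16    # blob bytes 0-15: initialization vector
SIZE_LEN = 16  # decrypted bytes 0-15: original filesize
BLOCK = 16     # assumption: cipher block size equals the IV length


class LayoutError(ValueError):
    """The input does not match the documented layout."""


def split_blob(blob):
    """Split an encrypted blob into (iv, ciphertext) before decryption."""
    if len(blob) < IV_LEN + BLOCK:
        raise LayoutError("too short for an IV plus one ciphertext block")
    iv, ciphertext = blob[:IV_LEN], blob[IV_LEN:]
    if len(ciphertext) % BLOCK:
        raise LayoutError("ciphertext is not a whole number of blocks")
    return iv, ciphertext


def build_payload(data):
    """Size header + data, zero-padded to a block boundary (what gets encrypted)."""
    body = b"%016d" % len(data) + data  # assumption: ASCII decimal size field
    return body + b"\0" * (-len(body) % BLOCK)


def strip_payload(payload):
    """Recover the original data from a decrypted payload.

    The documented layout lists no integrity tag, so the size field is
    treated as untrusted and checked against the bytes actually present.
    """
    header, body = payload[:SIZE_LEN], payload[SIZE_LEN:]
    if len(header) != SIZE_LEN or not header.isdigit():
        raise LayoutError("size header is not 16 ASCII digits")
    size = int(header.decode("ascii"))
    if size > len(body):
        raise LayoutError("declared size exceeds the decrypted data")
    if len(body) - size >= BLOCK:
        raise LayoutError("more trailing bytes than one block of padding")
    return body[:size]


if __name__ == "__main__":
    sample = b"constructed sample data"  # constructed input
    framed = build_payload(sample)
    print(len(framed), strip_payload(framed) == sample)
```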