A tool for storing and retrieving encrypted data using the AWS Key Management Service
# kmstool
kmstool helps you encrypt data using the AWS Key Management Service (KMS).
## Installing
```
pip install .
```
## Usage
kmstool has two modes: store and retrieve.
### store
```
kmstool store <key_id> <source> <dest>
```
This command takes a KMS key ID, produces a data key, and uses that key to
encrypt the file `<source>`. An encrypted copy of the data key is stored, along
with the encrypted file, at `<dest>`.
### retrieve
```
kmstool retrieve <source> <dest>
```
This command reads the contents of `<source>`, passes the encrypted data key to
KMS, and uses the resulting plaintext key to decrypt the original data. The
result is saved to `<dest>`.
### Additional Options
Additional options are available: see `kmstool -h` for usage information.
Unless otherwise specified, AWS credentials are determined by first examining
the environment, then searching the AWS metadata service, and finally using
the "default" botocore profile.
```
--profile
    AWS (botocore) profile to use when contacting the KMS.
--region
    AWS region to connect to for KMS.
```
An optional encryption context may be passed when storing files. The same
context must be passed when retrieving them.
```
-c --encryption-context foo=bar,baz=qux
```
## Internals
The output of `kmstool store` is a gzipped GNU tar file containing the
KMS-encrypted data key plus an encrypted copy of the source data. The
encrypted data is stored as follows (numbers are byte offsets).
```
0-15    Initialization Vector
16-N    Encrypted data:
            0-15    Original filesize
            16-N    Original data
```
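A reader for this layout, written defensively, might look like the following. This is an added example, not kmstool's own code: the member names `key` and `data`, the big-endian size encoding, the zero padding and the 16-byte block size are assumptions. The cipher is left out because this page does not name it, so the constructed sample body is unencrypted.

```python
import io
import tarfile

IV_LEN = 16    # bytes 0-15 of the encrypted member (from the layout above)
SIZE_LEN = 16  # bytes 0-15 of the decrypted body (from the layout above)
BLOCK = 16     # assumption: 16-byte cipher block, inferred from the IV length


def read_members(archive, limit=1 << 26):
    """Read a gzipped tar into {name: bytes} in memory, never extracting to disk."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for info in tar:
            if not info.isfile() or info.size > limit:
                raise ValueError("unexpected member: %r" % info.name)
            members[info.name] = tar.extractfile(info).read()
    return members


def split_payload(blob):
    """Split the encrypted member into (iv, ciphertext) at byte offset 16."""
    if len(blob) < IV_LEN + SIZE_LEN or (len(blob) - IV_LEN) % BLOCK:
        raise ValueError("payload is truncated or not block-aligned")
    return blob[:IV_LEN], blob[IV_LEN:]


def pack_body(data):
    """Build the body that gets encrypted: size field, data, zero padding."""
    body = len(data).to_bytes(SIZE_LEN, "big") + data  # assumed encoding
    return body + b"\0" * (-len(body) % BLOCK)


def unpack_body(body):
    """Return the original data from a decrypted body, dropping the padding."""
    size = int.from_bytes(body[:SIZE_LEN], "big")
    data = body[SIZE_LEN:]
    if len(body) < SIZE_LEN or not 0 <= len(data) - size < BLOCK:
        raise ValueError("size field does not match the body length")
    return data[:size]


def build_sample(data, iv=b"\x11" * IV_LEN):
    """Constructed archive; the body is left unencrypted (cipher not modelled)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", format=tarfile.GNU_FORMAT) as tar:
        for name, blob in (("key", b"<wrapped data key>"), ("data", iv + pack_body(data))):
            info = tarfile.TarInfo(name)  # member names are hypothetical
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()
```

The stored size is what lets a reader cut the padding off after decryption, so `unpack_body` rejects a size field that disagrees with the body length instead of trusting it.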