Skip to main content

A command-line tool that can encrypt/decrypt secrets using the AWS Encryption SDK for use in multiple AWS KMS regions.

Project description

mrcrypt: Multi-Region Encryption

mrcrypt is a command-line tool which encrypts secrets that conform to the AWS Encryption SDK’s message format for envelope encryption. As of v2.0, mrcrypt now wraps the aws-encryption-sdk-cli.

For more information about the AWS Encryption SDK see


You can install the latest release of mrcrypt with pip:

pip install mrcrypt

Quick Start

Encrypt a file for use in 3 regions (NOTE: Key alias must exist in specified regions):

mrcrypt encrypt -r us-east-1 us-west-2 eu-west-1 -- alias/master-key secrets.txt

Decrypt the file:

mrcrypt decrypt secrets.txt.encrypted


usage: mrcrypt [-h] [-p PROFILE] [-v] [-q] [-o OUTFILE] {encrypt,decrypt} ...

Multi Region Encryption. A tool for managing secrets across multiple AWS

positional arguments:

optional arguments:
  -h, --help            show this help message and exit
  -p PROFILE, --profile PROFILE
                        The profile to use
  -v, --verbose         More verbose output (ignored if --quiet)
  -q, --quiet           Quiet all output
  -o OUTFILE, --outfile OUTFILE
                        The file to write the results to (use "-" to write to

Both the encrypt, and decrypt commands can encrypt and decrypt files in directories recursively.

Named Profiles

If you have multiple named profiles in your ~/.aws/credentials file, you can specify one using the -p argument.

mrcrypt -p my_profile encrypt alias/master-key secrets.txt

Encryption Context

You can specify an encryption context using the -e argument. This flag takes a JSON object with no spaces:

# encrypt
mrcrypt -e '{"key":"value","key2":"value2"}' encrypt alias/master-key secrets.txt

# decrypt
mrcrypt -e '{"key":"value","key2":"value2"}' decrypt secrets.txt.encrypted

Output file name

If you want to specify the output filename, you can use the -o argument.

# Encrypt ‘file.txt’ writing the output into ‘encrypted-file.txt’ mrcrypt -o encrypted-file.txt encrypt alias/master-key file.txt

To write to stdout, you can use -

# Encrypt ‘file.txt’ writing the output to stdout mrcrypt -o - encrypt alias/master-key file.txt

When the output filename argument is not specified, mrcrypt will use the input filename as a base and add a suffix. On encrypt this suffix is .encrypted and on decrypt this suffix is .decrypted.


usage: mrcrypt encrypt [-h] [-r REGIONS [REGIONS ...]] [-e ENCRYPTION_CONTEXT]
                       key_id filename

Encrypts a file or directory recursively

positional arguments:
  key_id                An identifier for a customer master key.
  filename              The file or directory to encrypt. Use "-" to read from

optional arguments:
  -h, --help            show this help message and exit
  -r REGIONS [REGIONS ...], --regions REGIONS [REGIONS ...]
                        A list of regions to encrypt with KMS. End the list
                        with --
                        An encryption context to use

Example: Encrypt secrets.txt with the key alias alias/master-key in the regions us-east-1 and us-west-2:

mrcrypt encrypt -r us-east-1 us-west-2 -- alias/master-key secrets.txt

Note: In this example, the key alias alias/master-key exists in both the us-east-1, and us-west-2 regions.


usage: mrcrypt decrypt [-h] filename

Decrypts a file

positional arguments:
  filename    The file or directory to decrypt. Use "-" to read from stdin

optional arguments:
  -h, --help  show this help message and exit

Example: To decrypt secrets.txt.encrypted:

mrcrypt decrypt secrets.txt.encrypted

Note: Be careful when decrypting a directory. If the directory contains files that are not encrypted, it will fail.


Running tests for mrcrypt is easy if you have tox installed. Simply run tox at the project’s root.

If you have an AWS account with a KMS key, you can run the integration tests using

AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID=<my-key-arn> tox -e py{27,34,35,36}-{local,integ}

Note about files created with mrcrypt before v2.0

Upon the release of v2.0, mrcrypt started wrapping the aws-encryption-sdk-cli. Wrapping the aws-encryption-sdk-cli means that mrcrypt now fully conforms to the AWS Encryption SDK’s message format and uses compressed points when encrypting files. Before v2.0, mrcrypt did not use compressed points, and while still secure, it lead to compatibility issues with other AWS Encryption SDK implementations. To update your pre-2.0 mrcrypt encrypted files, and improve compatibility with the AWS Encryption SDK, simply decrypt and re-encrypt your file with the latest version of mrcrypt.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for mrcrypt, version 2.0.0
Filename, size File type Python version Upload date Hashes
Filename, size mrcrypt-2.0.0.tar.gz (12.8 kB) File type Source Python version None Upload date Hashes View
Filename, size mrcrypt-2.0.0-py2.py3-none-any.whl (14.4 kB) File type Wheel Python version py2.py3 Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Huawei Huawei PSF Sponsor Microsoft Microsoft PSF Sponsor NVIDIA NVIDIA PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page