Vault for storing locally encypted data in S3 using KMS keys

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mtommila from gravatar.com mtommila Avatar for psiniemi from gravatar.com psiniemi

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: Apache 2.0

Author: Pasi Niemi

Project description

nitor-vault

Command line tools and libraries for encrypting keys and values using client-side encryption with AWS KMS keys.

Installation

The easiest install is the python package from pypi:

pip install nitor-vault

Javascript and java versions are available from npm and maven central respectively and installation will depend on your needs.

Example usage

Initialize vault bucket and other infrastructure: vault --init. Will create a CloudFormation stack.

Encrypt a file and store in vault bucket: vault -s my-key -f <file>

Decrypt a file: vault -l <file>

Encrypt a single value and store in vault bucket vault -s my-key -v my-value

Decrypt a single value vault -l my-key

Using encrypted CloudFormation stack parameters

Encrypt a value like this: $ vault -e 'My secret value'

The command above will print the base64 encoded value encrypted with your vault KMS key. Use that value in a CF parameter. The value is then also safe to commit into version control and you can use it in scripts for example like this:

#!/bin/bash

MY_ENCRYPTED_SECRET="AQICAHhu3HREZVp0YXWZLoAceH1Nr2ZTXoNZZKTriJY71pQOjAHKtG5uYCdJOKYy9dhMEX03AAAAbTBrBgkqhkiG9w0BBwagXjBcAgEAMFcGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYy/tKGJFDQP6f9m1AgEQgCq1E1q8I+btMUdwRK8wYFNyE/5ntICNM96VPDnYbeTgcHzLoCx+HM1cGvc"


UNENCRYPTED_SECRET="$(vault -y $MY_ENCRYPTED_SECRET)"

Obviously you need to make sure that in the context of running vault there is some sort of way for providing kms permissions by for example adding the decryptPolicy managed policy from the vault cloudformation stack to the ec2 instance or whatever runs the code.

To decrypt the parameter value at stack creation or update time, use a custom resource:

Parameters:
  MySecret:
    Type: String
    Description: Param value encrypted with KMS
Resources:
  DecryptSecret:
    Type: "Custom::VaultDecrypt"
    Properties:
      ServiceToken: "arn:aws:lambda:<region>:<account-id>:function:vault-decrypter"
      Ciphertext: { "Ref": "MySecret" }
  DatabaseWithSecretAsPassword:
    Type: "AWS::RDS::DBInstance"
    Properties:
      ...
      MasterUserPassword:
        Fn::Sub: ${DecryptSecret.Plaintext}

Licence

Apache 2.0

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mtommila from gravatar.com mtommila Avatar for psiniemi from gravatar.com psiniemi

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: Apache 2.0

Author: Pasi Niemi


Release history Release notifications | RSS feed

This version

0.54

0.53

0.50

0.49

0.48

0.47

0.46

0.45

0.44

0.43

0.42

0.41

0.40

0.39

0.38

0.37

0.36

0.35

0.34

0.33

0.32

0.31

0.30

0.29

0.28

0.27

0.26

0.25

0.24

0.23

0.22

0.21

0.20

0.19

0.18

0.17

0.16

0.15

0.13

0.12

0.11

0.10

0.9

0.8

0.7

0.6

0.5

0.4

0.3

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nitor-vault-0.54.tar.gz (11.4 kB view hashes)

Uploaded Source

Built Distribution

nitor_vault-0.54-py3-none-any.whl (15.1 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page