s3encrypt
A tool designed to work with the ruby-kms-s3-gem.
Fully compatable with the gem - can encrypt and upload files or download and decrypt files. Also can do all forms of S3 SSE.
New: KMSencrypt
Like the concept of S3encrypt but wish it didn't use S3? Want to use KMS generated keys to encrypt files for local storage, email, or other places like github? Well, here you go:
https://github.com/DonMills/kmsencrypt
Decryption
- takes a file that you have uploaded via the ruby gem or this go program
- fetches the envelope key and decrypts the envelope key with the appropriate EncryptionContext via KMS
- then takes that key and unencrypts the data key stored with the file in metadata
- and then uses that key to decrypt the file and save it in the location specified.
Encryption
- This takes the file,
- generates a KMS envelope key tied to a supplied EncryptionContext value
- generates a local data encryption key
- encrypts the file with the data key
- encrypts the data key with the envelope key
- stores the encrypted envelope key in s3 with a (filename).key value
- stores the encrypted data key in the s3 metadata and uploads the encrypted file
How to build:
mkdir $GOPATH/src/github.com/DonMills
cd $GOPATH/src/github.com/DonMills
git clone https://github.com/DonMills/s3encrypt.git
or
go get github.com/DonMills/s3encrypt
go get github.com/aws/aws-sdk-go/
go get github.com/urfave/cli
Alternatively, if you have glide installed, you can just get the deps like this:
glide up
Then just build or install it...
go install
or
go build -o s3encrypt
./s3encrypt
Usage Notes
The tool has a full help system, but in general usage is
s3encrypt [command] {command specific options}
where commands are
s3encrypt encrypt [localfilename] [remotefilename] [bucket] [context]
OPTIONS:
-c value The customer master key id - can set with S3ENCRYPT_CMKID environment variable [$S3ENCRYPT_CMKID]
-s value The ServerSideEncryption method to use - default is none, valid options are "AES256" or "aws:kms" (default: "nil")
or
s3encrypt decrypt [localfilename] [remotefilename] [bucket] [context]
Dealing with an "AWS Error: NoCredentialProviders" error or needing ~/.aws/config
In some situations (like needing a STS token to work on an environment) or if you have entries in your ~/.aws/config file that are needed, you may need to set the following environment variable:
AWS_SDK_LOAD_CONFIG=1
This is a function of the aws sdk for go discussed here: http://docs.aws.amazon.com/sdk-for-go/api/aws/session/
Mac installation via homebrew
New! Now you can install on a mac by using homebrew.
brew install DonMills/tools/s3encrypt