KMS is a relatively new AWS service that provides an API for managing symmetric encryption keys and performing encryption operations with them, and it also serves as a source of random bytes. It is used internally by AWS to provide encryption for several services such as EBS, Redshift and S3, while letting the end user keep control over the lifecycle of the keys (a useful property, e.g. for managing compliance with the German data-privacy laws).
Another useful property of KMS is the possibility to split access between encryption and decryption operations. This makes it a convenient candidate for encrypting configuration secrets (such as database passwords or API keys), where encryption should be available to all operator-type users while decryption should be reserved to EC2 instance profiles or Lambda execution roles.
To make this easy to use we wrote a tool named envsec (es) which is similar in spirit to envplate: it either encrypts environment variables or transparently decrypts them, making them available as regular environment variables to another process which is exec()-uted after the decryption takes place.
With es, users or roles that have been granted access through a KMS key's key policy (in KMS, access rights are configured on the key itself, not in an IAM policy pointing to the key) can encrypt existing environment variables like this:
$ export HELLO=world
$ es enc --arn=arn:aws:kms:eu-west-1:1234:key/5dabcb5e-b6fd-4af2-a7f4-0b2ad5528b53 HELLO
ENVSEC_HELLO=CiB9o66svYk4uWid3Fgl1NFXHvavIw3DymOpPNUPqLCdLhKMAQEBAgB4faOurL2JOLlondxYJdTRVx72ryMNw8pjqTzVD6iwnS4AAABjMGEGCSqGSIb3DQEHBqBUMFICAQAwTQYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAwZ5yAlrGOZ14TP6ogCARCAIIBmHRkRxafXYI4xXrjcyz7RbfpbprLcEPyp4PlYujlJ
The resulting environment variable ENVSEC_HELLO can now be safely committed to version control, e.g. as part of a Dockerfile, CloudFormation or Terraform template.
To decrypt it, es can be used as follows. Given an executable shell script out.sh containing the lines

#!/bin/bash
echo "$HELLO"

we can decrypt and output our encrypted environment variable as follows:

$ es dec -- $PWD/out.sh
When using the decrypted variable values for templating, es can also easily be combined with envplate like this:

$ es dec -- /path/to/ep path/to/config/*.conf
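To make the "decrypt, then exec" step concrete, here is an added Python sketch of what es dec does; it is not the envsec code itself. It assumes the ENVSEC_ prefix convention shown above, that the decrypted value is placed under the unprefixed name and the ENVSEC_ entry dropped, and it adds one check a practitioner would want: the decrypting role is told which key ARN it expects (via a hypothetical KMS_KEY_ARN variable), so ciphertext encrypted under some other key the role happens to have access to is rejected rather than silently decrypted.

```python
import base64
import os
import sys

PREFIX = "ENVSEC_"  # es stores the ciphertext under this prefix (see the enc example)


def kms_decrypt(blob):
    """Decrypt one KMS ciphertext blob. The key ARN is embedded in the blob, so the
    caller only needs kms:Decrypt on that key via its key policy.
    Returns (plaintext bytes, ARN of the key that was actually used)."""
    import boto3  # imported lazily so the pure-Python parts run without AWS
    response = boto3.client("kms").decrypt(CiphertextBlob=blob)
    return response["Plaintext"], response["KeyId"]


def decrypt_environment(environ, decrypt=kms_decrypt, expected_key_arn=None):
    """Return a copy of `environ` where every ENVSEC_NAME entry is replaced by NAME
    holding the decrypted value (assumption: the ENVSEC_ entry is dropped and a
    decrypted value overrides a plain variable of the same name).
    With `expected_key_arn` set, blobs decrypted by any other key are rejected."""
    result = {k: v for k, v in environ.items() if not k.startswith(PREFIX)}
    for name, value in environ.items():
        if not name.startswith(PREFIX):
            continue
        plain_name = name[len(PREFIX):]
        if not plain_name:
            raise ValueError("empty variable name after ENVSEC_ prefix")
        try:
            blob = base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
        except ValueError as exc:
            raise ValueError(f"{name} does not hold valid base64") from exc
        plaintext, key_arn = decrypt(blob)
        if expected_key_arn is not None and key_arn != expected_key_arn:
            raise ValueError(f"{name} was encrypted under {key_arn}, not the expected key")
        result[plain_name] = plaintext.decode("utf-8")
    return result


def main(argv):
    """Mimic `es dec -- <command>`: decrypt, then replace this process with the command."""
    args = argv[1:]
    if args and args[0] == "--":
        args = args[1:]
    if not args:
        sys.exit("usage: es_dec.py [--] <command> [args...]")
    # KMS_KEY_ARN is our own (hypothetical) convention, not an es feature.
    env = decrypt_environment(dict(os.environ), expected_key_arn=os.environ.get("KMS_KEY_ARN"))
    os.execvpe(args[0], args, env)


if __name__ == "__main__":
    main(sys.argv)
```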
Interested in getting started with KMS and es? Check out the example section of es, which also contains a CloudFormation / Tacks stack to get you started with custom KMS keys and matching encryption / decryption IAM roles for easy testing.
Image credits for the cover image go to Marcus Povey.