Gozer the Traveller, he will come in one of the pre-chosen forms. During the rectification of the Vuldronaii, the Traveller came as a large and moving Torb! Then, during the third reconciliation of the last of the Meketrex Supplicants they chose a new form for him... that of a Giant Sloar! Many Shubs and Zulls knew what it was to be roasted in the depths of the Sloar that day I can tell you.
s3kms is a simple utility for managing encrypted files in S3 for use with AWS's Key Management Service (KMS). It supports two operations on an object in S3: get and put. Assuming you have the appropriate key permissions in KMS:
s3kms put -k alias/devkey -b mybucket -o someobject
- Setup the appropriate encryption context in KMS
- Read from STDIN until EOF
- Encrypt the bytes read
- Put the encrypted data into the specified S3 bucket
s3kms get -b mybucket -o someobject
- Setup the appropriate encryption context in KMS
- Get the encrypted data from S3
- Decrypt the read data
- Write the encrypted data to STDOUT
s3kms is configured via environment variables or via the command line. See
s3kms help
for more information.
AWS_KMS_KEY_ARN
: This is the ARN to the KMS key.AWS_DEFAULT_REGION
: This is the region used for everything, basically.AWS_ACCESS_KEY_ID
: The access key used should have the necessary privileges in KMS.AWS_SECRET_ACCESS_KEY
: Private key for associated access key id.AWS_ACCOUNT_ID
: Account ID for granting read access with s3kms put.
In practice, we use a different key for environments, as opposed to entity under encryption. This seems to be the easiest way to configure things.