-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathimport-aws-kms-key.sh
executable file
·38 lines (30 loc) · 1.49 KB
/
import-aws-kms-key.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/bin/bash
# Reference: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
# Example Reference: https://gist.github.com/madhusudangohil/a6cc80e1be9074ff1e7f59e88ace3a79
# Export your AWS Profile credentials: source exportAWSProfile.sh
# Downloading the public key and import token (AWS KMS API)
export KEY=`aws kms get-parameters-for-import \
--key-id 077036ed-fcc2-4ea7-8509-088aca92c99c \
--wrapping-algorithm RSAES_OAEP_SHA_256 \
--wrapping-key-spec RSA_2048 --query '{Key:PublicKey,Token:ImportToken}' --output text`
echo $KEY | awk '{print $1}' > PublicKey.b64
echo $KEY | awk '{print $2}' > ImportToken.b64
# To base64 decode the public key and import token
openssl enc -d -base64 -A -in PublicKey.b64 -out PublicKey.bin
openssl enc -d -base64 -A -in ImportToken.b64 -out ImportToken.bin
# To use OpenSSL to generate binary key material and encrypt it for import into AWS KMS
openssl rand -out PlaintextKeyMaterial.bin 32
# Encrypt the Key material with PublicKey.bin
openssl pkeyutl \
-in PlaintextKeyMaterial.bin \
-out EncryptedKeyMaterial.bin \
-inkey PublicKey.bin \
-keyform DER -pubin \
-encrypt \
-pkeyopt rsa_padding_mode:oaep \
-pkeyopt rsa_oaep_md:sha256
# Import key material (AWS KMS API)
aws kms import-key-material \
--key-id 077036ed-fcc2-4ea7-8509-088aca92c99c --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
--import-token fileb://ImportToken.bin \
--expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE