From 1f9808f3d504da880d71d185f05b72798e65a2b9 Mon Sep 17 00:00:00 2001 From: Michael Andrews Date: Fri, 13 Oct 2017 17:35:24 -0400 Subject: [PATCH] Update README (#6) --- README.rst | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/README.rst b/README.rst index 10abd46..f98f6e0 100644 --- a/README.rst +++ b/README.rst @@ -13,12 +13,9 @@ mrcrypt: Multi-Region Encryption .. image:: https://codecov.io/gh/aol/mrcrypt/branch/master/graph/badge.svg :target: https://codecov.io/gh/aol/mrcrypt -mrcrypt is a command-line tool that allows you to encrypt secrets in -multiple AWS regions using KMS keys using a technique called `Envelope -Encryption `__. -It is intended to be used with the `AWS Encryption SDK for -Java `__, but could -be used on its own. +mrcrypt is a command-line tool which encrypts secrets that conform to the AWS Encryption SDK's `message format `__ for envelope encryption. Envelope encryption is used to encrypt a file using a KMS data key. That data key is then encrypted with regional KMS Customer Master Keys. Each regionally encrypted data key is then stored in the encrypted message. When decrypting, the appropriate regional CMK is used to decrypt the data key, and the data key is then used to decrypt the file. In other words, encrypt once - decrypt from anywhere. + +Because mrcrypt follows the AWS Encryption SDK's message format, files encrypted by mrcrypt can also be decrypted by the AWS Encryption SDKs for Python and Java. This allows application developers to build robust in-app decryption solutions. Installation ============ 
@@ -186,6 +183,11 @@ Compatability with the AWS Encryption SDK Encryption SDK.** But not all files encrypted with the AWS Encryption SDK can be decrypted by mrcrypt. +mrcrypt itself does not use the +`AWS Encryption SDK for Python `__, +as it was written prior to its release. However, future releases may +decide to do so. + Currently, mrcrypt only supports the AWS Encryption SDK's default (and most secure) cryptographic algorithm:
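Review bot: In the first hunk (the README.rst introduction), the added opening sentence reads as though the secrets, rather than mrcrypt's output, conform to the AWS Encryption SDK's message format; something like "encrypts secrets into messages that conform to the AWS Encryption SDK's message format" would remove the ambiguity. The new introduction also states compatibility in one direction only (files encrypted by mrcrypt can be decrypted by the SDKs for Python and Java), while the compatibility section further down says not all files encrypted with the SDK can be decrypted by mrcrypt, so a short pointer to that section here would keep readers from assuming the reverse holds. As a style point, the removed lines were hard-wrapped and the two added paragraphs are each a single long line; wrapping them would match the rest of the file and the second hunk of this same patch.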
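Review bot: In the second hunk (the "Compatability with the AWS Encryption SDK" section), the added paragraph lands between the statement that not all files encrypted with the AWS Encryption SDK can be decrypted by mrcrypt and the "Currently, mrcrypt only supports ..." sentence that explains it, which separates the limitation from its reason; placing the new paragraph after the algorithm explanation, or before the bolded compatibility statement, would keep that reasoning together. The wording "future releases may decide to do so" is also vague about what would change; "a future release may switch to it" says it more directly. The section heading shown in the hunk header is spelled "Compatability", and since this commit already edits that section it could correct it to "Compatibility".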