nitor-vault

Name: nitor-vault
Version: 0.54
Home page: http://github.com/NitorCreations/vault
Summary: Vault for storing locally encrypted data in S3 using KMS keys
Upload time: 2022-01-14 06:23:56
Author: Pasi Niemi
License: Apache 2.0
Requirements: No requirements were recorded.

nitor-vault
===========

Command line tools and libraries for encrypting keys and values using client-side encryption with AWS KMS keys.

# Installation

The easiest install is the Python package from PyPI:
```
pip install nitor-vault
```

JavaScript and Java versions are available from npm and Maven Central respectively; how you install them depends on your needs.

# Example usage

Initialize the vault bucket and other infrastructure: `vault --init`. This creates a CloudFormation stack.

Encrypt a file and store it in the vault bucket: `vault -s my-key -f <file>`

Decrypt a file: `vault -l <file>`

Encrypt a single value and store it in the vault bucket: `vault -s my-key -v my-value`

Decrypt a single value: `vault -l my-key`

## Using encrypted CloudFormation stack parameters

Encrypt a value like this: `$ vault -e 'My secret value'`

The command above prints the base64-encoded value encrypted with your vault KMS key. Use that value in a CloudFormation parameter. Because it is ciphertext, the value is also safe to commit to version control, and you can use it in scripts, for example like this:

```
#!/bin/bash

# Ciphertext produced by `vault -e`; it is safe to keep in the script.
MY_ENCRYPTED_SECRET="AQICAHhu3HREZVp0YXWZLoAceH1Nr2ZTXoNZZKTriJY71pQOjAHKtG5uYCdJOKYy9dhMEX03AAAAbTBrBgkqhkiG9w0BBwagXjBcAgEAMFcGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYy/tKGJFDQP6f9m1AgEQgCq1E1q8I+btMUdwRK8wYFNyE/5ntICNM96VPDnYbeTgcHzLoCx+HM1cGvc"

# Decrypt at runtime; the caller needs decrypt permission on the vault KMS key.
UNENCRYPTED_SECRET="$(vault -y "$MY_ENCRYPTED_SECRET")"
```

Obviously, whatever runs `vault` needs KMS permissions: for example, attach the decryptPolicy managed policy from the vault CloudFormation stack to the EC2 instance (or whatever else runs the code).

To decrypt the parameter value at stack creation or update time, use a custom resource:

```
Parameters:
  MySecret:
    Type: String
    Description: Param value encrypted with KMS
Resources:
  DecryptSecret:
    Type: "Custom::VaultDecrypt"
    Properties:
      ServiceToken: "arn:aws:lambda:<region>:<account-id>:function:vault-decrypter"
      Ciphertext: { "Ref": "MySecret" }
  DatabaseWithSecretAsPassword:
    Type: "AWS::RDS::DBInstance"
    Properties:
      ...
      MasterUserPassword:
        Fn::Sub: ${DecryptSecret.Plaintext}
```
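The template above refers to a `vault-decrypter` Lambda that the page does not show. As an added example (not the project's own code), here is a minimal `Custom::VaultDecrypt` handler: it KMS-decrypts the base64 `Ciphertext` property (assumed to be a `vault -e` blob decryptable with boto3), returns the result as the `Plaintext` attribute, and sets `NoEcho` so the secret is masked in stack events. The injectable `decrypt`/`send` hooks, `SAMPLE_EVENT` and `demo()` are assumptions that let the flow run offline.

```python
import base64
import json
import urllib.request

def kms_decrypt(ciphertext_b64):
    """Decrypt a `vault -e` blob with KMS (assumes boto3 and credentials at runtime)."""
    import boto3  # imported lazily so the module still loads without AWS libraries
    blob = base64.b64decode(ciphertext_b64, validate=True)
    return boto3.client("kms").decrypt(CiphertextBlob=blob)["Plaintext"].decode()

def build_response(event, status, data=None, reason=""):
    """Response object CloudFormation expects at the pre-signed ResponseURL."""
    return {
        "Status": status,
        "Reason": reason,
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "NoEcho": True,  # mask Data.Plaintext in stack events and describe-stacks output
        "Data": data or {},
    }

def put_response(url, body):
    # Pre-signed S3 PUT; CloudFormation requires an empty Content-Type here.
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req).close()

def handler(event, context=None, decrypt=kms_decrypt, send=put_response):
    if event["RequestType"] == "Delete":
        body = build_response(event, "SUCCESS")  # nothing to clean up
    else:
        try:
            plaintext = decrypt(event["ResourceProperties"]["Ciphertext"])
            body = build_response(event, "SUCCESS", {"Plaintext": plaintext})
        except Exception as exc:
            # Always answer, or the stack hangs until the custom resource times out.
            body = build_response(event, "FAILED", reason=f"decrypt failed: {exc}")
    send(event["ResponseURL"], body)
    return body

# Constructed sample event (not from a real stack); decrypt/send are stubbed in demo().
SAMPLE_EVENT = {"RequestType": "Create", "ResponseURL": "https://example.invalid/cfn",
                "StackId": "stack-id", "RequestId": "req-1", "LogicalResourceId": "DecryptSecret",
                "ResourceProperties": {"Ciphertext": base64.b64encode(b"blob").decode()}}

def demo():
    return handler(SAMPLE_EVENT, decrypt=lambda c: "My secret value", send=lambda u, b: None)
```

The function's execution role still needs `kms:Decrypt` on the vault key (the page's decryptPolicy), and NoEcho only masks the value in CloudFormation output, not wherever the stack passes it on.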

# Licence

[Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0)
