package main
import (
"encoding/base64"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/dynamodb"
"github.com/aws/aws-sdk-go/service/kms"
)
// CreateKey creates a new symmetric KMS key described and tagged as
// "kms-cryptsetup", points the alias "alias/kms-cryptsetup" at it, and
// returns the new key's ARN.
//
// Both KMS errors are routed through HandleError (defined elsewhere in
// this file). The ARN dereference below happens after the first call, so
// the code assumes HandleError does not return on a non-nil error —
// confirm against its definition. session.New is the deprecated session
// constructor; session.NewSession surfaces shared-config errors up front.
func CreateKey() string {
	client := kms.New(session.New())

	const label = "kms-cryptsetup"
	created, err := client.CreateKey(&kms.CreateKeyInput{
		Description: aws.String(label),
		Tags: []*kms.Tag{
			{TagKey: aws.String("Name"), TagValue: aws.String(label)},
		},
	})
	HandleError(err)

	keyARN := *created.KeyMetadata.Arn

	// A fixed alias lets the other functions address the key without
	// persisting its ARN anywhere.
	_, err = client.CreateAlias(&kms.CreateAliasInput{
		AliasName:   aws.String("alias/kms-cryptsetup"),
		TargetKeyId: aws.String(keyARN),
	})
	HandleError(err)

	return keyARN
}
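// DecryptDataKey fetches this computer/disk's wrapped data key from
// DynamoDB (creating and storing one first if none exists, via
// GetEncryptedDiskKey) and asks KMS to unwrap it. The return value is the
// raw plaintext data key.
//
// The decrypt is pinned to "alias/kms-cryptsetup": the ciphertext blob is
// read back from a database row, and without KeyId KMS would unwrap it under
// whichever key the blob itself names. Naming the key makes a blob that was
// wrapped under some other key this principal may use fail loudly instead of
// handing back a key the caller never generated.
func DecryptDataKey() []byte {
	svc := kms.New(session.New())
	data := GetEncryptedDiskKey()
	input := &kms.DecryptInput{
		CiphertextBlob: data,
		// Must match the context used by GenerateDataKey exactly, or KMS
		// rejects the request.
		EncryptionContext: EncryptionContext(),
		// Only accept ciphertext produced under the expected key.
		KeyId: aws.String("alias/kms-cryptsetup"),
	}
	result, err := svc.Decrypt(input)
	HandleError(err)
	return result.Plaintext
}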
// KeyARN resolves "alias/kms-cryptsetup" to the ARN of the key behind it.
// When KMS reports that the alias does not exist, CreateKey is invoked to
// create the key and alias, and that key's ARN is returned instead.
//
// For any other DescribeKey error the behaviour depends on
// HandleErrorWithMatch (defined elsewhere in this file): the dereference
// below assumes it does not return in that case — confirm before relying
// on it.
func KeyARN() string {
	describe := &kms.DescribeKeyInput{
		KeyId: aws.String("alias/kms-cryptsetup"),
	}
	out, err := kms.New(session.New()).DescribeKey(describe)
	if aliasMissing := HandleErrorWithMatch(err, kms.ErrCodeNotFoundException); aliasMissing {
		return CreateKey()
	}
	return *out.KeyMetadata.Arn
}
// EncryptionContext returns the additional authenticated data bound to
// every GenerateDataKey/Decrypt call: a single "Computer" entry holding
// ComputerContext().
//
// The disk is deliberately absent here even though DiskDynamoKey keys the
// stored blob by both Computer and Disk; KMS therefore does not distinguish
// data keys of different disks on the same computer. Adding a "Disk" entry
// would tighten that binding, but would break unwrapping of keys already
// wrapped under the current context.
func EncryptionContext() map[string]*string {
	ctx := make(map[string]*string, 1)
	ctx["Computer"] = aws.String(ComputerContext())
	return ctx
}
// GenerateDataKey asks KMS for a fresh 256-bit AES data key under
// "alias/kms-cryptsetup", bound to EncryptionContext(), and returns only
// its wrapped (ciphertext) form. The plaintext half KMS also returns is
// dropped here; DecryptDataKey recovers it when needed.
func GenerateDataKey() []byte {
	req := &kms.GenerateDataKeyInput{
		KeyId:             aws.String("alias/kms-cryptsetup"),
		KeySpec:           aws.String(kms.DataKeySpecAes256),
		EncryptionContext: EncryptionContext(),
	}
	resp, err := kms.New(session.New()).GenerateDataKey(req)
	HandleError(err)
	return resp.CiphertextBlob
}
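// SaveEncryptedDiskKey generates a new wrapped data key for this
// computer/disk pair, stores it base64-encoded as "KeyData" in the
// "kms-cryptsetup" DynamoDB table under the row key from DiskDynamoKey(),
// and returns the raw wrapped key bytes.
//
// The write is conditional on no KeyData existing in that row. The visible
// caller (GetEncryptedDiskKey) only gets here after reading an empty
// KeyData, but two first runs racing, or a stale read, could otherwise
// silently replace the key a disk was already encrypted with, leaving that
// disk unrecoverable. With the condition the losing writer gets a
// ConditionalCheckFailedException from PutItem, which is handed to
// HandleError rather than clobbering the row.
func SaveEncryptedDiskKey() []byte {
	data := GenerateDataKey()
	encoded := base64.StdEncoding.EncodeToString(data)

	// Build the item from the same row key GetEncryptedDiskKey looks up, so
	// the Computer/Disk attributes cannot drift between the two paths.
	item := DiskDynamoKey()
	item["KeyData"] = &dynamodb.AttributeValue{S: aws.String(encoded)}

	input := &dynamodb.PutItemInput{
		Item:                   item,
		ConditionExpression:    aws.String("attribute_not_exists(KeyData)"),
		ReturnConsumedCapacity: aws.String(dynamodb.ReturnConsumedCapacityTotal),
		TableName:              aws.String("kms-cryptsetup"),
	}
	_, err := dynamodb.New(session.New()).PutItem(input)
	HandleError(err)
	return data
}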
// GetEncryptedDiskKey returns the wrapped data key for this computer/disk
// pair. It reads the DynamoDB record addressed by DiskDynamoKey(); when
// that record carries no KeyData, a fresh key is generated and stored by
// SaveEncryptedDiskKey and returned. Otherwise the stored base64 string is
// decoded back to bytes.
//
// GetDynamoRecord is defined elsewhere in this file; record.KeyData is read
// without a nil check, so this presumes a missing row yields a value with
// an empty KeyData rather than a nil pointer — confirm against its
// definition.
func GetEncryptedDiskKey() []byte {
	stored := GetDynamoRecord(DiskDynamoKey()).KeyData
	if stored == "" {
		return SaveEncryptedDiskKey()
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	HandleError(err)
	return raw
}
// DiskDynamoKey builds the DynamoDB key identifying this computer/disk
// pair: the "Computer" attribute from ComputerContext() and the "Disk"
// attribute from DiskContext(*device). device is a package-level pointer
// declared elsewhere in this file (presumably a parsed flag — confirm).
func DiskDynamoKey() map[string]*dynamodb.AttributeValue {
	key := make(map[string]*dynamodb.AttributeValue, 2)
	key["Computer"] = &dynamodb.AttributeValue{S: aws.String(ComputerContext())}
	key["Disk"] = &dynamodb.AttributeValue{S: aws.String(DiskContext(*device))}
	return key
}