Shopify / ejson

EJSON is a small library to manage encrypted secrets using asymmetric encryption.
MIT License
1.34k stars 62 forks

AWS KMS support #42

Closed stevehodgkiss closed 5 years ago

stevehodgkiss commented 7 years ago

Proposal: Support for storing the private key encrypted with a given KMS key inside the EJSON document. Decryption of secrets would require permission to decrypt with the KMS key, not access to the unencrypted private key on disk as before.

This is similar to how sops works in how it wraps the private key with KMS and stores it in the yaml file.

Benefits (for applications on AWS):

I imagine it working like this:

❯ aws-vault exec [profile] -- ejson keygen --kms-key-id [kms_key_id]
Public Key:
[public_key]
Private Key:
[private_key]
KMS Encrypted Private Key:
[private_key_enc_w_kms_key]

❯ # create test.ejson with the above

❯ cat test.ejson
{
  "_public_key": "[public_key]",
  "_kms_encrypted_private_key": "[private_key_enc_w_kms_key]",
  "test": "EJ[...]"
}

❯ aws-vault exec [profile] -- ejson decrypt test.ejson
{
  "_public_key": "[public_key]",
  "_kms_encrypted_private_key": "[private_key_enc_w_kms_key]",
  "test": "sssh! it's a secret"
}
stevehodgkiss commented 7 years ago

@burke is this something you'd consider adding to EJSON?

burke commented 7 years ago

I think this is a great usage pattern but TBH I would implement it as a wrapper and keep EJSON doing as little as possible, especially since it seems like it would be relatively simple as a wrapper script. I just merged the key-from-stdin PR; I'll push a new release out in the next hour or two.
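As an added example (not ejson's own code, nor the envato or ejson-kms wrappers mentioned later in this thread), here is the flow from the proposal above written as the kind of external wrapper burke suggests, in Go. KMS is abstracted behind a `KeyWrapper` interface with a constructed AES-GCM stand-in so the example runs offline; in a real wrapper the two methods would call the KMS Encrypt and Decrypt APIs with the chosen key id. The field name `_kms_encrypted_private_key` comes from the proposal; base64 encoding of the wrapped blob and the check that the unwrapped private key actually reproduces `_public_key` are this example's own choices. The recovered key is what the wrapper would feed to `ejson decrypt --key-from-stdin`, the stdin feature burke mentions merging.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// KeyWrapper is all the wrapper needs from KMS: wrap and unwrap one small blob. In production this
// would be backed by the KMS Encrypt/Decrypt API for the chosen key id (AWS SDK left out: assumption).
type KeyWrapper interface {
	Wrap(plaintext []byte) ([]byte, error)
	Unwrap(ciphertext []byte) ([]byte, error)
}

// localWrapper is a constructed stand-in for a KMS key: AES-GCM under a key held only in memory.
type localWrapper struct{ aead cipher.AEAD }

func newLocalWrapper() *localWrapper {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { panic(err) }
	block, _ := aes.NewCipher(key) // neither constructor can fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return &localWrapper{aead}
}

// Wrap returns nonce || ciphertext+tag; Unwrap reverses it and fails on any tampering.
func (w *localWrapper) Wrap(pt []byte) ([]byte, error) {
	nonce := make([]byte, w.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return append(nonce, w.aead.Seal(nil, nonce, pt, nil)...), nil
}

func (w *localWrapper) Unwrap(ct []byte) ([]byte, error) {
	n := w.aead.NonceSize()
	if len(ct) < n {
		return nil, errors.New("wrapped key too short")
	}
	return w.aead.Open(nil, ct[:n], ct[n:], nil)
}

// kmsField is the document key proposed in the issue.
const kmsField = "_kms_encrypted_private_key"

// GenerateKeypair makes an ejson-style Curve25519 keypair, hex encoded as (public, private).
func GenerateKeypair() (string, string, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return "", "", err }
	return hex.EncodeToString(k.PublicKey().Bytes()), hex.EncodeToString(k.Bytes()), nil
}

// EmbedWrappedKey wraps the private key and stores it base64 encoded under kmsField.
func EmbedWrappedKey(doc []byte, w KeyWrapper, privHex string) ([]byte, error) {
	var m map[string]any
	if err := json.Unmarshal(doc, &m); err != nil { return nil, err }
	ct, err := w.Wrap([]byte(privHex))
	if err != nil { return nil, err }
	m[kmsField] = base64.StdEncoding.EncodeToString(ct)
	return json.MarshalIndent(m, "", "  ")
}

// RecoverPrivateKey unwraps the private key through KMS and only returns it if it derives the
// document's _public_key, so a swapped or corrupted blob is rejected before the key is used.
func RecoverPrivateKey(doc []byte, w KeyWrapper) (string, error) {
	var m map[string]any
	if err := json.Unmarshal(doc, &m); err != nil { return "", err }
	encB64, ok := m[kmsField].(string)
	if !ok {
		return "", fmt.Errorf("document has no %s", kmsField)
	}
	ct, err := base64.StdEncoding.DecodeString(encB64)
	if err != nil { return "", err }
	pt, err := w.Unwrap(ct)
	if err != nil {
		return "", fmt.Errorf("KMS unwrap failed: %w", err)
	}
	raw, err := hex.DecodeString(string(pt))
	if err != nil { return "", err }
	k, err := ecdh.X25519().NewPrivateKey(raw) // rejects anything that is not 32 bytes
	if err != nil { return "", err }
	if pubHex, _ := m["_public_key"].(string); hex.EncodeToString(k.PublicKey().Bytes()) != pubHex {
		return "", errors.New("unwrapped private key does not match _public_key")
	}
	return string(pt), nil
}

func main() {
	w := newLocalWrapper()
	pub, priv, _ := GenerateKeypair()
	doc, _ := EmbedWrappedKey([]byte(`{"_public_key":"`+pub+`","test":"EJ[...]"}`), w, priv)
	got, err := RecoverPrivateKey(doc, w)
	fmt.Println(string(doc), got == priv, err)
}
```

The public-key check is the part worth keeping in any real wrapper: KMS only proves that the caller may decrypt with that key id, not that the blob in the file belongs to this document, so the wrapper verifies the unwrapped key against `_public_key` before passing it on.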

noqcks commented 5 years ago

This exists @stevehodgkiss > https://github.com/adrienkohlbecker/ejson-kms

stevehodgkiss commented 5 years ago

Ah interesting, thanks, I hadn't seen that. We wrote a ruby wrapper around EJSON to provide this functionality - https://github.com/envato/ejson_wrapper