getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0
16.17k stars, 854 forks

AWS KMS asymmetric key support #684

Open james-callahan opened 4 years ago

james-callahan commented 4 years ago

I'd like to be able to allow anyone to encrypt secrets to me; but only allow decryption through sops/KMS. AWS support this with key_usage of ENCRYPT_DECRYPT. https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks

When I attempted to just use an RSA_4096 KMS key with sops I got:

Failed to call KMS encryption service: InvalidKeyUsageException: Algorithm SYMMETRIC_DEFAULT is incompatible with key spec RSA_4096.

reegnz commented 11 months ago

This feature is still desired.

I'd also add one more aspect to it, which is offline encryption (without API access to the KMS key): https://aws.amazon.com/blogs/security/how-to-use-aws-kms-rsa-keys-for-offline-encryption/
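The mechanism behind both the original request and the offline-encryption angle is the same: the data key is wrapped with the KMS key pair's public half using RSA-OAEP, so anyone holding only the public key can encrypt, and only a principal allowed to call kms:Decrypt on that key can unwrap. It also explains the error in the first comment: asymmetric RSA keys in KMS accept only the RSAES_OAEP_SHA_1 and RSAES_OAEP_SHA_256 algorithms, not SYMMETRIC_DEFAULT. The Go program below is an added illustration, not sops code and not from the AWS blog post; it stands in a locally generated RSA key for the KMS key (in real KMS the private half never leaves the HSM and is only reachable via the Decrypt API, while the public half is what kms:GetPublicKey returns), and the 32-byte data key is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// KMS's RSAES_OAEP_SHA_256 uses SHA-256 for both the hash and MGF1, with an
// empty OAEP label. Go's EncryptOAEP/DecryptOAEP use the same hash for MGF1,
// so passing a nil label matches that algorithm.
var oaepLabel []byte = nil

// generateStandInKey stands in for the KMS asymmetric key pair (assumption:
// real KMS keeps the private key inside the HSM; this is only a local model).
func generateStandInKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// exportPublicKeyPEM produces what kms:GetPublicKey hands out: the DER-encoded
// SubjectPublicKeyInfo, here wrapped in PEM so it can be given to the party
// that needs to encrypt without any AWS credentials.
func exportPublicKeyPEM(pub *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// parsePublicKeyPEM is the encrypting side loading the distributed public key.
func parsePublicKeyPEM(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("public key is not RSA")
	}
	return rsaPub, nil
}

// encryptDataKeyOffline wraps a data key with only the public key: no KMS API
// call, no IAM role. This is the step a non-privileged team could perform.
func encryptDataKeyOffline(pub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
}

// decryptDataKey stands in for kms:Decrypt with EncryptionAlgorithm set to
// RSAES_OAEP_SHA_256; only the holder of the private key (the KMS HSM) can do it.
func decryptDataKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// roundTrip generates a stand-in key, exports and re-parses its public half,
// wraps a constructed 32-byte data key offline, unwraps it with the private
// half, and reports whether the data key survived intact.
func roundTrip(bits int) (bool, error) {
	priv, err := generateStandInKey(bits)
	if err != nil {
		return false, err
	}
	pubPEM, err := exportPublicKeyPEM(&priv.PublicKey)
	if err != nil {
		return false, err
	}
	pub, err := parsePublicKeyPEM(pubPEM)
	if err != nil {
		return false, err
	}
	dataKey := make([]byte, 32) // constructed sample: a 256-bit AES data key
	if _, err := rand.Read(dataKey); err != nil {
		return false, err
	}
	wrapped, err := encryptDataKeyOffline(pub, dataKey)
	if err != nil {
		return false, err
	}
	unwrapped, err := decryptDataKey(priv, wrapped)
	if err != nil {
		return false, err
	}
	return bytes.Equal(dataKey, unwrapped), nil
}

func main() {
	ok, err := roundTrip(2048) // 2048 keeps the demo fast; KMS would use RSA_4096
	fmt.Println("data key round-tripped through offline wrap:", ok, "err:", err)
}
```

OAEP also gives the wrapped key integrity: any modification to the ciphertext makes the unwrap fail rather than yield a silently corrupted data key, which is the property a sops-style envelope relies on when the encrypted data key is stored beside the secrets.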

beachygreg commented 11 months ago

+1 on this feature. It would be very advantageous to not have to have AWS credentials and roles in order to encrypt.

seanorama commented 9 months ago

Commenting to keep this from going stale.

This would be a big win.

The need to have the key eliminates KMS as a choice in many scenarios, especially between departments where one team, without privileged access, needs to pass credentials to an operations team.

It also prevents the ability to work "offline" to encrypt secrets.