A collection of scripts to help interact with Google's Cloud Key Management Service, without too many layers of indirection.
kms-encrypt - Encrypt a plaintext string to a secret
kms-decrypt - Decrypt a secret to a plaintext string
Each script can be invoked with -h to see its usage.
kms-encrypt -r "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[keyring_name]/cryptoKeys/[key_name]"
kms-encrypt will ask for a plaintext string to encrypt and yield the encrypted result:
Please enter a plaintext string to encrypt
> test
CiQAUqQA4o9w4O3ovBCcj…
Alternatively, you can pass the plaintext string to encrypt into kms-encrypt:
kms-encrypt -r "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[keyring_name]/cryptoKeys/[key_name]" -p test
# "CiQAUqQA4o9w4O3ovBCcj…"
echo -n test | kms-encrypt -r "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[keyring_name]/cryptoKeys/[key_name]"
# "CiQAUqQA4o9w4O3ovBCcj…"
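The -p form puts the plaintext on the command line, where it can end up in shell history and is visible in the process list while the command runs; the stdin form keeps it out of kms-encrypt's arguments. The wrapper below is an added example, not part of these scripts: it rejects a malformed -r resource ID (including unfilled [PLACEHOLDER] segments) and sends a non-echoed prompt to kms-encrypt on stdin. The function names, the KMS_ENCRYPT variable and the accepted character set are assumptions of this example.

```shell
#!/bin/sh
# Added example; not part of the scripts described above.

# Succeeds only for a fully filled-in CryptoKey resource ID in the shape
# the README passes to -r. The allowed character set is an assumption.
valid_kms_key_id() {
    # Whitelist first: rejects spaces, newlines and [PLACEHOLDER] brackets.
    case $1 in ''|*[!A-Za-z0-9_.:/-]*) return 1 ;; esac
    seg='[^/]+'
    printf '%s\n' "$1" | grep -Eqx \
        "projects/$seg/locations/$seg/keyRings/$seg/cryptoKeys/$seg"
}

# Reads one line of plaintext (without echo when stdin is a terminal) and
# pipes it to kms-encrypt on stdin, with no trailing newline, like the
# README's `echo -n`. KMS_ENCRYPT is a hypothetical override for testing.
encrypt_from_prompt() {
    key=$1
    if ! valid_kms_key_id "$key"; then
        echo "refusing malformed key resource ID: $key" >&2
        return 2
    fi
    if [ -t 0 ]; then
        printf 'Plaintext (not echoed): ' >&2
        trap 'stty echo' INT TERM      # restore echo if interrupted
        stty -echo
        IFS= read -r plaintext || :
        stty echo
        trap - INT TERM
        echo >&2
    else
        IFS= read -r plaintext || :    # last line may lack a newline
    fi
    if [ -z "$plaintext" ]; then
        echo "empty plaintext, nothing to encrypt" >&2
        return 1
    fi
    printf '%s' "$plaintext" | "${KMS_ENCRYPT:-kms-encrypt}" -r "$key"
    rc=$?
    unset plaintext
    return "$rc"
}

# Usage: encrypt_from_prompt "projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>"
```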
kms-decrypt -r "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[keyring_name]/cryptoKeys/[key_name]"
kms-decrypt will ask for a secret to decrypt and yield the plaintext result:
Please enter a secret to decrypt
> CiQAUqQA4o9w4O3ovBCcj…
test
Alternatively, you can pass the secret to decrypt into kms-decrypt:
kms-decrypt -r "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[keyring_name]/cryptoKeys/[key_name]" -s "CiQAUqQA4o9w4O3ovBCcj…"
# test
echo -n "CiQAUqQA4o9w4O3ovBCcj…" | kms-decrypt -r "projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[keyring_name]/cryptoKeys/[key_name]"
# test
gcloud-kms-scripts is released under the MIT License. See the enclosed LICENSE file for details.
This code is inspired by the KMS encryption utilities for AWS by James Gregory.