code-dumps/aws/kms-create-import-key.sh
2020-09-10 15:35:38 +08:00

34 lines
1.4 KiB
Bash
Executable File

#!/bin/bash
if [ $# -lt 2 ]; then
echo "This tool requires openssl, awscli, jq and base64."
echo "One can generate a key using openssl rand -out PlaintextKeyMaterial.bin 32"
echo "Usage: key-import.sh key-file key-alias"
exit 0
fi
keyAlias=$2
aws kms create-key --origin EXTERNAL --description "Customer managed key" | jq -cr .KeyMetadata.KeyId > keyid.txt
aws kms get-parameters-for-import --key-id $(cat keyid.txt) \
--wrapping-algorithm RSAES_OAEP_SHA_256 \
--wrapping-key-spec RSA_2048 > import.json
cat import.json | jq -cr .PublicKey | base64 -d > PublicKey.bin
cat import.json | jq -cr .ImportToken | base64 -d > ImportToken.bin
openssl pkeyutl -encrypt -in $1 -inkey PublicKey.bin -keyform DER \
-pubin -out EncryptedKeyMaterial.bin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
aws kms import-key-material --key-id $(cat keyid.txt) \
--encrypted-key-material fileb://EncryptedKeyMaterial.bin \
--import-token fileb://ImportToken.bin \
--expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
aws kms create-alias --alias-name "alias/$keyAlias" --target-key-id $(cat keyid.txt)
aws kms describe-key --key-id $(cat keyid.txt)
rm -f EncryptedKeyMaterial.bin ImportToken.bin PublicKey.bin import.json keyid.txt