{"id":44675412,"url":"https://github.com/dwtechnologies/kmsdecryptenv","last_synced_at":"2026-02-15T03:05:16.849Z","repository":{"id":21680547,"uuid":"93618732","full_name":"dwtechnologies/kmsdecryptenv","owner":"dwtechnologies","description":"Decrypts all or specific ENVs using AWS KMS","archived":false,"fork":false,"pushed_at":"2022-05-10T14:15:24.000Z","size":17,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2026-02-14T05:01:44.887Z","etag":null,"topics":["aws","decryption","golang","kms"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dwtechnologies.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-06-07T09:42:48.000Z","updated_at":"2022-05-10T14:13:57.000Z","dependencies_parsed_at":"2022-08-08T20:30:14.208Z","dependency_job_id":null,"html_url":"https://github.com/dwtechnologies/kmsdecryptenv","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/dwtechnologies/kmsdecryptenv","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dwtechnologies%2Fkmsdecryptenv","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dwtechnologies%2Fkmsdecryptenv/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dwtechnologies%2Fkmsdecryptenv/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dwtechnologies%2Fkmsdecryptenv/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dwtechnologies","download_url":"https://codeload.github.com/dwtechnologies/kmsdecryptenv/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dwtechnologies%2Fkmsdecryptenv/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29466925,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-15T01:01:38.065Z","status":"online","status_checked_at":"2026-02-15T02:00:07.449Z","response_time":118,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","decryption","golang","kms"],"created_at":"2026-02-15T03:05:16.749Z","updated_at":"2026-02-15T03:05:16.845Z","avatar_url":"https://github.com/dwtechnologies.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kmsdecryptenv\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/dwtechnologies/kmsdecryptenv)](https://goreportcard.com/report/github.com/dwtechnologies/kmsdecryptenv)\n\nThis program will decrypt ENV variables encrypted with AWS automatically.\n\nIt has two modes `auto` and `marker`.\n\nIt will decrypt all the envs at once - to maximize performance.\n\n## Auto mode\n\nWith auto mode it will try and figure out if your ENV is base64 encoded or not. But since normal vars can look to be encoded we have to assume\nthat if the decryption fails that it was becasue the string is not an KMS encrypted string. So please mind that this mode can be a bit more risky\nsince KMS errors will be treated as \"This string is not KMS encrypted\".\n\n## Marker mode\n\nWith marker mode we will decrypt all variables that are called anything with a specified marker.\nThe default marker is `\"KMS_DECRYPT\"`, but this can be changed by setting the `\"KMS_MARKER\"` ENV variable.\n\nIt will then decrypt the value of the ENV and set it to a new ENV variable with the same name but with the marker removed.\n\nSo for example `TEST_KMS_DECRYPT` would become `TEST`. `VAR_KMS_DECRYPT_1` would become `VAR1` and so forth.\n\n## Authing against AWS\n\nThe program will auth against AWS in the following manner\n\n- Using AWS standard ENV variables for auth.\n- Using AWS standard credentials file.\n- Using the servers EC2 Role (recommended way).\n\n## Possible configuration\n\nThe program uses the following ENV vars for configuration\n\n    KMS_AWS_REGION = Region to use for the KMS service\n    KMS_MARKER = Marker to use for finding vars to decrypt\n    KMS_AUTO = Set to true if auto mode should be enabled (KMS_MARKER is ignored if this is set to true)\n    KMS_OUTPUT = Define the output. Supports the following vars:\n        {KEY} = The key\n        {VAL} = Unencrypted Value\n        {LF} = UNIX newline (LF)\n        {CRLF} = Windows newline (CRLF)\n        {TAB} = Tab\n\n        So to mimic the default output you would set KMS_OUTPUT to \"{KEY}={VAL}{LF}\".\n\n## Install\n\nEither download any of the binaries provided in the list below or build yourself.\nThe binaries are self contained and have no dependencies.\n\nThere is also deb packages for debian/ubuntu.\n\n### Debian deb pkgs\n\n[Debian/Ubuntu amd64](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/kmsdecryptenv_1.0.0-1-amd64.deb)  \n[Debian/Ubuntu 386](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/kmsdecryptenv_1.0.0-1-386.deb)  \n[Debian/Ubuntu arm](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/kmsdecryptenv_1.0.0-1-arm.deb)  \n[Debian/Ubuntu arm64](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/kmsdecryptenv_1.0.0-1-arm64.deb)\n\n### Linux binaries\n\n[Linux amd64](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/linux_amd64.tar.gz)  \n[Linux 386](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/linux_386.tar.gz)  \n[Linux arm](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/linux_arm.tar.gz)  \n[Linux arm64](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/linux_arm64.tar.gz)\n\n### Mac binaries\n\n[Mac OS X amd64](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/darwin_amd64.tar.gz)\n\n### Windows binaries\n\n[Windows amd64](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/windows_amd64.zip)  \n[Windows 386](https://github.com/dwtechnologies/kmsdecryptenv/releases/download/1.0.0/windows_386.zip)\n\n\nYou will find the whole first release here:\n[github.com/dwtechnologies/kmsdecryptenv/releases/tag/1.0.0](https://github.com/dwtechnologies/kmsdecryptenv/releases/tag/1.0.0)\n\n## Bulding\n\nPlease clone this to $GOPATH/src/github.com/dwtechnologies folder. Either using `git` or by using `go get -u github.com/dwtechnologies/kmsdecryptenv`.\n\nIf you don't have a go env installed, please visit golang.org for info on how to set it up or just grab one of the binary files above.\n\n```bash\ncd $GOPATH/src/github.com/dwtechnologies.com/kmsdecryptenv\ngo get\ngo build\n```\n\nYou can also use the supplied Makefile for building and cross-compiling. You will need to have run `go get` beforehand, becasue the Makefile will not do this step.\nPlease note that docker is required for the Makefile to work propperly, it will use ubuntu:16.04 image to build the deb packages.\n\n## Usage\n\nPlease see example.sh for a linux/unix working example.\n\nNote that the program doesn't actually set any vars but will output it as `KEY=VALUE` pairs seperated with `\\n` (newline).\n\nSo using bash you could easily set your ENV by running `export $(./kmsdecryptenv)`\n\n## Performance\n\nThe program has an very small memory and CPU footprint. For example running the program outside AWS (from our Stockholm office to eu-west-1) and trying to decode 30 KMS encrypted strings generates the following\n\n```bash\ntime ./example.sh\n        0.44 real         0.16 user         0.03 sys\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdwtechnologies%2Fkmsdecryptenv","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdwtechnologies%2Fkmsdecryptenv","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdwtechnologies%2Fkmsdecryptenv/lists"}