{"id":31897920,"url":"https://github.com/jcmturner/awskmsluks","last_synced_at":"2025-10-13T11:49:27.531Z","repository":{"id":62867765,"uuid":"118257871","full_name":"jcmturner/awskmsluks","owner":"jcmturner","description":"Linux disk encryption through the integration of LUKS with AWS KMS","archived":false,"fork":false,"pushed_at":"2018-01-27T12:46:34.000Z","size":19,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-06-20T06:24:10.372Z","etag":null,"topics":["aws","aws-kms","disk-encryption","encryption","luks"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jcmturner.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-01-20T16:02:52.000Z","updated_at":"2024-06-20T06:24:10.373Z","dependencies_parsed_at":"2022-11-08T07:15:49.397Z","dependency_job_id":null,"html_url":"https://github.com/jcmturner/awskmsluks","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jcmturner/awskmsluks","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcmturner%2Fawskmsluks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcmturner%2Fawskmsluks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcmturner%2Fawskmsluks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcmturner%2Fawskmsluks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jcmturner","download_url":"https://codeload.github.com/jcmturne
r/awskmsluks/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcmturner%2Fawskmsluks/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279014818,"owners_count":26085595,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-kms","disk-encryption","encryption","luks"],"created_at":"2025-10-13T11:49:15.894Z","updated_at":"2025-10-13T11:49:27.523Z","avatar_url":"https://github.com/jcmturner.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS KMS LUKS\n\nUse AWS KMS to encrypt Linux block devices with LUKS.\n\nEncryption keys are not stored anywhere in an unencrypted form.\n\n## Setup\n### AWS\nIn the same AWS region create:\n* S3 bucket - this is the backup archive of encrypted keys.\n* KMS CMK - this is the CMK that data keys will be created off and encrypted by.\n* IAM user - this will be used by the tool to access the AWS APIs.\n\n#### AWS IAM Permissions\nApply the policy found in iam/policy.json to the IAM user. 
The values of the CMK ARN and bucket name need to be replaced in the policy document.\n\nCreate an AWS key pair for this user.\n\n### Host\n\n#### Prerequisites\nThe ``cryptsetup`` package must be installed.\n\n#### AWS Credentials\nOn the host that will have the encrypted volume, configure the AWS credentials under the root user.\nThis is described at (https://docs.aws.amazon.com/cli/latest/userguide/cli-config-files.html).\nThe default region also needs to be set to the region in which the backup archive bucket and KMS CMK have been created.\n\n#### awskmsluks\nCreate the directory: ``mkdir -p /etc/awskmsluks/bin``\n\nBuild and copy the ``awskmsluks`` binary to this directory.\n\n#### awskmsluks Configuration\nCopy the ``config.json`` file to ``/etc/awskmsluks/config.json`` and set the following values:\n\n* CMKARN: This is the full ARN of the CMK you want to create data keys from for encrypting devices on this host.\n* Production: This is a boolean to indicate if this host is considered a production host.\n* KeyArchiveBucket: This is the bucket name (not the full ARN) of the bucket to use for keeping an off-host backup archive of encrypted data keys.\n\n#### Systemd Unit Files\nCopy the ``systemd/awskmsluks.service`` file to ``/etc/systemd/system``\n\nEnable this with ``systemctl enable awskmsluks.service``\n\n## Creating an Encrypted Volume\nEncrypt the block device with LUKS using an AWS KMS data key:\n\n```/etc/awskmsluks/bin/awskmsluks -encrypt=/dev/sdb```\n\nOpen the device:\n\n```/etc/awskmsluks/bin/awskmsluks -open```\n\nFormat the device with the filesystem of your choice.\nThe open device will be in ``/dev/mapper`` with the name of the device appended with ``_crypt``.\nFor example:\n\n```mkfs.ext4 /dev/mapper/sdb_crypt```\n\nCreate a systemd mount. 
Set the values in the ``[Mount]`` section of the example below as required.\nIt is important to have the ``After=awskmsluks.service`` configuration\n\n```\n[Unit]\nAfter=awskmsluks.service\n\n[Mount]\nWhat=/dev/mapper/sdb_crypt\nWhere=/mnt/data\nType=ext4\nOptions=defaults\n\n[Install]\nWantedBy=multi-user.target\n```\n\n## Building\n```\ngo build -ldflags \"-X main.version=v1.0.0 -X main.buildtime=`date -u '+%FT%TZ'` -X main.buildhash=`git rev-parse HEAD`\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjcmturner%2Fawskmsluks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjcmturner%2Fawskmsluks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjcmturner%2Fawskmsluks/lists"}