https://github.com/devries/envcrypt
Envelope encryption pipe commands using Cloud KMS
- Host: GitHub
- URL: https://github.com/devries/envcrypt
- Owner: devries
- License: mit
- Created: 2019-05-09T15:45:27.000Z (about 7 years ago)
- Default Branch: main
- Last Pushed: 2025-04-23T13:02:10.000Z (about 1 year ago)
- Last Synced: 2025-10-18T23:33:13.965Z (8 months ago)
- Language: Go
- Size: 320 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# envcrypt
Envelope encryption pipe commands using Cloud KMS
## Introduction
This package provides the two commands described below:

- `pgencrypt`: An envelope encryption pipe which creates a random AES-256 encryption key,
  encrypts that key using Google Cloud KMS, and then encrypts the input message with that
  key using a GCM cipher with a random 12-byte nonce. The output is in JSON format and
  contains the Cloud KMS encrypted key and the encrypted input.
- `pgdecrypt`: This command reverses the operation, using Cloud KMS to decrypt the AES-256 key
  and then decrypting the corresponding message.

By default each command reads from STDIN and writes to STDOUT, but the `-i` and `-o` flags
can be used to read from and write to files instead.
You must set the environment variable `KMS_KEYSPEC` to the Cloud KMS keyspec
in the form
`projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}`.
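
The envelope scheme from the introduction, as an added Go example that is not envcrypt's own code: a fresh AES-256 data key seals the message with AES-GCM under a random 12-byte nonce, and the data key is wrapped separately. Assumptions: a local key `kek` stands in for the Cloud KMS key so the example runs offline, and the `Envelope` field names and the nonce-prefixed layout are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Envelope is a hypothetical layout, not envcrypt's: fields are nonce || ciphertext+tag.
type Envelope struct{ Key, Message []byte }

// Key is an AES-256 key; its fixed size means the cipher setup in gcm cannot fail.
type Key [32]byte

func (k Key) gcm() cipher.AEAD {
	block, _ := aes.NewCipher(k[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Encrypt seals msg under a fresh data key and wraps that key under kek, a local
// stand-in (assumption) for the Cloud KMS key so that the example runs offline.
func Encrypt(kek Key, msg []byte) ([]byte, error) {
	r := make([]byte, 32+12+12) // data key, then one random 12-byte nonce per layer
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	var dek Key
	copy(dek[:], r)
	kn, mn := r[32:44:44], r[44:] // kn's capacity is capped so Seal cannot append over mn
	return json.Marshal(Envelope{kek.gcm().Seal(kn, kn, dek[:], nil), dek.gcm().Seal(mn, mn, msg, nil)})
}

// Decrypt unwraps the data key with kek, then authenticates and opens the message.
func Decrypt(kek Key, blob []byte) ([]byte, error) {
	var dek Key
	var e Envelope
	if json.Unmarshal(blob, &e) != nil || len(e.Key) != 12+32+16 || len(e.Message) < 12+16 {
		return nil, errors.New("malformed envelope")
	}
	raw, err := kek.gcm().Open(nil, e.Key[:12], e.Key[12:], nil)
	if err != nil {
		return nil, err
	}
	copy(dek[:], raw)
	return dek.gcm().Open(nil, e.Message[:12], e.Message[12:], nil)
}
```

Because GCM authenticates both layers, `Decrypt` returns an error rather than altered plaintext when the wrapped key or the message has been modified, or when the wrong key-encryption key is used.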