Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mdub/ssssh

It's a secret.
https://github.com/mdub/ssssh

Last synced: 3 months ago
JSON representation

It's a secret.

Host: GitHub
URL: https://github.com/mdub/ssssh
Owner: mdub
License: mit
Created: 2015-02-24T01:27:18.000Z (over 9 years ago)
Default Branch: master
Last Pushed: 2016-10-25T23:38:09.000Z (about 8 years ago)
Last Synced: 2024-07-23T02:47:20.603Z (4 months ago)
Language: Ruby
Size: 23.4 KB
Stars: 13
Watchers: 3
Forks: 2
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt

Awesome Lists containing this project

README

# Ssssh!

"ssssh" is a small tool that can be used to encrypt and decrypt secrets, using the AWS "Key Management Service" (KMS).

## Usage

Encrypt secrets like this:

ssssh encrypt KEY-ID < secrets.txt > secrets.encrypted

Later, you can decrypt them:

ssssh decrypt < secrets.encrypted > secrets.txt

KEY-ID can be the id or ARN of a KMS master key, or alias prefixed by "alias/". See document on [Encrypt](http://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) for more details.

Naturally, suitable AWS credentials must be provided (via environment variables, command-line options, or EC2 instance profile).

## Limitations

"ssssh" can only encrypt small amounts of data; up to 4 KB.

## Use as a command shim

"ssssh exec" is a command shim that makes it easy to use secrets transported
via the (Unix) process environment. It decrypts any environment variables
prefixed by "`KMS_ENCRYPTED_`", and executes a specified command.

For example:

```
$ export KMS_ENCRYPTED_DB_PASSWORD=$(ssssh encrypt alias/app-secrets 'seasame')
$ ssssh exec -- env | grep PASSWORD
KMS_ENCRYPTED_DB_PASSWORD=CiAbQLOo2VC4QTV/Ng986wsDSJ0srAe6oZnLyzRT6pDFWRKOAQEBAgB4G0CzqNlQuEE1fzYPfOsLA0idLKwHuqGZy8s0U+qQxVkAAABlMGMGCSqGSIb3DQEHBqBWMFQCAQAwTwYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzfFR0tsHRq18JUhMcCARCAImvuMNYuHUut3BT7sZs9a31qWcmOBUBXYEsD+kx2GxUxBPE=
DB_PASSWORD=seasame
```

In this example, "ssssh exec":

- found `$KMS_ENCRYPTED_DB_PASSWORD` in the environment
- decrypted the contents
- put the result in `$DB_PASSWORD`
- executed `env`

"ssssh exec" works well as an entrypoint for Docker images, e.g.

# Include "ssssh" to decode KMS_ENCRYPTED_STUFF
RUN gem install ssssh
ENTRYPOINT ["ssssh", "exec", "--"]

## See also

If you'd rather install a Python interpreter than a Ruby one, secrets may also be decrypted using the AWS CLI.

base64 -d < secrets.encrypted > /tmp/secrets.bin
aws kms decrypt --ciphertext-blob fileb:///tmp/secrets.bin --output text --query Plaintext | base64 -d > secrets.txt

If you'd rather not install an interpreter at all, there's a Go-lang port of "ssssh":

* https://github.com/realestate-com-au/shush

## Changes

### 1.3.0 (2016-10-26)

* Add `ssssh exec` subcommand.
* Add support for `$KMS_ENCRYPTION_CONTEXT`.

### 1.2.0 (2015-04-27)

* Add support for encryption contexts (`--context` option).