hydan 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b9a7ad17b289c67ab39aa32e25df5571fa67fc18
+  data.tar.gz: 7521911f20b2c469fca0684cca905bc49bd55012
+SHA512:
+  metadata.gz: 183654b57e053c76526841781086fbb3bf77ba85a2ce8c0afc264aafeff51de1a1e2312f21a013b56b2adf641f0f516ec6ca5ebc5b25f5138435a6455768eaeb
+  data.tar.gz: 7233ecf3068a7d1ae6ecd584000a83c6b361c1e154bb5e1d9d1c00b0fe55200e3b1a0043172b67472ea45d49ca3db1d3b8c0e0709099338c6816596d69a24fde

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.swp
+.DS_Store
+*.env

data/.pre-commit-config.yaml

@@ -0,0 +1,6 @@
+-   repo: git://github.com/pre-commit/pre-commit-hooks
+    sha: ff65d01841ad012d0a9aa1dc451fc4539d8b7baf
+    hooks:
+    -   id: check-yaml
+    -   id: detect-aws-credentials
+    -   id: trailing-whitespace

data/Dockerfile.tpl

@@ -0,0 +1,10 @@
+FROM ruby:#VERSION#
+MAINTAINER "rxacevedo@fastmail.com"
+
+COPY . /usr/src/app
+WORKDIR /usr/src/app
+
+RUN bundle install
+RUN rake install
+
+ENTRYPOINT ["hydan"]

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in hydan.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,48 @@
+PATH
+  remote: .
+  specs:
+    hydan (0.1.1)
+      aws-sdk (~> 2)
+      gibberish
+      thor
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    aws-sdk (2.2.30)
+      aws-sdk-resources (= 2.2.30)
+    aws-sdk-core (2.2.30)
+      jmespath (~> 1.0)
+    aws-sdk-resources (2.2.30)
+      aws-sdk-core (= 2.2.30)
+    coderay (1.1.1)
+    gibberish (2.0.0)
+    jmespath (1.1.3)
+    method_source (0.8.2)
+    minitest (5.8.4)
+    pry (0.10.3)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
+    pry-doc (0.8.0)
+      pry (~> 0.9)
+      yard (~> 0.8)
+    rake (10.5.0)
+    slop (3.6.0)
+    thor (0.19.1)
+    yard (0.8.7.6)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.11)
+  hydan!
+  minitest (~> 5.0)
+  pry (~> 0.10)
+  pry-doc (>= 0.6.0)
+  rake (~> 10.0)
+  yard
+
+BUNDLED WITH
+   1.11.2

data/README.md

@@ -0,0 +1,145 @@
+# Hydan
+
+Hydan is a command-line utility for encrypting and decrypting text and/or files. In addition to local crypto operations, Hydan can also defer to Amazon KMS for symmetric master keys. S3 uploads/downloads are also supported, and can leverage KMS for encryption/decryption.
+
+## TODO:
+
+- [ ] Support multi-part uploads for S3
+- [ ] Support SSE for S3 uploads
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'hydan'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install hydan
+
+## Disclaimer
+
+Hydan is open-source software - **USE AT YOUR OWN RISK!** The authors and all affiliates assume no responsibility for issues encountered with the use of of this software.
+
+## Usage
+
+### Local text encryption
+
+Local text encryption returns a JSON object containing the cihpertext and randomly-generated data key. Plaintext can be piped into STDIN or passed on the CLI via the `--text` flag.
+
+```
+# We'll grab 256 random bits for the master key
+KEY=$(head -c 32 /dev/urandom | base64)
+echo 'A secret on STDIN' | hydan encrypt --master-key $KEY
+{
+  "ciphertext": {
+    "v": 1,
+    "adata": "",
+    "ks": 256,
+    "ct": "8VmGeR6+rtznK6Lu8vmr99PFmbxfu6FcyzWyiU17",
+    "ts": 96,
+    "mode": "gcm",
+    "cipher": "aes",
+    "iter": 100000,
+    "iv": "8Pj1RuenaRqV5BRc",
+    "salt": "mXfzMTw89lE="
+  },
+  "data_key": "eyJ2IjoxLCJhZGF0YSI6IiIsImtzIjoyNTYsImN0IjoiVlVDclRLUTV2WVpBMGFuTW9NTUQzWS9OQ0NYUkF0SWFpc3JYcFI1THVraHptUE1WeTVqRzBsbFJsM1k9IiwidHMiOjk2LCJtb2RlIjoiZ2NtIiwiY2lwaGVyIjoiYWVzIiwiaXRlciI6MTAwMDAwLCJpdiI6ImRUeTBPVUt2a3plaThkdnEiLCJzYWx0Ijoib1BQTXF2U1ZCN2c9In0="
+}
+```
+
+### Local decryption
+```
+KEY=$(head -c 32 /dev/urandom | base64)
+echo 'The Krabby Patty secret recipe IS...' | hydan encrypt --master-key $KEY | hydan decrypt --master-key $KEY
+The Krabby Patty secret recipe IS...
+
+hydan encrypt --master-key $KEY --text 'This also works' | hydan decrypt --master-key $KEY
+This also works
+```
+
+#### Env files
+A common use case (actually, the reason that this utility was even written) for setting up credentials is through environment variables. To accomodate this, `hydan` supports `--env-formatted` text input. When this flag is passed in, K/V pairs are parsed from each line, and the value (V) is encrypted. This allows for a file to be partially encrypted in a way that hides sensitive information, while still allowing an administrator or operator to understand what the file is for.
+
+```
+KEY=$(head -c 32 /dev/urandom | base64)
+cat test.env
+FOO=bar
+BAR=baz
+BAZ=bat
+A=B
+ENV=ENV
+K=V
+
+hydan encrypt --env-formatted --master-key $KEY < test.env
+FOO={"ciphertext":{"v":1,"adata":"","ks":256,"ct":"fnu8Ulyr5JLQArNp5rLz","ts":96,"mode":"gcm","cipher":"aes","iter":100000,"iv":"MOZzAZ/9qtHMCr/t","salt":"37WkVaQQxDA="},"data_key":"eyJ2IjoxLCJhZGF0YSI6IiIsImtzIjoyNTYsImN0IjoiMjFjZ21kM21PbUxBL20xdUt1bDJHNXV5VUhkaXFLQlZhSGlCQ2NzVnczbG5mUnY0Y05SSHRRMFFWVUE9IiwidHMiOjk2LCJtb2RlIjoiZ2NtIiwiY2lwaGVyIjoiYWVzIiwiaXRlciI6MTAwMDAwLCJpdiI6IkNRSkNJanlKVW9pR0kzbHQiLCJzYWx0IjoibS94a2trSm85Nzg9In0="}
+BAR={"ciphertext":{"v":1,"adata":"","ks":256,"ct":"F9oTm34xCj5Ke68hB+rL","ts":96,"mode":"gcm","cipher":"aes","iter":100000,"iv":"uXP2BC9wyCyJiFy6","salt":"DLDWXIxsbv8="},"data_key":"eyJ2IjoxLCJhZGF0YSI6IiIsImtzIjoyNTYsImN0IjoiYWRRdC9reFQzS2FwSG9FWFlzclJ6bmhqdlcxYVVGdWtQd0xRZXJZTUdTMDF0WFY1RSsyRkRBZndndDA9IiwidHMiOjk2LCJtb2RlIjoiZ2NtIiwiY2lwaGVyIjoiYWVzIiwiaXRlciI6MTAwMDAwLCJpdiI6Ii9SbnFWWkZTR0EwQkw0UEEiLCJzYWx0IjoiSHYxeEd0eTZLcTQ9In0="}
+BAZ={"ciphertext":{"v":1,"adata":"","ks":256,"ct":"VZ3qtRrRYVRIhJ3qIyku","ts":96,"mode":"gcm","cipher":"aes","iter":100000,"iv":"Ib19BVMCP3VqoeQ+","salt":"9DRsMkbtRvo="},"data_key":"eyJ2IjoxLCJhZGF0YSI6IiIsImtzIjoyNTYsImN0IjoieDcrdklNazBCYThnbWlMMGZ3WHE0TGpMVkNUYVBjaFhZWDFSUUkrL2oraGlBR2V0b3BxS0w2ZG5CbUU9IiwidHMiOjk2LCJtb2RlIjoiZ2NtIiwiY2lwaGVyIjoiYWVzIiwiaXRlciI6MTAwMDAwLCJpdiI6IkgzTXlEcXB4SXUrMGNoVTgiLCJzYWx0IjoiN0RSYzZmWkZWcFE9In0="}
+A={"ciphertext":{"v":1,"adata":"","ks":256,"ct":"6Hqk69PLuImnpTWSjw==","ts":96,"mode":"gcm","cipher":"aes","iter":100000,"iv":"oy5lea/k99nsZz8/","salt":"yYrMK6MbXfQ="},"data_key":"eyJ2IjoxLCJhZGF0YSI6IiIsImtzIjoyNTYsImN0IjoiN3gySUZIZmk2NjB6VnpqWDd4MjJqTUlHeXdZclRuY3E1cGdOcHU1RTB2R2I3MWMvbVp3ZjR0cUxtSk09IiwidHMiOjk2LCJtb2RlIjoiZ2NtIiwiY2lwaGVyIjoiYWVzIiwiaXRlciI6MTAwMDAwLCJpdiI6IkJ1a1lBRGJhaHVvcDJuM2YiLCJzYWx0IjoiKzhVOWhiaUtCRmc9In0="}
+ENV={"ciphertext":{"v":1,"adata":"","ks":256,"ct":"FQfnNaMl936fhZo3Ykrx","ts":96,"mode":"gcm","cipher":"aes","iter":100000,"iv":"12QqZqCxkvMbagzo","salt":"A3YypAcXUIQ="},"data_key":"eyJ2IjoxLCJhZGF0YSI6IiIsImtzIjoyNTYsImN0IjoiL2xpM0NnaG5BUmJCM3NmMlA5aTNLRXd3eFBITk9HQVFTdFBzVHFWUXRIZGRBRHNOL0wzV1Jrc3dIbGM9IiwidHMiOjk2LCJtb2RlIjoiZ2NtIiwiY2lwaGVyIjoiYWVzIiwiaXRlciI6MTAwMDAwLCJpdiI6ImFEK1dIZEwwWnlzbmJ5d0QiLCJzYWx0IjoiZ3hlL3dYVU9GRmM9In0="}
+K={"ciphertext":{"v":1,"adata":"","ks":256,"ct":"wpSRhDud1zqxhlvqdQ==","ts":96,"mode":"gcm","cipher":"aes","iter":100000,"iv":"9WnyuuOx2q6J/KCR","salt":"kZNxqsQE8o0="},"data_key":"eyJ2IjoxLCJhZGF0YSI6IiIsImtzIjoyNTYsImN0IjoiWHpsSWEzZEVoeWNHQ0lDQTJvU2xZem93SFZUeU1CVGUyb1dwNkVZcm9JamR4azg4SnVXci9USlIxaUE9IiwidHMiOjk2LCJtb2RlIjoiZ2NtIiwiY2lwaGVyIjoiYWVzIiwiaXRlciI6MTAwMDAwLCJpdiI6IkUxdGNNT0E0YkpBSzlEdGMiLCJzYWx0IjoibzRZcjQ5U3NhVU09In0="}
+
+# --env-formatted plays nicely with pipes too
+hydan encrypt --env-formatted --master-key $KEY < test.env | hydan decrypt --env-formatted --master-key $KEY
+FOO=bar
+BAR=baz
+BAZ=bat
+A=B
+ENV=ENV
+K=V
+
+# This can easily be used to construct export statements to be evaluated via eval
+hydan encrypt --env-formatted --master-key $KEY < test.env | hydan decrypt --env-formatted --master-key $KEY | awk '{ print "export " $1 }'
+export FOO=bar
+export BAR=baz
+export BAZ=bat
+export A=B
+export ENV=ENV
+export K=V
+```
+
+#### Large files
+When files are too large to read into memory, use the `--in` and `--out` flags. This will prompt `hydan` to use logic that reads and encrypts the file line-by-line, as opposed to "slurping" the file beforehand. This also implies that it's not worth Base64 encoding the encrypted output, since it will also be large. Because of this, encryption that uses the `--in` flag saves it's output in binary instead of Base64.
+
+```
+# Make a huge file
+mkfile -n 10g ~/Desktop/LargeTestFile
+
+hydan encrypt --in ~/Desktop/LargeTestFile --out ~/Desktop/LargeTestFile.bin --master-key $KEY
+Data key (Base64): U2FsdGVkX18NG/y8sEFGyop79njj0R9omH+/UZ3Ijy1c8nYACE2UQt1NMvSL2Rh9GH4p+TSEZxSMqqWqzg7/Kw==
+
+# We use the encrypted data key generated by the program in order to decrypt the file
+# If `--key-out` is specified, the key will be saved to the supplied path instead of
+# being printed to STDOUT.
+hydan decrypt --in ~/Desktop/LargeTestFile.bin --out ~/Desktop/LargeTestFile.decrypted --master-key $KEY --data-key U2FsdGVkX18NG/y8sEFGyop79njj0R9omH+/UZ3Ijy1c8nYACE2UQt1NMvSL2Rh9GH4p+TSEZxSMqqWqzg7/Kw==
+
+# Original
+shasum -a 256 ~/Desktop/LargeTestFile
+732377e7f4a2abdc13ddfa1eb4c9c497fd2a2b294674d056cf51581b47dd586d  /Users/roberto/Desktop/LargeTestFile
+
+# Decrypted
+shasum -a 256 ~/Desktop/LargeTestFile.decrypted
+732377e7f4a2abdc13ddfa1eb4c9c497fd2a2b294674d056cf51581b47dd586d  /Users/roberto/Desktop/LargeTestFile.decrypted
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/hydan.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,16 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+Rake::TestTask.new(:ci_test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/*ci_test.rb']
+end
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "hydan"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/hydan

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require "hydan"
+
+Hydan::CLI.start(ARGV)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/circle.yml

@@ -0,0 +1,29 @@
+machine:
+  environment:
+    TARGETS: '2.1 2.2 2.3'
+  services:
+    - docker
+
+dependencies:
+  override:
+    - gem install rubocop
+    - | # Build required images
+      for v in ${TARGETS[*]}; do
+        echo "Building version $v..."
+        sed "s/#VERSION#/$v/g" Dockerfile.tpl > Dockerfile
+        docker build -t $REGISTRY_URL/seibelsbi/docker-hydan:$v .
+      done
+
+test:
+  override:
+    - docker run -it --entrypoint bash $REGISTRY_URL/seibelsbi/docker-hydan:2.1 -c 'rake ci_test'
+    - docker run -it --entrypoint bash $REGISTRY_URL/seibelsbi/docker-hydan:2.2 -c 'rake ci_test'
+    - docker run -it --entrypoint bash $REGISTRY_URL/seibelsbi/docker-hydan:2.3 -c 'rake ci_test'
+
+deployment:
+  master:
+    branch: master
+    commands:
+      - docker login -e=$REGISTRY_EMAIL -u=$REGISTRY_USER -p=$REGISTRY_PASSWORD $REGISTRY_URL
+      - docker tag $REGISTRY_URL/seibelsbi/docker-hydan:2.3 $REGISTRY_URL/seibelsbi/docker-hydan:latest
+      - docker push $REGISTRY_URL/seibelsbi/docker-hydan:latest

data/hydan.gemspec

@@ -0,0 +1,40 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'hydan/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "hydan"
+  spec.version       = Hydan::VERSION
+  spec.authors       = ["Roberto Acevedo"]
+  spec.email         = ["rxacevedo@fastmail.com"]
+
+  spec.summary       = %q{A Ruby gem for KMS and local envelope encryption.}
+  spec.description   = %q{Hide your secrets.}
+  spec.homepage      = "https://github.com/seibelsbi/hydan"
+  spec.license       = "MIT"
+
+  # Prevent pushing this gem to RubyGems.org by setting 'allowed_push_host', or
+  # delete this section to allow pushing this gem to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata['allowed_push_host'] = "https://rubygems.org"
+  else
+    raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
+  end
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "bin"
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.11"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "minitest", "~> 5.0"
+  spec.add_development_dependency "pry", "~> 0.10"
+  spec.add_development_dependency "pry-doc", ">= 0.6.0"
+  spec.add_development_dependency "yard"
+
+  spec.add_dependency "thor"
+  spec.add_dependency "aws-sdk", "~> 2"
+  spec.add_dependency "gibberish"
+end

data/lib/hydan/cli.rb

@@ -0,0 +1,130 @@
+module Hydan
+  class CLIBase < Thor
+    def self.shared_options
+      method_option(
+        :master_key,
+        :type => :string,
+        :desc => 'The symmetric master key used to encrypt the exported data key',
+        :required => true
+      )
+    end
+    def self.shared_text_options
+      method_option(
+        :env_formatted,
+        :type => :boolean,
+        :desc => 'Indicates that the input is .env formatted (K=V). Results in K=encrypt(V) output.'
+      )
+      method_option(
+        :text,
+        :type => :array,
+        :desc => 'The plaintext to be encrypted'
+      )
+    end
+    def self.shared_file_options
+      method_option(
+        :in,
+        :type => :string,
+        :desc => 'The file being encrypted'
+      )
+      method_option(
+        :out,
+        :type => :string,
+        :desc => 'Where the encrypted content should be written'
+      )
+    end
+  end
+
+  class CLI < CLIBase
+
+    include Hydan::IO
+    LOGGER       = Logger.new(STDOUT)
+    LOGGER.level = Logger::INFO
+
+    desc 'encrypt', 'Encrypt a string or file'
+    shared_options
+    shared_text_options
+    # This is only here to support branching over to encrypt-file
+    method_option(
+      :in,
+      :type => :string,
+      :desc => 'The file being encrypted'
+    )
+    def encrypt(*args)
+      if options[:in]
+        invoke :encrypt_file
+      else
+        master_key = Base64.strict_decode64(options[:master_key])
+        client = Hydan::Crypto::EncryptionHelper.new(master_key)
+        data = handle_input(options)
+        json = client.encrypt(data) unless options[:env_formatted]
+        json = client.encrypt_env_formatted(data) if options[:env_formatted]
+        handle_output(json)
+      end
+    end
+
+    desc 'encrypt-file', 'Encrypt a file'
+    shared_options
+    shared_file_options
+    # Only used for file encryption
+    method_option(
+      :key_out,
+      :type => :string,
+      :desc => 'Where the encrypted data key should be written'
+    )
+    def encrypt_file(*args)
+      master_key = Base64.strict_decode64(options[:master_key])
+      client = Hydan::Crypto::EncryptionHelper.new(master_key)
+      encrypted_data_key_blob = client.encrypt_file(
+        options[:in],
+        options[:out]
+      )
+      handle_key_output(encrypted_data_key_blob, options[:key_out])
+    end
+
+    desc 'decrypt', 'Decrypt a string or file'
+    shared_options
+    shared_text_options
+    # This is only here to support branching over to encrypt-file
+    method_option(
+      :in,
+      :type => :string,
+      :desc => 'The file being encrypted'
+    )
+    def decrypt(*args)
+      if options[:in]
+        invoke :decrypt_file
+      else
+        key = Base64.strict_decode64(options[:master_key])
+        client = Hydan::Crypto::DecryptionHelper.new(key)
+        data = handle_input(options)
+        plaintext = client.decrypt(data) unless options[:env_formatted]
+        plaintext = client.decrypt_env_file(data) if options[:env_formatted]
+        handle_output(plaintext)
+      end
+    end
+
+    desc 'decrypt-file', 'Decrypt a file'
+    shared_options
+    shared_file_options
+    method_option(
+      :data_key,
+      :type => :string,
+      :desc => 'The data key used to decrypt encypted data',
+      :required => true
+    )
+    def decrypt_file(*args)
+      master_key = Base64.strict_decode64(options[:master_key])
+      data_key = Base64.strict_decode64(options[:data_key])
+      # TODO: Clear keys
+      client = Hydan::Crypto::DecryptionHelper.new(master_key)
+      client.decrypt_file(options[:in], options[:out], data_key)
+    end
+
+    desc 's3', 'Use the S3 API'
+    subcommand 's3', Hydan::S3::S3Cmd
+
+    desc 'kms', 'Use the KMS API for encryption/decryption'
+    subcommand 'kms', Hydan::Crypto::KMS::KMSCmd
+
+  end
+end

data/lib/hydan/crypto/decrypt.rb

@@ -0,0 +1,51 @@
+module Hydan
+  module Crypto
+    class DecryptionHelper
+
+      def initialize(symmetric_key)
+        @master_key = symmetric_key
+        @generator = OpenSSL::Cipher.new(Crypto::DEFAULT_CIPHER)
+      end
+
+      # Decrypts a JSON object
+      # @return [String]
+      def decrypt(json)
+        input_hash = JSON.parse(json)
+        data_key = Base64.strict_decode64(input_hash['data_key'])
+        key_cipher = Gibberish::AES.new(@master_key)
+        plaintext_key = key_cipher.decrypt(data_key)
+        data_cipher = Gibberish::AES.new(plaintext_key)
+        plaintext = data_cipher.decrypt(JSON.generate(input_hash['ciphertext']))
+        plaintext
+      end
+
+      # Decrypts a file
+      def decrypt_file(in_file, out_file, key)
+        key_cipher = Gibberish::AES::CBC.new(@master_key)
+        # The return value for this is Base64-encoded by default,
+        # we're overriding it here to later #strict_encode64 it.
+        data_key = key_cipher.decrypt(key, binary: true)
+        data_cipher = Gibberish::AES::CBC.new(data_key)
+        data_key = nil # Scrub from memory as soon as feasible
+        data_cipher.decrypt_file(in_file, out_file)
+      end
+
+      # # Decrypts an env-formatted text string.
+      # # A file is considered to be env-formatted when:
+      # # - Each line consists of K=V pairs
+      # # - Each V is a JSON string that contains a Gibberish
+      # #   payload (ciphertext, IV, salt, etc) and an encrypted
+      # #   data key that was used to encrypt the ciphertext
+      # # @return [String]
+      def decrypt_env_file(env_body)
+        new_text = []
+        env_body.each_line do |l|
+          k, v = l.match(Hydan::IO::ENV_LINE_REGEX).captures
+          dec_v = decrypt(v)
+          new_text << "#{k}=#{dec_v}"
+        end
+        new_text
+      end
+    end
+  end
+end

data/lib/hydan/crypto/encrypt.rb

@@ -0,0 +1,56 @@
+# Class to simplify envelope encryption
+
+require 'openssl'
+
+module Hydan
+  module Crypto
+    class EncryptionHelper
+
+      def initialize(master_key)
+        @master_key = master_key
+        @generator = OpenSSL::Cipher.new(Crypto::DEFAULT_CIPHER)
+        @generator.encrypt
+      end
+
+      # Returns a JSON string containing the ciphertext (Base64 encoded)
+      # and the encrypted data key used to encrypt it
+      def encrypt(plaintext)
+        data_key = @generator.random_key
+        key_cipher = Gibberish::AES.new(@master_key)
+        data_cipher = Gibberish::AES.new(data_key)
+        output = {
+          'ciphertext' => JSON.parse(data_cipher.encrypt(plaintext)),
+          'data_key' => Base64.strict_encode64(key_cipher.encrypt(data_key))
+        }
+        JSON.pretty_generate output
+      end
+
+      # Encrypts a file and returns the encrypted data key
+      # that was generated for the file. File encryption
+      # uses a different library method that is basically
+      # line-by-line read-encrypt-write mechanism.
+      def encrypt_file(in_file, out_file)
+        data_key = @generator.random_key
+        key_cipher = Gibberish::AES::CBC.new(@master_key)
+        data_cipher = Gibberish::AES::CBC.new(data_key)
+        # The return value for this is Base64-encoded by default,
+        # we're overriding it here to later #strict_encode64 it.
+        encrypted_data_key = key_cipher.encrypt(data_key, binary: true)
+        data_key = nil # Scrub from memory as soon as feasible
+        data_cipher.encrypt_file(in_file, out_file)
+        encrypted_data_key
+      end
+      # TODO: This may be better suited for the plaintext
+      # encryption entrypoint (STDIN or --plaintext flag)
+      def encrypt_env_formatted(plaintext)
+        new_text = []
+        plaintext.each_line do |l|
+          k, v = l.match(Hydan::IO::ENV_LINE_REGEX).captures
+          enc_v = JSON.generate(JSON.parse(encrypt(v)))
+          new_text << "#{k}=#{enc_v}"
+        end
+        new_text
+      end
+    end
+  end
+end

data/lib/hydan/crypto/kms/decrypt.rb

@@ -0,0 +1,45 @@
+# Class to simplify KMS decryption interface
+
+module Hydan
+  module Crypto
+    module KMS
+      class DecryptionHelper
+
+        include Hydan::Crypto
+
+        def initialize
+          @kms = Aws::KMS::Client.new
+        end
+
+        # Decrypts a JSON object
+        # @return [String]
+        def decrypt(json)
+          input_hash = JSON.parse(json)
+          data_key = Base64.strict_decode64(input_hash['data_key'])
+          plaintext_key = @kms.decrypt(:ciphertext_blob => data_key).plaintext
+          cipher = Gibberish::AES.new(plaintext_key)
+          plaintext = cipher.decrypt(JSON.generate(input_hash['ciphertext']))
+          plaintext
+        end
+
+        # Decrypts an env-formatted text string.
+        # A file is considered to be env-formatted when:
+        # - Each line consists of K=V pairs
+        # - Each V is a JSON string that contains a Gibberish
+        #   payload (ciphertext, IV, salt, etc) and an encrypted
+        #   data key that was used to encrypt the ciphertext
+        # @return [String]
+        def decrypt_env_file(env_body)
+          new_text = []
+          env_body.each_line do |l|
+            k, v = l.match(Hydan::IO::ENV_LINE_REGEX).captures
+            dec_v = decrypt(v)
+            new_text << "#{k}=#{dec_v}"
+          end
+          new_text
+        end
+
+      end
+    end
+  end
+end

data/lib/hydan/crypto/kms/encrypt.rb

@@ -0,0 +1,56 @@
+# Class to simplify KMS encryption interface
+
+module Hydan
+  module Crypto
+    module KMS
+      class EncryptionHelper
+
+        include Hydan::Crypto
+
+        # Initializes the EncryptionHelper object with an
+        # Aws::KMS::Client.
+        def initialize
+          @kms = Aws::KMS::Client.new
+        end
+
+        # TODO: Should this be private?
+        # Returns the KMS key ID for a given alias
+        def get_kms_key_id(kms_key_alias)
+          unless @kms.nil?
+            aliases = @kms.list_aliases.aliases
+            kms_key = aliases.find { |a| a.alias_name == kms_key_alias }
+            kms_key_id = kms_key.target_key_id
+            kms_key_id
+          end
+        end
+
+        # Returns a JSON string containing the ciphertext (Base64 encoded)
+        # and the encrypted data key used to encrypt it
+        def encrypt(plaintext, kms_key_id, &block)
+          unwrapped = block.call(plaintext) if block
+          resp = @kms.generate_data_key(
+            key_id: kms_key_id,
+            key_spec: 'AES_256'
+          )
+          cipher = Gibberish::AES.new(resp[:plaintext])
+          output = {
+            'ciphertext' => JSON.parse(cipher.encrypt(unwrapped || plaintext)),
+            'data_key' => Base64.strict_encode64(resp[:ciphertext_blob])
+          }
+          JSON.pretty_generate output
+        end
+
+        def encrypt_env_file(plaintext, kms_key_id)
+          new_text = []
+          plaintext.each_line do |l|
+            k, v = l.match(Hydan::IO::ENV_LINE_REGEX).captures
+            enc_v = JSON.generate(JSON.parse(encrypt(v, kms_key_id)))
+            new_text << "#{k}=#{enc_v}"
+          end
+          new_text
+        end
+
+      end
+    end
+  end
+end

data/lib/hydan/crypto/kms.rb

@@ -0,0 +1,56 @@
+module Hydan
+  module Crypto
+    module KMS
+      # I think there are some path resolution issues going on here
+      require 'hydan/io'
+      class KMSCmd < Thor
+
+        include Hydan::IO
+        desc 'encrypt', 'Encrypt a string or file'
+        method_option :env_formatted, :type => :boolean
+        method_option :file, :type => :string
+        method_option :key_alias, :type => :string, :required => true
+        method_option :out, :type => :string
+        method_option :text, :type => :array
+        def encrypt(*args)
+          client = Hydan::Crypto::KMS::EncryptionHelper.new
+          kms_key_id = client.get_kms_key_id options[:key_alias]
+
+          # TODO: Implement encrypt-file here, same as local enc/dec
+          if options[:file]
+            file = File.open(options[:file], 'r')
+            json = client.encrypt(file, kms_key_id) { |f, k| f.read } unless options[:env_formatted]
+            json = client.encrypt_env_file(file, kms_key_id) { |f, k| f.read } if options[:env_formatted]
+            handle_output(json)
+          else
+            text = handle_input(options)
+            json = client.encrypt(text, kms_key_id) unless options[:env_formatted]
+            json = client.encrypt_env_file(text, kms_key_id) if options[:env_formatted]
+            handle_output(json)
+          end
+        end
+
+        desc 'decrypt', 'Decrypts a string or file'
+        method_option :file, :type => :string
+        method_option :env_formatted, :type => :boolean
+        method_option :out, :type => :string
+        def decrypt(*args)
+
+          client = Hydan::Crypto::KMS::DecryptionHelper.new
+
+          if options[:file]
+            file = File.open(options[:file], 'r')
+            plaintext = client.decrypt(file.read) unless options[:env_formatted]
+            plaintext = client.decrypt_env_file(file.read) if options[:env_formatted]
+            handle_output(plaintext)
+          else
+            data = handle_input(options)
+            plaintext = client.decrypt(data) unless options[:env_formatted]
+            plaintext = client.decrypt_env_file(data) if options[:env_formatted]
+            handle_output(plaintext)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/hydan/crypto.rb

@@ -0,0 +1,5 @@
+module Hydan
+  module Crypto
+    DEFAULT_CIPHER = 'AES-256-CBC'
+  end
+end

data/lib/hydan/io.rb

@@ -0,0 +1,41 @@
+module Hydan
+  module IO
+    ENV_LINE_REGEX = /(.*?)=(.*)/
+
+    # Reads text from STDIN, or uses the value supplied with
+    # --plaintext, if any. Returns the text.
+    # @return [String]
+    def handle_input(options)
+      text = options[:text].join ' ' if options[:text]
+      unless options[:text]
+        text = ''
+        text << $LAST_READ_LINE while $stdin.gets # unless $stdin.tty?
+      end
+      # raise ArgumentError.new('No plaintext specified') if text.empty?
+      text
+    end
+
+    # Output phase of the encryption process, prints output
+    # to STDOUT or uses the value supplied with --out to write
+    # output to a file, if any.
+    # @return [Nil]
+    def handle_output(json)
+      File.open(options[:out], 'w') { |f| f.write json } if options[:out]
+      puts json unless options[:out]
+      nil
+    end
+
+    # Handles the output phase for file encryption/decryption.
+    # This only concerns the encrypted data key, since file
+    # encryption automatically assumes that an output file is being
+    # used (by the library). The input encrypted_data_key is expected
+    # to be a binary key, *not* Base64 encoded.
+    def handle_key_output(encrypted_data_key_blob, out_key_file = nil)
+      File.open(out_key_file, 'wb') {
+        |f| f.write encrypted_data_key_blob
+      } if out_key_file
+      puts "Data key (Base64): #{Base64.strict_encode64(encrypted_data_key_blob)}" unless out_key_file
+    end
+
+  end
+end

data/lib/hydan/path_types.rb

@@ -0,0 +1,8 @@
+module Hydan
+  module PathTypes
+    S3 = :s3
+    # S3_Folder = :s3_folder
+    # S3_Object = :s3_object
+    UNIX = :unix
+  end
+end

data/lib/hydan/s3.rb

@@ -0,0 +1,91 @@
+require 'thor'
+
+module Hydan
+  module S3
+    # S3 command class
+    class S3Cmd < Thor
+      # TODO: This still doesn't account for the S3EncryptedClient's upload/download functions, which read/write binary
+      # encoded files (not the JSON/base64 stuff that I'm doing here).
+      desc 'cp', 'Use the S3 API to copy files'
+      method_option :decrypt, :type => :boolean
+      method_option :key_alias, :type => :string
+      # Copies src to dest (args[0] and args[1]). Handles S3->local (download)
+      # and local->S3 (upload).
+      def cp (*args)
+        src, dest =  args.take 2
+        src_type, dest_type = [S3Helper.parse_path(src), S3Helper.parse_path(dest)]
+
+        event = if src_type == PathTypes::UNIX && dest_type == PathTypes::S3
+                  :upload
+                elsif src_type == PathTypes::S3 && dest_type == PathTypes::UNIX
+                  :download
+                else
+                  :invalid
+                end
+
+        if event == :upload
+          bucket, key = S3Helper.parse_s3_path dest
+          kms_client = Hydan::Crypto::KMS::EncryptionHelper.new
+          kms_key_id = kms_client.get_kms_key_id(options[:key_alias]) if options[:key_alias]
+          client = S3Helper.new(kms_key_id)
+          client.upload(bucket, key, File.open(src, 'r').read)
+        elsif event == :download
+          bucket, key = S3Helper.parse_s3_path src
+          client = S3Helper.new(options[:decrypt])
+          client.download(bucket, key, dest)
+        else puts "Invalid"
+        end
+
+      end
+
+    end
+
+    # Wrapper class surrounding common S3 functions
+    class S3Helper
+      S3_PATH_REGEX = %r{s3:\/\/(.*?)\/(.*)}
+
+      # Initialize the S3Helper object. When a kms_key_id is given, the
+      # client uses an Aws::S3::Encrpytion::Client. If omitted, a regular
+      # Aws::S3::Client is used instead.
+      def initialize(kms_key_id = nil)
+        @s3 = Aws::S3::Client.new unless kms_key_id
+        @s3 = Aws::S3::Encryption::Client.new(
+          kms_key_id: kms_key_id
+        ) if kms_key_id
+      end
+
+      # Performs a PutObject operation for content at s3://bucket/key
+      def upload(bucket, key, body)
+        @s3.put_object(
+          bucket: bucket,
+          key:  key,
+          body: body
+        )
+      end
+
+      # Downloads the object located at s3://bucket/prefix and writes
+      # the content to dest
+      def download(bucket, prefix, dest = nil)
+        resp = @s3.get_object(bucket: bucket, key: prefix)
+        content = resp.body.string
+        File.open(dest, 'w') { |f| f.write content } if dest
+        puts content unless dest
+      end
+
+      # Parses a given string path and returns the type
+      # (constants in Hydan::PathTypes)
+      def self.parse_path(path)
+        # If we "parse" it as an S3 path, we'll let the S3 client throw
+        # an error if it's a non-existant path
+        return PathTypes::S3 if path.start_with? 's3://'
+        return PathTypes::UNIX unless path.start_with? 's3://'
+      end
+
+      # Parses an S3 path and returns regex capture
+      # groups [bucket, key]
+      def self.parse_s3_path(s3_path)
+        s3_path.match(S3_PATH_REGEX).captures
+      end
+    end
+  end
+end

data/lib/hydan/version.rb

@@ -0,0 +1,3 @@
+module Hydan
+  VERSION = '0.1.1'.freeze
+end

data/lib/hydan.rb

@@ -0,0 +1,19 @@
+require 'aws-sdk'
+require 'base64'
+require 'English'
+require 'gibberish'
+require 'logger'
+require 'thor'
+require 'hydan/crypto/kms'
+require 'hydan/crypto/kms/encrypt'
+require 'hydan/crypto/kms/decrypt'
+require 'hydan/path_types'
+require 'hydan/io'
+require 'hydan/crypto'
+require 'hydan/crypto/encrypt'
+require 'hydan/crypto/decrypt'
+require 'hydan/s3'
+require 'hydan/cli'
+require 'hydan/version'
+
+module Hydan end

metadata

@@ -0,0 +1,199 @@
+--- !ruby/object:Gem::Specification
+name: hydan
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Roberto Acevedo
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-05-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.11'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: pry-doc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: gibberish
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Hide your secrets.
+email:
+- rxacevedo@fastmail.com
+executables:
+- console
+- hydan
+- setup
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".pre-commit-config.yaml"
+- Dockerfile.tpl
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- bin/console
+- bin/hydan
+- bin/setup
+- circle.yml
+- hydan.gemspec
+- lib/hydan.rb
+- lib/hydan/cli.rb
+- lib/hydan/crypto.rb
+- lib/hydan/crypto/decrypt.rb
+- lib/hydan/crypto/encrypt.rb
+- lib/hydan/crypto/kms.rb
+- lib/hydan/crypto/kms/decrypt.rb
+- lib/hydan/crypto/kms/encrypt.rb
+- lib/hydan/io.rb
+- lib/hydan/path_types.rb
+- lib/hydan/s3.rb
+- lib/hydan/version.rb
+homepage: https://github.com/seibelsbi/hydan
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: A Ruby gem for KMS and local envelope encryption.
+test_files: []
+has_rdoc: