ssssh 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +14 -0
- data/Gemfile +6 -0
- data/LICENSE.txt +22 -0
- data/README.md +26 -0
- data/Rakefile +2 -0
- data/bin/ssssh +76 -0
- data/lib/ssssh/version.rb +3 -0
- data/ssssh.gemspec +30 -0
- metadata +110 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 1fe0419d821e061f0e6193d250b521f3cf38f2bc
|
4
|
+
data.tar.gz: d725bbcded6a0e3a64c4e94d252cdff92bb7fbb7
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 9f42e0c71cb003cea6e77cbe9f2689e5d192f48b5ad853bede18cbea86a1c75dcda7c55d67fbb637ff84b0a44d9de47172c38c845427141f325ae0fe782ad7b5
|
7
|
+
data.tar.gz: 67395c2bd2284370cd8ab9f7927c55a164ce208b94302e94f60b4a5379d2e0997908721dbfecbe87da79bb7383c361d8508bdbe8caf27ab47d76ddf2174fead6
|
data/.gitignore
ADDED
data/Gemfile
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
Copyright (c) 2015 Mike Williams
|
2
|
+
|
3
|
+
MIT License
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
6
|
+
a copy of this software and associated documentation files (the
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
11
|
+
the following conditions:
|
12
|
+
|
13
|
+
The above copyright notice and this permission notice shall be
|
14
|
+
included in all copies or substantial portions of the Software.
|
15
|
+
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,26 @@
|
|
1
|
+
# Ssssh!
|
2
|
+
|
3
|
+
"ssssh" is a small tool that can be used to encrypt and decrypt secrets, using the AWS "Key Management Service" (KMS).
|
4
|
+
|
5
|
+
## Usage
|
6
|
+
|
7
|
+
Encrypt secrets like this:
|
8
|
+
|
9
|
+
ssssh encrypt KEY-ID < secrets.txt > secrets.encrypted
|
10
|
+
|
11
|
+
Later, you can decrypt them:
|
12
|
+
|
13
|
+
ssssh decrypt < secrets.encrypted > secrets.txt
|
14
|
+
|
15
|
+
This assumes that the necessary AWS_xxx environment variables are set, and that KEY-ID is the name or alias of an existing KMS key.
|
16
|
+
|
17
|
+
## Limitations
|
18
|
+
|
19
|
+
"ssssh" can only encrypt small amounts of data; up to 4 KB.
|
20
|
+
|
21
|
+
## See also
|
22
|
+
|
23
|
+
If you'd rather install a Python interpreter than a Ruby one, secrets may also be decrypted using the AWS CLI.
|
24
|
+
|
25
|
+
base64 -d < secrets.encrypted > /tmp/secrets.bin
|
26
|
+
aws kms decrypt --ciphertext-blob fileb:///tmp/secrets.bin --output text --query Plaintext | base64 -d > secrets.txt
|
data/Rakefile
ADDED
data/bin/ssssh
ADDED
@@ -0,0 +1,76 @@
|
|
1
|
+
#! /usr/bin/env ruby
|
2
|
+
|
3
|
+
require "aws-sdk-core"
|
4
|
+
require "base64"
|
5
|
+
require "clamp"
|
6
|
+
require "logger"
|
7
|
+
|
8
|
+
Clamp do
|
9
|
+
|
10
|
+
option ["--region"], "REGION", "AWS region\n",
|
11
|
+
:environment_variable => "AWS_REGION",
|
12
|
+
:default => "ap-southeast-2"
|
13
|
+
option "--access-key", "KEY", "AWS access key\n",
|
14
|
+
:environment_variable => "AWS_ACCESS_KEY_ID",
|
15
|
+
:attribute_name => :access_key_id
|
16
|
+
option "--secret-key", "KEY", "AWS secret key\n",
|
17
|
+
:environment_variable => "AWS_SECRET_ACCESS_KEY",
|
18
|
+
:attribute_name => :secret_access_key
|
19
|
+
option "--session-token", "KEY", "AWS security token\n",
|
20
|
+
:environment_variable => "AWS_SECURITY_TOKEN",
|
21
|
+
:attribute_name => :session_token
|
22
|
+
|
23
|
+
option "--debug", :flag, "enable debugging"
|
24
|
+
|
25
|
+
subcommand "encrypt", "Encrypt STDIN" do
|
26
|
+
|
27
|
+
parameter "KEY_ID", "KMS key-id"
|
28
|
+
parameter "[DATA]", "plaintext data"
|
29
|
+
|
30
|
+
def execute
|
31
|
+
plaintext = data || $stdin.read
|
32
|
+
puts Base64.encode64(encrypt(plaintext, key_id))
|
33
|
+
end
|
34
|
+
|
35
|
+
end
|
36
|
+
|
37
|
+
subcommand "decrypt", "Decrypt STDIN" do
|
38
|
+
|
39
|
+
def execute
|
40
|
+
encoded_ciphertext = $stdin.read
|
41
|
+
puts decrypt(Base64.decode64(encoded_ciphertext))
|
42
|
+
end
|
43
|
+
|
44
|
+
end
|
45
|
+
|
46
|
+
protected
|
47
|
+
|
48
|
+
def logger
|
49
|
+
@logger ||= ::Logger.new($stderr).tap do |logger|
|
50
|
+
logger.level = (debug? ? ::Logger::DEBUG : ::Logger::INFO)
|
51
|
+
end
|
52
|
+
end
|
53
|
+
|
54
|
+
def aws_config
|
55
|
+
{
|
56
|
+
:access_key_id => access_key_id,
|
57
|
+
:secret_access_key => secret_access_key,
|
58
|
+
:session_token => session_token,
|
59
|
+
:region => region,
|
60
|
+
:logger => logger, :log_level => :debug
|
61
|
+
}.reject { |k,v| v.nil? || v == "" }
|
62
|
+
end
|
63
|
+
|
64
|
+
def kms
|
65
|
+
@kms ||= Aws::KMS::Client.new(aws_config)
|
66
|
+
end
|
67
|
+
|
68
|
+
def encrypt(plaintext, key_id)
|
69
|
+
kms.encrypt(:key_id => key_id, :plaintext => plaintext).ciphertext_blob
|
70
|
+
end
|
71
|
+
|
72
|
+
def decrypt(ciphertext)
|
73
|
+
kms.decrypt(:ciphertext_blob => ciphertext).plaintext
|
74
|
+
end
|
75
|
+
|
76
|
+
end
|
data/ssssh.gemspec
ADDED
@@ -0,0 +1,30 @@
|
|
1
|
+
# coding: utf-8
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
4
|
+
require 'ssssh/version'
|
5
|
+
|
6
|
+
Gem::Specification.new do |spec|
|
7
|
+
|
8
|
+
spec.name = "ssssh"
|
9
|
+
spec.version = Ssssh::VERSION
|
10
|
+
spec.summary = %q{It's a secret!}
|
11
|
+
spec.description = %q{"ssssh" is a small tool that can be used to encrypt and decrypt secrets, using the AWS "Key Management Service" (KMS).
|
12
|
+
}
|
13
|
+
spec.license = "MIT"
|
14
|
+
|
15
|
+
spec.authors = ["Mike Williams"]
|
16
|
+
spec.email = ["mdub@dogbiscuit.org"]
|
17
|
+
spec.homepage = "https://github.com/mdub/ssssh"
|
18
|
+
|
19
|
+
spec.files = `git ls-files -z`.split("\x0")
|
20
|
+
spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
|
21
|
+
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
22
|
+
spec.require_paths = ["lib"]
|
23
|
+
|
24
|
+
spec.add_runtime_dependency "aws-sdk-core", "~> 2.0"
|
25
|
+
spec.add_runtime_dependency "clamp", ">= 0.6"
|
26
|
+
|
27
|
+
spec.add_development_dependency "bundler", "~> 1.7"
|
28
|
+
spec.add_development_dependency "rake", "~> 10.0"
|
29
|
+
|
30
|
+
end
|
metadata
ADDED
@@ -0,0 +1,110 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: ssssh
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 1.0.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Mike Williams
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
date: 2015-02-24 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: aws-sdk-core
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - "~>"
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '2.0'
|
20
|
+
type: :runtime
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - "~>"
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '2.0'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: clamp
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - ">="
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '0.6'
|
34
|
+
type: :runtime
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - ">="
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '0.6'
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: bundler
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - "~>"
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: '1.7'
|
48
|
+
type: :development
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - "~>"
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '1.7'
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: rake
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - "~>"
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: '10.0'
|
62
|
+
type: :development
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - "~>"
|
67
|
+
- !ruby/object:Gem::Version
|
68
|
+
version: '10.0'
|
69
|
+
description: |
|
70
|
+
"ssssh" is a small tool that can be used to encrypt and decrypt secrets, using the AWS "Key Management Service" (KMS).
|
71
|
+
email:
|
72
|
+
- mdub@dogbiscuit.org
|
73
|
+
executables:
|
74
|
+
- ssssh
|
75
|
+
extensions: []
|
76
|
+
extra_rdoc_files: []
|
77
|
+
files:
|
78
|
+
- ".gitignore"
|
79
|
+
- Gemfile
|
80
|
+
- LICENSE.txt
|
81
|
+
- README.md
|
82
|
+
- Rakefile
|
83
|
+
- bin/ssssh
|
84
|
+
- lib/ssssh/version.rb
|
85
|
+
- ssssh.gemspec
|
86
|
+
homepage: https://github.com/mdub/ssssh
|
87
|
+
licenses:
|
88
|
+
- MIT
|
89
|
+
metadata: {}
|
90
|
+
post_install_message:
|
91
|
+
rdoc_options: []
|
92
|
+
require_paths:
|
93
|
+
- lib
|
94
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
95
|
+
requirements:
|
96
|
+
- - ">="
|
97
|
+
- !ruby/object:Gem::Version
|
98
|
+
version: '0'
|
99
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
100
|
+
requirements:
|
101
|
+
- - ">="
|
102
|
+
- !ruby/object:Gem::Version
|
103
|
+
version: '0'
|
104
|
+
requirements: []
|
105
|
+
rubyforge_project:
|
106
|
+
rubygems_version: 2.2.2
|
107
|
+
signing_key:
|
108
|
+
specification_version: 4
|
109
|
+
summary: It's a secret!
|
110
|
+
test_files: []
|