symmetric-encryption 4.0.1 → 4.1.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a8b4f45cc7b6dca91b1eb5d8eb5df044485d0a484f93472ce38fee62559453e8
-  data.tar.gz: 973376b8363032b2a71aaf840a3012cf7485d7f6b16f2ea1ebf20f622eaf56f0
+  metadata.gz: 674089b02b1620226cd6282347185623f2e94584d31759a42200fed1288f4bc2
+  data.tar.gz: 35d96710285ed9190f5d75e36471489f137ae19ba64bc3bcebf3224020d75b30
 SHA512:
-  metadata.gz: ae3695e636ea98bcbfe489187e26244dee6116257afdf4383a234359c201974024d3180d1ea1851edbc1798343ce1ab862fea20691a01f8eb7993b58a7206921
-  data.tar.gz: cbe308f3287c77c32996551b8f4ace32fd803e123e32f906ed21d65bf6d3823b19ce5459623a445a4ffd4bb1b33a0377558ad6604e98d61ae17b206d4cef1892
+  metadata.gz: 57a4050574792eaeca82e4c0174ed4676491e30c09186380f4f72c5d39c4fe6cd430ba025ae1b9ff6c4cfec7101b181787f6f295bb1b8c44269dddd0145cfb26
+  data.tar.gz: 9837704656992c51e9771e962331e04f0be6b0b2ba3b577f1196cb091cd426a800147ebbe424b9e6f9ebabaf012b635f0f480438112436b7f1eba55c04603f58

data/README.md

@@ -29,13 +29,6 @@ Checkout the sister project [Rocket Job](http://rocketjob.io): Ruby's missing ba
 
 Fully supports Symmetric Encryption to encrypt data in flight and at rest while running jobs in the background.
 
-## Supports
-
-Symmetric Encryption works with the following Ruby VMs:
-
-- Ruby 2.1 and higher.
-- JRuby 9.1 and higher.
-
 ## Upgrading to SymmetricEncryption V4
 
 Version 4 of Symmetric Encryption has completely adopted the Ruby keyword arguments on most API's where

data/lib/symmetric_encryption.rb

@@ -22,7 +22,7 @@ module SymmetricEncryption
   autoload :CLI,                    'symmetric_encryption/cli'
   autoload :Keystore,               'symmetric_encryption/keystore'
   module Utils
-    autoload :Generate,             'symmetric_encryption/utils/generate'
+    autoload :Aws,                  'symmetric_encryption/utils/aws'
     autoload :ReEncryptFiles,       'symmetric_encryption/utils/re_encrypt_files'
   end
 end

data/lib/symmetric_encryption/cipher.rb

@@ -18,8 +18,8 @@ module SymmetricEncryption
                          encoding: :base64strict,
                          **config)
 
-      Key.migrate_config!(config)
-      key = Key.from_config(cipher_name: cipher_name, **config)
+      Keystore.migrate_config!(config)
+      key = Keystore.read_key(cipher_name: cipher_name, **config)
 
       Cipher.new(
         key:               key.key,

data/lib/symmetric_encryption/cli.rb

@@ -6,7 +6,7 @@ module SymmetricEncryption
                 :decrypt, :random_password, :new_keys, :generate, :environment,
                 :keystore, :re_encrypt, :version, :output_file_name, :compress,
                 :environments, :cipher_name, :rolling_deploy, :rotate_keys, :rotate_kek, :prompt, :show_version,
-                :cleanup_keys, :activate_key, :migrate
+                :cleanup_keys, :activate_key, :migrate, :regions
 
     KEYSTORES = %i[heroku environment file].freeze
 
@@ -19,7 +19,7 @@ module SymmetricEncryption
       @environment      = ENV['SYMMETRIC_ENCRYPTION_ENV'] || ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
       @config_file_path = File.expand_path(ENV['SYMMETRIC_ENCRYPTION_CONFIG'] || 'config/symmetric-encryption.yml')
       @app_name         = 'symmetric-encryption'
-      @key_path         = '/etc/symmetric-encryption'
+      @key_path         = '~/.symmetric-encryption'
       @cipher_name      = 'aes-256-cbc'
       @rolling_deploy   = false
       @prompt           = false
@@ -127,11 +127,15 @@ module SymmetricEncryption
           @generate = config
         end
 
-        opts.on '-s', '--keystore heroku|environment|file', 'Generate a new configuration file and encryption keys for every environment.' do |keystore|
+        opts.on '-s', '--keystore heroku|environment|file|aws', 'Which keystore to use during generation or re-encryption.' do |keystore|
           @keystore = (keystore || 'file').downcase.to_sym
         end
 
-        opts.on '-K', '--key-path KEY_PATH', 'Output path in which to write generated key files. Default: /etc/symmetric-encryption' do |path|
+        opts.on '-B', '--regions [us-east-1,us-east-2,us-west-1,us-west-2]', 'AWS KMS Regions to encrypt data key with.' do |regions|
+          @regions = regions.to_s.split(',').collect(&:strip) if regions
+        end
+
+        opts.on '-K', '--key-path KEY_PATH', 'Output path in which to write generated key files. Default: ~/.symmetric-encryption' do |path|
           @key_path = path
         end
 
@@ -197,26 +201,21 @@ module SymmetricEncryption
     end
 
     def generate_new_config
+      unless KEYSTORES.include?(keystore)
+        puts "Invalid keystore option: #{keystore}, must be one of #{KEYSTORES.join(', ')}"
+        exit(-3)
+      end
+
       config_file_does_not_exist!
       self.environments ||= %i[development test release production]
-      cfg               =
-        if keystore == :file
-          SymmetricEncryption::Keystore::File.new_config(
-            key_path:     key_path,
-            app_name:     app_name,
-            environments: environments,
-            cipher_name:  cipher_name
-          )
-        elsif %i[heroku environment].include?(keystore)
-          SymmetricEncryption::Keystore::Environment.new_config(
-            app_name:     app_name,
-            environments: environments,
-            cipher_name:  cipher_name
-          )
-        else
-          puts "Invalid keystore option: #{keystore}, must be one of #{KEYSTORES.join(', ')}"
-          exit(-3)
-        end
+      args              = {
+        app_name:     app_name,
+        environments: environments,
+        cipher_name:  cipher_name
+      }
+      args[:key_path]   = key_path if key_path
+      args[:regions]    = regions if regions && !regions.empty?
+      cfg               = Keystore.generate_data_keys(keystore, **args)
       Config.write_file(config_file_path, cfg)
       puts "New configuration file created at: #{config_file_path}"
     end
@@ -228,8 +227,13 @@ module SymmetricEncryption
     end
 
     def run_rotate_keys
+      if keystore && KEYSTORES.include?(keystore)
+        puts "Invalid keystore option: #{keystore}, must be one of #{KEYSTORES.join(', ')}"
+        exit(-3)
+      end
+
       config = Config.read_file(config_file_path)
-      SymmetricEncryption::Keystore.rotate_keys!(config, environments: environments || [], app_name: app_name, rolling_deploy: rolling_deploy)
+      SymmetricEncryption::Keystore.rotate_keys!(config, environments: environments || [], app_name: app_name, rolling_deploy: rolling_deploy, keystore: keystore)
       Config.write_file(config_file_path, config)
       puts "Existing configuration file updated with new keys: #{config_file_path}"
     end

data/lib/symmetric_encryption/key.rb

@@ -3,68 +3,6 @@ module SymmetricEncryption
   class Key
     attr_reader :key, :iv, :cipher_name
 
-    # Returns [Key] from cipher data usually extracted from the configuration file.
-    #
-    # Supports N level deep key encrypting keys.
-    #
-    # Configuration keys:
-    # * key
-    # * encrypted_key
-    # * key_filename
-    def self.from_config(key: nil, key_filename: nil, encrypted_key: nil, key_env_var: nil,
-                         iv:, key_encrypting_key: nil, cipher_name: 'aes-256-cbc')
-
-      if key_encrypting_key.is_a?(Hash)
-        # Recurse up the chain returning the parent key_encrypting_key
-        key_encrypting_key = from_config(cipher_name: cipher_name, **key_encrypting_key)
-      end
-
-      key ||=
-        if encrypted_key
-          raise(ArgumentError, 'Missing mandatory :key_encrypting_key when config includes :encrypted_key') unless key_encrypting_key
-          Keystore::Memory.new(encrypted_key: encrypted_key, key_encrypting_key: key_encrypting_key).read
-        elsif key_filename
-          Keystore::File.new(file_name: key_filename, key_encrypting_key: key_encrypting_key).read
-        elsif key_env_var
-          raise(ArgumentError, 'Missing mandatory :key_encrypting_key when config includes :key_env_var') unless key_encrypting_key
-          Keystore::Environment.new(key_env_var: key_env_var, key_encrypting_key: key_encrypting_key).read
-        end
-
-      new(key: key, iv: iv, cipher_name: cipher_name)
-    end
-
-    # Migrate a prior config.
-    #
-    # Note:
-    # * The config cannot be saved back to the config file once
-    #   migrated, without generating new Key Encrypting Keys.
-    # * Only run this migration in the target environment so that the
-    #   current key encrypting files are present.
-    def self.migrate_config!(config)
-      # Backward compatibility - Deprecated
-      private_rsa_key = config.delete(:private_rsa_key)
-
-      # Migrate old encrypted_iv
-      if (encrypted_iv = config.delete(:encrypted_iv)) && private_rsa_key
-        encrypted_iv = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
-        config[:iv]  = ::Base64.decode64(encrypted_iv)
-      end
-
-      # Migrate old iv_filename
-      if (file_name = config.delete(:iv_filename)) && private_rsa_key
-        encrypted_iv = File.read(file_name)
-        config[:iv]  = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
-      end
-
-      # Backward compatibility - Deprecated
-      config[:key_encrypting_key] = RSAKey.new(private_rsa_key) if private_rsa_key
-
-      # Migrate old encrypted_key to new binary format
-      if (encrypted_key = config[:encrypted_key]) && private_rsa_key
-        config[:encrypted_key] = ::Base64.decode64(encrypted_key)
-      end
-    end
-
     def initialize(key: :random, iv: :random, cipher_name: 'aes-256-cbc')
       @key         = key == :random ? ::OpenSSL::Cipher.new(cipher_name).random_key : key
       @iv          = iv == :random ? ::OpenSSL::Cipher.new(cipher_name).random_iv : iv

data/lib/symmetric_encryption/keystore.rb

@@ -2,11 +2,33 @@ module SymmetricEncryption
   # Encryption keys are secured in Keystores
   module Keystore
     # @formatter:off
+    autoload :Aws,         'symmetric_encryption/keystore/aws'
     autoload :Environment, 'symmetric_encryption/keystore/environment'
     autoload :File,        'symmetric_encryption/keystore/file'
+    autoload :Heroku,      'symmetric_encryption/keystore/heroku'
     autoload :Memory,      'symmetric_encryption/keystore/memory'
     # @formatter:on
 
+    # Returns [Hash] a new keystore configuration after generating data keys for each environment.
+    def self.generate_data_keys(keystore:, environments: %i[development test release production], **args)
+      keystore_class = keystore.is_a?(Symbol) || keystore.is_a?(String) ? constantize_symbol(keystore) : keystore
+
+      configs = {}
+      environments.each do |environment|
+        environment          = environment.to_sym
+        configs[environment] =
+          if %i[development test].include?(environment)
+            dev_config
+          else
+            cfg = keystore_class.generate_data_key(environment: environment, **args)
+            {
+              ciphers: [cfg]
+            }
+          end
+      end
+      configs
+    end
+
     # Returns [Hash] a new configuration file after performing key rotation.
     #
     # Perform key rotation for each of the environments in the configuration file, by
@@ -27,10 +49,13 @@ module SymmetricEncryption
     #     by the servers that have not been updated yet.
     #     Default: false
     #
+    #   keystore: [Symbol]
+    #     If supplied, changes the keystore during key rotation.
+    #
     # Notes:
     # * iv_filename is no longer supported and is removed when creating a new random cipher.
     #     * `iv` does not need to be encrypted and is included in the clear.
-    def self.rotate_keys!(full_config, environments: [], app_name:, rolling_deploy: false)
+    def self.rotate_keys!(full_config, environments: [], app_name:, rolling_deploy: false, keystore: nil)
       full_config.each_pair do |environment, cfg|
         # Only rotate keys for specified environments. Default, all
         next if !environments.empty? && !environments.include?(environment.to_sym)
@@ -43,22 +68,24 @@ module SymmetricEncryption
         # Only generate new keys for keystore's that have a key encrypting key
         next unless config[:key_encrypting_key] || config[:private_rsa_key]
 
-        cipher_name    = config[:cipher_name] || 'aes-256-cbc'
-        new_key_config =
-          if config.key?(:key_filename)
-            key_path = ::File.dirname(config[:key_filename])
-            Keystore::File.new_key_config(key_path: key_path, cipher_name: cipher_name, app_name: app_name, version: version, environment: environment)
-          elsif config.key?(:key_env_var)
-            Keystore::Environment.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment)
-          elsif config.key?(:encrypted_key)
-            Keystore::Memory.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment)
-          end
+        cipher_name = config[:cipher_name] || 'aes-256-cbc'
+
+        keystore_class = keystore ? constantize_symbol(keystore) : keystore_for(config)
+
+        args            = {
+          cipher_name: cipher_name,
+          app_name:    app_name,
+          version:     version,
+          environment: environment
+        }
+        args[:key_path] = ::File.dirname(config[:key_filename]) if config.key?(:key_filename)
+        new_data_key    = keystore_class.generate_data_key(args)
 
         # Add as second key so that key can be published now and only used in a later deploy.
         if rolling_deploy
-          cfg[:ciphers].insert(1, new_key_config)
+          cfg[:ciphers].insert(1, new_data_key)
         else
-          cfg[:ciphers].unshift(new_key_config)
+          cfg[:ciphers].unshift(new_data_key)
         end
       end
       full_config
@@ -83,27 +110,29 @@ module SymmetricEncryption
         always_add_header = config.delete(:always_add_header)
         encoding          = config.delete(:encoding)
 
-        Key.migrate_config!(config)
+        migrate_config!(config)
 
         # The current data encrypting key without any of the key encrypting keys.
-        key            = Key.from_config(config)
+        key            = Keystore.read_key(config)
         cipher_name    = key.cipher_name
-        new_key_config =
-          if config.key?(:key_filename)
-            key_path = ::File.dirname(config[:key_filename])
-            Keystore::File.new_key_config(key_path: key_path, cipher_name: cipher_name, app_name: app_name, version: version, environment: environment, dek: key)
-          elsif config.key?(:key_env_var)
-            Keystore::Environment.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment, dek: key)
-          elsif config.key?(:encrypted_key)
-            Keystore::Memory.new_key_config(cipher_name: cipher_name, app_name: app_name, version: version, environment: environment, dek: key)
-          end
+        keystore_class = keystore_for(config)
+
+        args            = {
+          cipher_name: cipher_name,
+          app_name:    app_name,
+          version:     version,
+          environment: environment,
+          dek:         key
+        }
+        args[:key_path] = ::File.dirname(config[:key_filename]) if config.key?(:key_filename)
 
-        new_key_config[:always_add_header] = always_add_header
-        new_key_config[:encoding]          = encoding
+        new_config                     = keystore_class.generate_data_key(args)
+        new_config[:always_add_header] = always_add_header
+        new_config[:encoding]          = encoding
 
         # Replace existing config entry
         cfg[:ciphers].shift
-        cfg[:ciphers].unshift(new_key_config)
+        cfg[:ciphers].unshift(new_config)
       end
       full_config
     end
@@ -122,5 +151,92 @@ module SymmetricEncryption
           ]
       }
     end
+
+    # Returns [Key] by recursively navigating the config tree.
+    #
+    # Supports N level deep key encrypting keys.
+    def self.read_key(key: nil, iv:, key_encrypting_key: nil, cipher_name: 'aes-256-cbc', keystore: nil, version: 0, **args)
+      if key_encrypting_key.is_a?(Hash)
+        # Recurse up the chain returning the parent key_encrypting_key
+        key_encrypting_key = read_key(cipher_name: cipher_name, **key_encrypting_key)
+      end
+
+      unless key
+        keystore_class = keystore ? constantize_symbol(keystore) : keystore_for(args)
+        store          = keystore_class.new(key_encrypting_key: key_encrypting_key, **args)
+        key            = store.read
+      end
+
+      Key.new(key: key, iv: iv, cipher_name: cipher_name)
+    end
+
+    #
+    # Internal use only methods
+    #
+
+    def self.keystore_for(config)
+      if config[:keystore]
+        constantize_symbol(config[:keystore])
+      elsif config[:encrypted_key]
+        Keystore::Memory
+      elsif config[:key_filename]
+        Keystore::File
+      elsif config[:key_env_var]
+        Keystore::Environment
+      else
+        raise(ArgumentError, 'Unknown keystore supplied in config')
+      end
+    end
+
+    def self.constantize_symbol(symbol, namespace = 'SymmetricEncryption::Keystore')
+      klass = "#{namespace}::#{camelize(symbol.to_s)}"
+      begin
+        Object.const_get(klass)
+      rescue NameError
+        raise(ArgumentError, "Keystore: #{symbol.inspect} not found. Looking for: #{klass}")
+      end
+    end
+
+    # Borrow from Rails, when not running Rails
+    def self.camelize(term)
+      string = term.to_s
+      string = string.sub(/^[a-z\d]*/, &:capitalize)
+      string.gsub!(/(?:_|(\/))([a-z\d]*)/i) { "#{Regexp.last_match(1)}#{Regexp.last_match(2).capitalize}" }
+      string.gsub!('/'.freeze, '::'.freeze)
+      string
+    end
+
+    # Migrate a prior config.
+    #
+    # Note:
+    # * The config cannot be saved back to the config file once
+    #   migrated, without generating new Key Encrypting Keys.
+    # * Only run this migration in the target environment so that the
+    #   current key encrypting files are present.
+    def self.migrate_config!(config)
+      # Backward compatibility - Deprecated
+      private_rsa_key = config.delete(:private_rsa_key)
+
+      # Migrate old encrypted_iv
+      if (encrypted_iv = config.delete(:encrypted_iv)) && private_rsa_key
+        encrypted_iv = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
+        config[:iv]  = ::Base64.decode64(encrypted_iv)
+      end
+
+      # Migrate old iv_filename
+      if (file_name = config.delete(:iv_filename)) && private_rsa_key
+        encrypted_iv = ::File.read(file_name)
+        config[:iv]  = RSAKey.new(private_rsa_key).decrypt(encrypted_iv)
+      end
+
+      # Backward compatibility - Deprecated
+      config[:key_encrypting_key] = RSAKey.new(private_rsa_key) if private_rsa_key
+
+      # Migrate old encrypted_key to new binary format
+      if (encrypted_key = config[:encrypted_key]) && private_rsa_key
+        config[:encrypted_key] = ::Base64.decode64(encrypted_key)
+      end
+    end
+
   end
 end

data/lib/symmetric_encryption/keystore/aws.rb

@@ -0,0 +1,172 @@
+require 'base64'
+require 'aws-sdk-kms'
+module SymmetricEncryption
+  module Keystore
+    # Support AWS Key Management Service (KMS)
+    #
+    # Terms:
+    #   Aws
+    #     Amazon Web Services.
+    #
+    #   CMK
+    #     Customer Master Key.
+    #     Master key to encrypt and decrypt data, specifically the DEK in this case.
+    #     Stored in AWS, cannot be exported.
+    #
+    #   DEK
+    #     Data Encryption Key.
+    #     Key used to encrypt local data.
+    #     Encrypted with the CMK and stored locally.
+    #
+    #   KMS
+    #     Key Management Service.
+    #     For generating and storing the CMK.
+    #     Used to encrypt and decrypt the DEK.
+    #
+    # Recommended reading:
+    #
+    # Concepts:
+    #   https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
+    #
+    # Overview:
+    #   https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
+    #
+    # Process:
+    # 1. Create a customer master key (CMK) along with an alias for use by Symmetric Encryption.
+    #     - Note: CMK is region specific.
+    #     - Stored exclusively in AWS KMS, cannot be exported.
+    #
+    # 2. Generate and encrypt a data encryption key (DEK).
+    #     - CMK is used to encrypt the DEK.
+    #     - Encrypted DEK is stored locally.
+    #     - Encrypted DEK is region specific.
+    #       - DEK can be shared, but then must be re-encrypted in each region.
+    #     - Shared DEK across regions for database replication.
+    #     - List of regions to publish DEK to during generation / key-rotation.
+    #     - DEK must be encrypted with CMK in each region consecutively.
+    #
+    # Warning:
+    #   If access to the AWS KMS is ever lost, then it is not possible to decrypt any encrypted data.
+    #   Examples:
+    #     - Loss of access to AWS accounts.
+    #     - Loss of region(s) in which master keys are stored.
+    class Aws
+      attr_reader :region, :key_files, :master_key_alias
+
+      # Returns [Hash] a new keystore configuration after generating the data key.
+      #
+      # Increments the supplied version number by 1.
+      #
+      # Sample Hash layout returned:
+      # {
+      #   cipher_name: aes-256-cbc,
+      #   version:     8,
+      #   keystore:    :aws,
+      #   master_key_alias: 'alias/symmetric-encryption/application/production',
+      #   key_files:   [
+      #                  {region: blah1, file_name: "~/symmetric-encryption/application_production_blah1_v6.encrypted_key"},
+      #                  {region: blah2, file_name: "~/symmetric-encryption/application_production_blah2_v6.encrypted_key"},
+      #                ],
+      #   iv:          'T80pYzD0E6e/bJCdjZ6TiQ=='
+      # }
+      def self.generate_data_key(version: 0,
+        regions: Utils::Aws::AWS_US_REGIONS,
+        dek: nil,
+        cipher_name:,
+        app_name:,
+        environment:,
+        key_path:)
+
+        # TODO: Also support generating environment variables instead of files.
+
+        version >= 255 ? (version = 1) : (version += 1)
+        regions = Array(regions).dup
+
+        master_key_alias = master_key_alias(app_name, environment)
+
+        # File per region for holding the encrypted data key
+        key_files = regions.collect do |region|
+          file_name = "#{app_name}_#{environment}_#{region}_v#{version}.encrypted_key"
+          {region: region, file_name: ::File.join(key_path, file_name)}
+        end
+
+        keystore = new(key_files: key_files, master_key_alias: master_key_alias)
+        unless dek
+          data_key = keystore.aws(regions.first).generate_data_key(cipher_name)
+          dek      = Key.new(key: data_key, cipher_name: cipher_name)
+        end
+        keystore.write(dek.key)
+
+        {
+          keystore:         :aws,
+          cipher_name:      dek.cipher_name,
+          version:          version,
+          master_key_alias: master_key_alias,
+          key_files:        key_files,
+          iv:               dek.iv
+        }
+      end
+
+      # Alias pointing to the active version of the master key for that region.
+      def self.master_key_alias(app_name, environment)
+        @master_key_alias ||= "alias/symmetric-encryption/#{app_name}/#{environment}"
+      end
+
+      # Stores the Encryption key in a file.
+      # Secures the Encryption key by encrypting it with a key encryption key.
+      def initialize(region: nil, key_files:, master_key_alias:, key_encrypting_key: nil)
+        @key_files        = key_files
+        @master_key_alias = master_key_alias
+        @region           = region || ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION'] || ::Aws.config[:region]
+        if key_encrypting_key
+          raise(SymmetricEncryption::ConfigError, 'AWS KMS keystore encrypts the key itself, so does not support supplying a key_encrypting_key')
+        end
+      end
+
+      # Reads the data key environment variable, if present, otherwise a file.
+      # Decrypts the key using the master key for this region.
+      def read
+        key_file = key_files.find { |i| i[:region] == region }
+        raise(SymmetricEncryption::ConfigError, "region: #{region} not available in the supplied key_files") unless key_file
+
+        file_name = key_file[:file_name]
+        raise(SymmetricEncryption::ConfigError, 'file_name is mandatory for each key_file entry') unless file_name
+
+        raise(SymmetricEncryption::ConfigError, "File #{file_name} could not be found") unless ::File.exist?(file_name)
+
+        # TODO: Validate that file is not globally readable.
+        encoded_dek        = ::File.open(file_name, 'rb', &:read)
+        encrypted_data_key = Base64.strict_decode64(encoded_dek)
+        aws(region).decrypt(encrypted_data_key)
+      end
+
+      # Encrypt and write the data key to the file for each region.
+      def write(data_key)
+        key_files.each do |key_file|
+          region    = key_file[:region]
+          file_name = key_file[:file_name]
+
+          raise(ArgumentError, "region and file_name are mandatory for each key_file entry") unless region && file_name
+
+          encrypted_data_key = aws(region).encrypt(data_key)
+          encoded_dek        = Base64.strict_encode64(encrypted_data_key)
+          write_to_file(file_name, encoded_dek)
+        end
+      end
+
+      def aws(region)
+        Utils::Aws.new(region: region, master_key_alias: master_key_alias)
+      end
+
+      private
+
+      # Write to the supplied file_name, backing up the existing file if present
+      def write_to_file(file_name, data)
+        path = ::File.dirname(file_name)
+        ::FileUtils.mkdir_p(path) unless ::File.directory?(path)
+        ::File.rename(file_name, "#{file_name}.#{Time.now.to_i}") if ::File.exist?(file_name)
+        ::File.open(file_name, 'wb') { |file| file.write(data) }
+      end
+    end
+  end
+end