feat(aws/kms): encrypt and decrypt files with keys

knowledge base/cloud computing/aws/README.md

@@ -314,6 +314,7 @@ remaining usage is then charged at the On-Demand rates.
 - [AWS Public IP Address Ranges Now Available in JSON Form]
 - [Savings Plans user guide]
 - [AWS Savings Plans Vs. Reserved Instances: When To Use Each]
+- [How can I use AWS KMS asymmetric keys to encrypt a file using OpenSSL?]
 
 <!--
   Reference
@@ -353,6 +354,7 @@ remaining usage is then charged at the On-Demand rates.
 [constraints  tag]: https://docs.aws.amazon.com/directoryservice/latest/devguide/API_Tag.html
 [elastic ip addresses]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
 [exporting db snapshot data to amazon s3]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ExportSnapshot.html
+[how can i use aws kms asymmetric keys to encrypt a file using openssl?]: https://repost.aws/knowledge-center/kms-openssl-encrypt-key
 [i'm trying to export a snapshot from amazon rds mysql to amazon s3, but i'm receiving an error. why is this happening?]: https://repost.aws/knowledge-center/rds-mysql-export-snapshot
 [nat gateways]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
 [rotating aws kms keys]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

snippets/aws/commands.fish

@@ -213,7 +213,8 @@ aws iam --no-cli-pager list-access-keys --user-name 'mark'
 ###
 
 aws imagebuilder list-image-recipes
-aws imagebuilder get-image-recipe --image-recipe-arn 'arn:aws:imagebuilder:eu-west-1:012345678901:image-recipe/my-custom-image/1.0.12'
+aws imagebuilder get-image-recipe \
+	--image-recipe-arn 'arn:aws:imagebuilder:eu-west-1:012345678901:image-recipe/my-custom-image/1.0.12'
 
 
 ###
@@ -224,13 +225,23 @@ aws imagebuilder get-image-recipe --image-recipe-arn 'arn:aws:imagebuilder:eu-we
 aws kms get-key-policy --output 'text' --key-id '01234567-89ab-cdef-0123-456789abcdef'
 
 aws kms create-key
+
+aws kms get-public-key --key-id 'arn:aws:kms:eu-west-1:123456789012:key/d74f5077-811b-4447-af65-71f5f64f37d3' \
+	--output text --query 'PublicKey' > 'RSAPublic.b64' \
+&& base64 -d 'RSAPublic.b64' > 'RSAPublic.bin'
+
 aws kms encrypt --key-id '01234567-89ab-cdef-0123-456789abcdef' --plaintext 'My Test String'
 aws kms encrypt --key-id '01234567-89ab-cdef-0123-456789abcdef' --plaintext 'My Test String' \
 	--query 'CiphertextBlob' --output 'text' \
 | base64 --decode > 'ciphertext.dat'
+
 aws kms decrypt --ciphertext-blob 'fileb://ciphertext.dat'
 aws kms decrypt --ciphertext-blob 'fileb://ciphertext.dat' --query 'Plaintext' --output 'text' \
 | base64 --decode
+aws kms decrypt --key-id 'arn:aws:kms:eu-west-1:123456789012:key/d74f5077-811b-4447-af65-71f5f64f37d3' \
+	--ciphertext-blob 'fileb://enc.key.bin' --encryption-algorithm 'RSAES_OAEP_SHA_256' \
+	--output 'text' --query 'Plaintext' \
+| base64 --decode > 'decryptedKey.bin'
 
 
 ###

snippets/openssl.sh

@@ -7,7 +7,7 @@
 
 # Generate pseudo-random passwords
 openssl rand '32'
-openssl rand -base64 '18'
+openssl rand -base64 '18' > 'key.bin'
 
 
 ##
@@ -207,10 +207,18 @@ openssl speed 'ecdsap256'
 openssl ciphers -v
 
 # Enumerate individual cipher suites
-# Described by a short-hand OpenSSL cipher list string.
-# Useful to test 'ssl_ciphers' string.
+# Described by a short-hand OpenSSL cipher list string
+# Useful to test 'ssl_ciphers' string
 openssl ciphers -v 'EECDH+ECDSA+AESGCM:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4'
 
+# Encrypt files
+openssl enc -aes-256-cbc -salt -pbkdf2 -in 'FILE_TO_ENCRYPT' -out 'FILE_TO_ENCRYPT.enc' -pass 'file:./key.bin'
+openssl pkeyutl -pubin -encrypt -in 'key.bin' -out 'enc.key.bin' \
+	-inkey 'RSAPublic.bin' -keyform 'DER' -pkeyopt 'rsa_padding_mode:oaep' -pkeyopt 'rsa_oaep_md:sha256'
+
+# Decrypt files
+openssl enc -d -aes-256-cbc -pbkdf2 -in 'FILE_TO_DECRYPT.enc' -out 'DECRYPTED_FILE' -pass 'file:./decryptedKey.bin'
+
 
 ##
 # Check certificate revocation status from OCSP responders