Encrypting and decrypting with KMS in Python

Directory layout

.
├── .env
├── decrypt.py
└── encrypt.py

.env

Holds the ARN of the KMS key and the password you want to encrypt.

ARN=arn:aws:kms:ap-northeast-1:123456789012:key/12345678-1234-1234-1234-123456789012
PASSWORD="some_password"

encrypt.py

Encrypts the PASSWORD value from .env and writes the result to encrypted.yml.

import base64
import os

import boto3
import yaml
from dotenv import load_dotenv

# Load ARN and PASSWORD from .env into the process environment
load_dotenv()

# Region and credentials come from the normal boto3 configuration (env vars, profile, role)
kms = boto3.client("kms")
key_id = os.environ["ARN"]
password = os.environ["PASSWORD"]


def encrypt(plain_text: str) -> bytes:
    """Encrypt directly under the KMS key. Plaintext is a blob, so pass bytes;
    KMS Encrypt accepts at most 4096 bytes of plaintext."""
    response = kms.encrypt(KeyId=key_id, Plaintext=plain_text.encode("utf-8"))
    return response["CiphertextBlob"]


# CiphertextBlob is binary, so base64-encode it before storing it as a YAML string
encrypted = base64.b64encode(encrypt(password)).decode("utf-8")
yaml_data = {"password": encrypted}

with open("./encrypted.yml", "w") as f:
    yaml.dump(yaml_data, f)

decrypt.py

Decrypts the password value from encrypted.yml and writes it to decrypted.yml. Note that decrypted.yml then contains the plaintext secret on disk; it is only there to confirm the round trip, so delete it afterwards.

import base64
import os

import boto3
import yaml
from dotenv import load_dotenv

# Load ARN from .env (PASSWORD is not needed here)
load_dotenv()

kms = boto3.client("kms")
key_id = os.environ["ARN"]

with open("./encrypted.yml", "r") as f:
    yaml_data = yaml.safe_load(f)

# Undo the base64 encoding applied in encrypt.py to recover the raw CiphertextBlob
encrypted = base64.b64decode(yaml_data["password"])
# KeyId is optional when decrypting with a symmetric key, but passing it makes
# KMS refuse (IncorrectKeyException) if the blob was encrypted under another key
decrypted = kms.decrypt(CiphertextBlob=encrypted, KeyId=key_id)["Plaintext"].decode(
    "utf-8"
)
yaml_data = {"password": decrypted}

# Set the encoding on the file, not on yaml.dump: with encoding= given, PyYAML
# emits bytes, which a text-mode file object rejects with a TypeError
with open("./decrypted.yml", "w", encoding="utf-8") as f:
    yaml.dump(yaml_data, f, allow_unicode=True)
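The two scripts above encrypt and decrypt a single value, but they do not bind the ciphertext to anything, so a blob copied from one place (or one key) can be decrypted anywhere the caller has kms:Decrypt. The following is an added example, not code from the page: it wraps the same Encrypt/Decrypt calls with an EncryptionContext and passes KeyId on Decrypt, and it takes the KMS client as a parameter so the logic can be exercised offline against a constructed in-memory stand-in (FakeKms, which does no real cryptography and only mimics the key and context checks KMS performs). The key ARNs KEY_A and KEY_B are hypothetical.

```python
"""Added example: KMS Encrypt/Decrypt bound to an EncryptionContext and a
specific key, runnable offline against a constructed stand-in client."""
import base64
import secrets

# Hypothetical key ARNs used only for the offline demonstration
KEY_A = "arn:aws:kms:ap-northeast-1:111111111111:key/aaaaaaaa-0000-0000-0000-000000000001"
KEY_B = "arn:aws:kms:ap-northeast-1:111111111111:key/bbbbbbbb-0000-0000-0000-000000000002"


def real_kms_client():
    """The real boto3 client (imported lazily so the demo also runs without boto3)."""
    import boto3
    return boto3.client("kms")


def encrypt_secret(kms, key_id, plaintext, context):
    """Encrypt under key_id; returns a record that can be dumped to encrypted.yml.

    The EncryptionContext is additional authenticated data: not secret, not
    recoverable from the blob, and Decrypt fails unless the identical pairs are
    supplied again, so it is stored (in the clear) next to the ciphertext."""
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext.encode("utf-8"),
                       EncryptionContext=context)
    return {"password": base64.b64encode(resp["CiphertextBlob"]).decode("ascii"),
            "encryption_context": dict(context)}


def decrypt_secret(kms, key_id, record):
    """Decrypt a record from encrypt_secret. Passing KeyId makes KMS reject a
    blob produced under any other key (IncorrectKeyException) rather than
    silently decrypting it with whatever key the blob names."""
    resp = kms.decrypt(CiphertextBlob=base64.b64decode(record["password"]),
                       KeyId=key_id, EncryptionContext=record["encryption_context"])
    return resp["Plaintext"].decode("utf-8")


class FakeKmsError(Exception):
    """Stand-in for botocore's ClientError; .code mirrors the KMS error code."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


class FakeKms:
    """Constructed in-memory stand-in for the boto3 KMS client. It does NO
    cryptography: plaintexts sit in a table behind a random token, which is
    enough to show the key-binding and EncryptionContext checks of real KMS."""

    def __init__(self):
        self._table = {}

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        token = secrets.token_bytes(16)
        self._table[token] = (KeyId, dict(EncryptionContext or {}), bytes(Plaintext))
        return {"CiphertextBlob": token, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, KeyId=None, EncryptionContext=None):
        entry = self._table.get(bytes(CiphertextBlob))
        if entry is None:
            raise FakeKmsError("InvalidCiphertextException")
        key_id, context, plaintext = entry
        if KeyId is not None and KeyId != key_id:
            raise FakeKmsError("IncorrectKeyException")
        if dict(EncryptionContext or {}) != context:
            # Real KMS reports a context mismatch as InvalidCiphertextException
            raise FakeKmsError("InvalidCiphertextException")
        return {"Plaintext": plaintext, "KeyId": key_id}


def _error_code(exc):
    """KMS error code from either the stand-in or a real botocore ClientError."""
    return getattr(exc, "code", None) or exc.response["Error"]["Code"]


def demo(kms=None):
    """Round trip plus both failure modes; returns a dict of outcomes."""
    kms = kms or FakeKms()
    context = {"app": "example", "field": "password"}
    record = encrypt_secret(kms, KEY_A, "some_password", context)
    outcome = {"round_trip": decrypt_secret(kms, KEY_A, record)}

    # Same blob with the context altered: moving the ciphertext to another
    # field or application must not let it be decrypted
    tampered = dict(record, encryption_context={"app": "example", "field": "other"})
    try:
        outcome["wrong_context"] = decrypt_secret(kms, KEY_A, tampered)
    except Exception as e:
        outcome["wrong_context"] = _error_code(e)

    # Same blob, but the caller requires a different key
    try:
        outcome["wrong_key"] = decrypt_secret(kms, KEY_B, record)
    except Exception as e:
        outcome["wrong_key"] = _error_code(e)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Running the module prints the three outcomes against the stand-in; `demo(real_kms_client())` runs the same checks against AWS, where the two failure cases surface as botocore ClientError with the same error codes, provided the two ARNs are replaced with keys you own. Keep the encryption context small and non-secret: it is written to CloudTrail in the clear.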