Use the AWS CLI for KMS encrypt, decrypt, re-encrypt, key rotation and data key generation.
Encrypt
# Encrypt secret.txt directly under the KMS key. The CLI prints the ciphertext
# base64-encoded, so it is decoded here and stored as raw binary; that is the
# form fileb:// expects when the file is handed back to KMS for decryption.
# Direct encryption accepts at most 4096 bytes of plaintext; for larger data
# use a data key (see "Generate Key").
# secret.txt stays on disk unencrypted after this runs; remove it once the
# ciphertext has been verified.
aws kms encrypt \
  --key-id YOURKEYIDHERE \
  --plaintext fileb://secret.txt \
  --query CiphertextBlob \
  --output text |
  base64 --decode > encryptedsecret.txt
Decrypt
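# Decrypt the raw ciphertext blob and write the recovered plaintext to a file.
# For symmetric keys KMS can locate the key from metadata inside the blob, so
# --key-id is optional; it is pinned here so the call fails if the blob was
# produced under any other key the caller happens to have access to.
# decryptedsecret.txt holds the secret in the clear: keep it out of shared or
# world-readable directories and delete it when it is no longer needed.
aws kms decrypt \
  --key-id YOURKEYIDHERE \
  --ciphertext-blob fileb://encryptedsecret.txt \
  --query Plaintext \
  --output text |
  base64 --decode > decryptedsecret.txt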
Re-encrypt
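# Re-encrypt an existing ciphertext under the destination key. The plaintext is
# decrypted and encrypted again inside KMS and never reaches the client.
# Without --query/--output the CLI prints the whole JSON response, and piping
# that through plain `base64` would store base64-encoded JSON rather than a
# usable ciphertext. Select CiphertextBlob and decode it so newencryption.txt
# is a raw blob that `aws kms decrypt --ciphertext-blob fileb://...` accepts,
# the same format the Encrypt step produces.
# The caller needs kms:ReEncryptFrom on the source key and kms:ReEncryptTo on
# the destination key. --source-key-id can be added to pin the source key.
aws kms re-encrypt \
  --destination-key-id YOURKEYIDHERE \
  --ciphertext-blob fileb://encryptedsecret.txt \
  --query CiphertextBlob \
  --output text |
  base64 --decode > newencryption.txt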
Key rotation
# Turn on automatic rotation of the key material for this KMS key.
# Rotation only changes the material used for new encrypt calls; earlier
# material is retained so existing ciphertext still decrypts, and no stored
# data is re-encrypted. It applies to symmetric encryption keys whose key
# material was generated by KMS.
aws kms enable-key-rotation \
  --key-id YOURKEYIDHERE

# Confirm the setting took effect (reports whether rotation is enabled).
aws kms get-key-rotation-status \
  --key-id YOURKEYIDHERE
Generate Key
# Request a 256-bit data key for envelope encryption. The JSON response holds
# both the plaintext data key (base64) and the same key encrypted under the KMS
# key (CiphertextBlob). As written, the plaintext key is printed to the
# terminal and may end up in scrollback or captured logs.
# Store only the CiphertextBlob next to the data; use the plaintext key in
# memory and discard it. When the key is not needed immediately,
# `aws kms generate-data-key-without-plaintext` returns only the encrypted copy.
aws kms generate-data-key \
  --key-id YOURKEYIDHERE \
  --key-spec AES_256
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/index.html#cli-aws-kms