Module: S3encrypt

Defined in:
lib/s3encrypt.rb,
lib/s3encrypt/version.rb

Constant Summary

VERSION =
"0.1.10"


Class Method Details

.decrypt_key(keyvalue, app_context) ⇒ Object



# File 'lib/s3encrypt.rb', line 89

# Unwrap a KMS-encrypted data key.
#
# The encryption context is the same {"Application" => app_context} pair
# that fetch_new_key supplied when the key was generated; KMS refuses to
# decrypt when the context does not match, so a key fetched for one
# application cannot be unwrapped under another application's name.
#
# @param keyvalue [String] raw ciphertext blob (fetch_key has already
#   base64-decoded it)
# @param app_context [String] application name bound into the context
# @return [String] the plaintext data key, kept in memory only
def self.decrypt_key(keyvalue,app_context)
  context = { "Application" => app_context }
  unwrapped = Aws::KMS::Client.new.decrypt(ciphertext_blob: keyvalue,
                                           encryption_context: context)
  unwrapped.plaintext
end

.fetch_file(s3client, plaintext_key, local_filename, remote_filename, bucket) ⇒ Object



# File 'lib/s3encrypt.rb', line 111

# Download and client-side-decrypt one object with an already unwrapped
# data key.
#
# Any Aws::S3::Errors::ServiceError from the download is printed to stdout
# and swallowed, so on failure the method returns nil instead of a
# response. Callers such as getfile_as_json / getfile_as_string read
# `.body` off the result without checking for nil.
#
# @param s3client [Aws::S3::Client] transport client
# @param plaintext_key [String] unwrapped data key (see decrypt_key)
# @param local_filename [String, nil] file to write the plaintext to; the
#   in-memory helpers pass nil and read the body from the response instead
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @return [Object, nil] the GetObject response, or nil after a ServiceError
def self.fetch_file(s3client,plaintext_key,local_filename,remote_filename,bucket)
  decrypting_client = Aws::S3::Encryption::Client.new(encryption_key: plaintext_key,
                                                      client: s3client)
  decrypting_client.get_object(bucket: bucket,
                               key: remote_filename,
                               response_target: local_filename)
rescue Aws::S3::Errors::ServiceError => e
  puts "retrieval failed: #{e}"
end

.fetch_key(s3client, filename, bucket) ⇒ Object



# File 'lib/s3encrypt.rb', line 101

# Read the KMS-wrapped data key that upload_key stored next to the object
# under "<filename>.key".
#
# Base64.decode64 is lenient: characters outside the base64 alphabet are
# skipped rather than rejected, so a truncated or tampered key object is
# not detected here; it surfaces later as a KMS error in decrypt_key.
#
# @param s3client [Aws::S3::Client] transport client
# @param filename [String] object key of the data object (not the .key file)
# @param bucket [String] bucket name
# @return [String] the raw ciphertext blob, ready for decrypt_key
def self.fetch_key(s3client,filename,bucket)
  key_object = s3client.get_object(key: "#{filename}.key", bucket: bucket)
  Base64.decode64(key_object.body.read)
end

.fetch_new_key(app_context, master_key) ⇒ Object

Pass your KMS master key id as master_key; it is sent to KMS as key_id.



# File 'lib/s3encrypt.rb', line 30

# Ask KMS for a fresh AES-256 data key wrapped under master_key.
#
# The encryption context {"Application" => app_context} is bound into the
# wrapped key; decrypt_key must present the same pair to unwrap it.
#
# @param app_context [String] application name for the encryption context
# @param master_key [String] KMS key id (sent as key_id)
# @return [Array(String, String)] [ciphertext_blob, plaintext]; the
#   ciphertext is what gets stored in S3, the plaintext stays in memory
def self.fetch_new_key(app_context, master_key)
  request = {
    key_id: master_key,
    key_spec: "AES_256",
    encryption_context: { "Application" => app_context }
  }
  data_key = Aws::KMS::Client.new.generate_data_key(request)
  [data_key.ciphertext_blob, data_key.plaintext]
end

.getfile(local_filename, remote_filename, bucket, app_context) ⇒ Object



# File 'lib/s3encrypt.rb', line 123

# Fetch and decrypt an object: read its wrapped key, unwrap it through
# KMS, then download the object with the unwrapped key.
#
# @param local_filename [String, nil] destination path, or nil to keep the
#   body in the response (see getfile_as_string)
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @param app_context [String] must match the context used at upload time
# @return [Object, nil] whatever fetch_file returns: the GetObject
#   response, or nil when fetch_file swallowed a ServiceError
def self.getfile(local_filename, remote_filename, bucket, app_context)
  transport = Aws::S3::Client.new
  wrapped_key = fetch_key(transport, remote_filename, bucket)
  data_key = decrypt_key(wrapped_key, app_context)
  fetch_file(transport, data_key, local_filename, remote_filename, bucket)
end

.getfile_as_json(remote_filename, bucket, app_context) ⇒ Object

Helper method that bypasses writing a file to the system and returns a JSON object. Intended for accessing the data programmatically, so that no file has to be written and cleaned up.



# File 'lib/s3encrypt.rb', line 134

# Decrypt an object in memory and parse its body as JSON.
#
# No file is written: local_filename is nil, so the decrypted body is read
# straight from the response. If getfile returned nil (fetch_file swallowed
# a ServiceError) the `.body` call raises NoMethodError.
#
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @param app_context [String] must match the context used at upload time
# @return [Object] result of JSON.parse on the decrypted body
def self.getfile_as_json(remote_filename, bucket, app_context)
  response = getfile(nil, remote_filename, bucket, app_context)
  JSON.parse(response.body.string)
end

.getfile_as_string(remote_filename, bucket, app_context) ⇒ Object

Helper method that bypasses writing a file to the system and returns a string. Intended for accessing the data programmatically, so that no file has to be written and cleaned up.



# File 'lib/s3encrypt.rb', line 143

# Decrypt an object in memory and return its body as a String.
#
# No file is written: local_filename is nil, so the decrypted body is read
# straight from the response. If getfile returned nil (fetch_file swallowed
# a ServiceError) the `.body` call raises NoMethodError.
#
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @param app_context [String] must match the context used at upload time
# @return [String] the decrypted body
def self.getfile_as_string(remote_filename, bucket, app_context)
  getfile(nil, remote_filename, bucket, app_context).body.string
end

.putfile(local_filename, remote_filename, bucket, app_context, master_key, sse = "none") ⇒ Object



# File 'lib/s3encrypt.rb', line 148

# Envelope-encrypt a local file into S3.
#
# A fresh data key is generated under master_key; the KMS-wrapped copy is
# stored as "<remote_filename>.key" (upload_key) and the plaintext copy is
# used only in memory to encrypt the object (upload_file). The sse value
# is applied to both objects.
#
# @param local_filename [String] path of the file to upload
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @param app_context [String] bound into the KMS encryption context
# @param master_key [String] KMS key id used to wrap the data key
# @param sse [String] server-side encryption header, or "none" to send
#   no such header (putfile_ssekms / putfile_sses3 set it for you)
# @return [Object, nil] the result of upload_file
def self.putfile(local_filename, remote_filename, bucket, app_context, master_key, sse="none")
  wrapped_key, data_key = fetch_new_key(app_context, master_key)
  #write_enc_key(newkeyblob,filename)
  transport = Aws::S3::Client.new
  upload_key(transport, wrapped_key, remote_filename, bucket, sse)
  upload_file(transport, data_key, local_filename, remote_filename, bucket, sse)
end

.putfile_ssekms(local_filename, remote_filename, bucket, app_context, master_key) ⇒ Object



# File 'lib/s3encrypt.rb', line 156

# putfile with server-side encryption set to "aws:kms" for both the data
# object and its ".key" object, on top of the client-side envelope
# encryption.
#
# @see putfile for the parameters
# @return [Object, nil] the result of putfile
def self.putfile_ssekms(local_filename, remote_filename, bucket, app_context, master_key)
  putfile(local_filename, remote_filename, bucket, app_context, master_key, "aws:kms")
end

.putfile_sses3(local_filename, remote_filename, bucket, app_context, master_key) ⇒ Object



# File 'lib/s3encrypt.rb', line 160

# putfile with server-side encryption set to "AES256" (SSE-S3) for both the
# data object and its ".key" object, on top of the client-side envelope
# encryption.
#
# @see putfile for the parameters
# @return [Object, nil] the result of putfile
def self.putfile_sses3(local_filename, remote_filename, bucket, app_context, master_key)
  putfile(local_filename, remote_filename, bucket, app_context, master_key, "AES256")
end

.upload_file(s3client, plaintext_key, local_filename, remote_filename, bucket, sse) ⇒ Object



# File 'lib/s3encrypt.rb', line 67

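# Client-side-encrypt a local file with plaintext_key and upload it.
#
# The file is opened in block form so the handle is closed as soon as the
# upload finishes or fails (the previous File.new was never closed). The
# optional server_side_encryption header is only added when sse is not
# "none"; both branches otherwise send the same request.
#
# Any Aws::S3::Errors::ServiceError is printed to stdout and swallowed, so
# on failure the method returns nil. Errors from opening the file
# (e.g. Errno::ENOENT) are not rescued and propagate to the caller.
#
# @param s3client [Aws::S3::Client] transport client
# @param plaintext_key [String] unwrapped data key (see fetch_new_key)
# @param local_filename [String] path of the file to upload
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @param sse [String] server-side encryption header value, or "none"
# @return [Object, nil] the PutObject response, or nil after a ServiceError
def self.upload_file(s3client,plaintext_key,local_filename,remote_filename,bucket,sse)
  File.open(local_filename) do |filebody|
    encrypting_client = Aws::S3::Encryption::Client.new(encryption_key: plaintext_key,
                                                        client: s3client)
    request = { bucket: bucket, key: remote_filename, body: filebody }
    request[:server_side_encryption] = sse unless sse == "none"
    encrypting_client.put_object(**request)
  end
rescue Aws::S3::Errors::ServiceError => e
  puts "upload failed: #{e}"
end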

.upload_key(s3client, newkeyblob, remote_filename, bucket, sse) ⇒ Object

This whole thing refused to work for hours until I base64-encoded the key on upload and decoded it on download; without that it raised an invalidciphertext exception.



# File 'lib/s3encrypt.rb', line 48

# Store the KMS-wrapped data key next to its object as "<remote_filename>.key".
#
# The blob is base64-encoded before upload (fetch_key reverses this). Only
# the wrapped form is written; the plaintext key never leaves memory, so
# reading the .key object alone does not reveal the data key without KMS
# access to the master key. The server_side_encryption header is added
# only when sse is not "none".
#
# @param s3client [Aws::S3::Client] transport client
# @param newkeyblob [String] ciphertext blob from fetch_new_key
# @param remote_filename [String] object key the data will be stored under
# @param bucket [String] bucket name
# @param sse [String] server-side encryption header value, or "none"
# @return [Object] the PutObject response
def self.upload_key(s3client,newkeyblob,remote_filename,bucket,sse)
  request = {
    body: Base64.encode64(newkeyblob),
    key: "#{remote_filename}.key",
    bucket: bucket
  }
  request[:server_side_encryption] = sse unless sse == "none"
  s3client.put_object(request)
end