module S3encrypt

Constants

VERSION

Public Class Methods

decrypt_key(keyvalue, app_context)
# File lib/s3encrypt.rb, line 89
# Unwraps a KMS-encrypted data key.
#
# @param keyvalue [String] the ciphertext blob KMS produced in fetch_new_key
#   (already base64-decoded by fetch_key)
# @param app_context [String] value bound to the "Application" encryption
#   context entry; it has to be the same value fetch_new_key used, since the
#   identical context hash is sent on both sides
# @return [String] the plaintext data key
# NOTE(review): no key_id is pinned here, so decryption is accepted for any
# key the caller's credentials allow; consider passing the expected key id
# once callers can supply it.
def self.decrypt_key(keyvalue,app_context)
  context = { "Application" => app_context }
  response = Aws::KMS::Client.new.decrypt(ciphertext_blob: keyvalue,
                                          encryption_context: context)
  response.plaintext
end
fetch_file(s3client, plaintext_key, local_filename, remote_filename, bucket)
# File lib/s3encrypt.rb, line 111
# Downloads one object and decrypts it client-side with the given data key.
#
# @param s3client [Aws::S3::Client] underlying client wrapped by the
#   encryption client
# @param plaintext_key [String] unwrapped data key (see decrypt_key)
# @param local_filename [String, nil] passed as response_target; when nil
#   (getfile_as_string / getfile_as_json do this) nothing is written to disk
#   and the body is kept in memory — presumably a StringIO, confirm against
#   the SDK version in use
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @return [Object, nil] the get_object response, or nil after an
#   Aws::S3::Errors::ServiceError — the error is only printed, not re-raised,
#   so callers must check for nil
# NOTE(review): Aws::S3::Encryption::Client is the SDK's original
# client-side encryption client; the SDK also ships EncryptionV2::Client —
# confirm which format existing objects were written in before changing it.
def self.fetch_file(s3client,plaintext_key,local_filename,remote_filename,bucket)
  enc_client = Aws::S3::Encryption::Client.new(encryption_key: plaintext_key,
                                               client: s3client)
  enc_client.get_object(bucket: bucket,
                        key: remote_filename,
                        response_target: local_filename)
rescue Aws::S3::Errors::ServiceError => e
  puts "retrieval failed: #{e}"
end
fetch_key(s3client, filename, bucket)
# File lib/s3encrypt.rb, line 101
# Fetches the wrapped data key that putfile stored alongside an object.
#
# The key object is named "<filename>.key" and holds the base64 text written
# by upload_key, so it is decoded here before being handed to decrypt_key.
#
# @param s3client [#get_object] S3 client
# @param filename [String] key of the data object (not of the ".key" object)
# @param bucket [String] bucket name
# @return [String] the raw (base64-decoded) ciphertext blob
def self.fetch_key(s3client,filename,bucket)
  key_object = s3client.get_object(key: filename + ".key", bucket: bucket)
  Base64.decode64(key_object.body.read)
end
fetch_new_key(app_context, master_key)

Put your KMS master key id under key_id

# File lib/s3encrypt.rb, line 30
# Asks KMS for a fresh AES-256 data key bound to the application context.
#
# @param app_context [String] value stored under "Application" in the
#   encryption context; decrypt_key must present the same value
# @param master_key [String] KMS key id sent as key_id
# @return [Array(String, String)] the wrapped key (ciphertext_blob) followed
#   by the plaintext key; the plaintext is used by upload_file and never
#   written to S3
def self.fetch_new_key(app_context, master_key)
  data_key = Aws::KMS::Client.new.generate_data_key(
    key_id: master_key,
    key_spec: "AES_256",
    encryption_context: { "Application" => app_context }
  )
  [data_key.ciphertext_blob, data_key.plaintext]
end
getfile(local_filename, remote_filename, bucket, app_context)
# File lib/s3encrypt.rb, line 123
# Downloads an object written by putfile: fetches its wrapped key, unwraps it
# with KMS, then retrieves and decrypts the object.
#
# @param local_filename [String, nil] where to write the plaintext; nil keeps
#   it in memory (see fetch_file)
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @param app_context [String] encryption-context value used at upload time
# @return whatever fetch_file returns (nil after a printed service error)
def self.getfile(local_filename, remote_filename, bucket, app_context)
  client = Aws::S3::Client.new
  wrapped_key = fetch_key(client, remote_filename, bucket)
  data_key = decrypt_key(wrapped_key, app_context)
  fetch_file(client, data_key, local_filename, remote_filename, bucket)
end
getfile_as_json(remote_filename, bucket, app_context)

Helper method that bypasses writing a file to the system and returns a JSON object. Intended for accessing the data programmatically, so that a file does not have to be written and cleaned up.

# File lib/s3encrypt.rb, line 134
# Downloads an object into memory and parses it as JSON.
#
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @param app_context [String] encryption-context value used at upload time
# @return [Object] the parsed JSON
# @raise [JSON::ParserError] when the decrypted body is not valid JSON
# @raise [NoMethodError] when getfile returned nil because fetch_file
#   swallowed a service error (it only prints the error)
def self.getfile_as_json(remote_filename, bucket, app_context)
  # nil response_target keeps the body in memory instead of on disk
  response = getfile(nil, remote_filename, bucket, app_context)
  JSON.parse(response.body.string)
end
getfile_as_string(remote_filename, bucket, app_context)

Helper method that bypasses writing a file to the system and returns a string. Intended for accessing the data programmatically, so that a file does not have to be written and cleaned up.

# File lib/s3encrypt.rb, line 143
# Downloads an object into memory and returns the decrypted body as a String.
#
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @param app_context [String] encryption-context value used at upload time
# @return [String] the decrypted body
# @raise [NoMethodError] when getfile returned nil because fetch_file
#   swallowed a service error (it only prints the error)
def self.getfile_as_string(remote_filename, bucket, app_context)
  # nil response_target keeps the body in memory instead of on disk
  response = getfile(nil, remote_filename, bucket, app_context)
  response.body.string
end
putfile(local_filename, remote_filename, bucket, app_context, master_key, sse="none")
# File lib/s3encrypt.rb, line 148
# Envelope-encrypts a local file and uploads it together with its wrapped key.
#
# A fresh data key is generated per call; the wrapped copy is stored as
# "<remote_filename>.key" and the plaintext copy is used only in-process to
# encrypt the object.
#
# @param local_filename [String] path of the file to upload
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @param app_context [String] encryption-context value; must be presented
#   again by getfile
# @param master_key [String] KMS key id used to wrap the data key
# @param sse [String] "none" (default) for no server-side encryption, or the
#   value to send as server_side_encryption on both uploads
# @return the upload_file result
def self.putfile(local_filename, remote_filename, bucket, app_context, master_key, sse="none")
  wrapped_key, plain_key = fetch_new_key(app_context, master_key)
  #write_enc_key(newkeyblob,filename)
  client = Aws::S3::Client.new
  upload_key(client, wrapped_key, remote_filename, bucket, sse)
  upload_file(client, plain_key, local_filename, remote_filename, bucket, sse)
end
putfile_ssekms(local_filename, remote_filename, bucket, app_context, master_key)
# File lib/s3encrypt.rb, line 156
# putfile with SSE-KMS ("aws:kms") requested on top of the client-side
# encryption; parameters as for putfile.
def self.putfile_ssekms(local_filename, remote_filename, bucket, app_context, master_key)
  sse_mode = "aws:kms"
  putfile(local_filename, remote_filename, bucket, app_context, master_key, sse_mode)
end
putfile_sses3(local_filename, remote_filename, bucket, app_context, master_key)
# File lib/s3encrypt.rb, line 160
# putfile with SSE-S3 ("AES256") requested on top of the client-side
# encryption; parameters as for putfile.
def self.putfile_sses3(local_filename, remote_filename, bucket, app_context, master_key)
  sse_mode = "AES256"
  putfile(local_filename, remote_filename, bucket, app_context, master_key, sse_mode)
end
upload_file(s3client, plaintext_key, local_filename, remote_filename, bucket, sse)
# File lib/s3encrypt.rb, line 67
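# Encrypts a local file with the data key and uploads it.
#
# @param s3client [Aws::S3::Client] underlying client wrapped by the
#   encryption client
# @param plaintext_key [String] unwrapped data key from fetch_new_key
# @param local_filename [String] path of the file to upload
# @param remote_filename [String] object key
# @param bucket [String] bucket name
# @param sse [String] "none" to omit server_side_encryption, otherwise the
#   value sent as server_side_encryption (putfile_sses3 passes "AES256",
#   putfile_ssekms passes "aws:kms")
# @return [Object, nil] the put_object response, or nil after an
#   Aws::S3::Errors::ServiceError — the error is printed, not re-raised
# @raise [SystemCallError] when local_filename cannot be opened; only the
#   S3 service error is rescued here
# NOTE(review): Aws::S3::Encryption::Client is the SDK's original
# client-side encryption client; the SDK also ships EncryptionV2::Client —
# confirm which format existing objects were written in before changing it.
def self.upload_file(s3client,plaintext_key,local_filename,remote_filename,bucket,sse)
  params = { bucket: bucket, key: remote_filename }
  # "none" is the sentinel putfile uses for "send no server_side_encryption"
  params[:server_side_encryption] = sse unless sse == "none"
  # Block form closes the handle once the request has consumed it; the
  # previous File.new left it open until garbage collection.
  File.open(local_filename) do |filebody|
    enc_client = Aws::S3::Encryption::Client.new(encryption_key: plaintext_key,
                                                 client: s3client)
    enc_client.put_object(**params, body: filebody)
  end
rescue Aws::S3::Errors::ServiceError => e
  puts "upload failed: #{e}"
end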
upload_key(s3client, newkeyblob, remote_filename, bucket, sse)

This whole thing refused to work for hours until I base64-encoded the key on upload and decoded it on download — otherwise it gave an InvalidCiphertext exception.

# File lib/s3encrypt.rb, line 48
# Stores the KMS-wrapped data key in S3 next to the object it protects.
#
# The blob is base64-encoded before upload; the author found that storing
# the raw bytes led to an InvalidCiphertext error on decrypt. fetch_key
# reverses the encoding.
#
# @param s3client [#put_object] S3 client
# @param newkeyblob [String] ciphertext blob from fetch_new_key
# @param remote_filename [String] key of the data object; the wrapped key is
#   stored as "<remote_filename>.key"
# @param bucket [String] bucket name
# @param sse [String] "none" to omit server_side_encryption, otherwise the
#   value to send
# @return the put_object response
def self.upload_key(s3client,newkeyblob,remote_filename,bucket,sse)
  params = {
    body: Base64.encode64(newkeyblob),
    key: remote_filename + ".key",
    bucket: bucket
  }
  params[:server_side_encryption] = sse unless sse == "none"
  s3client.put_object(params)
end