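Encryption primitives for AWS
Detailed description of the murmuration Python project
murmuration
Encryption primitives for use with AWS KMS
AES + Galois Counter Mode encryption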
```python
from murmuration import gcm

key = 'this is my secret encryption key'
plaintext = 'the quick brown fox jumps over the lazy dog'
ciphertext = gcm.encrypt(plaintext, key, 'header')
decrypted = gcm.decrypt(ciphertext, key)
assert decrypted == plaintext
```
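Encryption using KMS (for AWS)
You can also use KMS as an encryption/decryption service. This does incur KMS costs and requires KMS to be set up. The `region` and `profile` parameters do not have to be specified. If these values are not specified, they are inferred in the order specified by boto3: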
- Passing credentials as parameters in the `boto.client()` method
- Passing credentials as parameters when creating a `Session` object
- Environment variables
- Shared credential file (`~/.aws/credentials`)
- AWS config file (`~/.aws/config`)
- Assume Role provider
- Boto2 config file (`/etc/boto.cfg` and `~/.boto`)
- Instance metadata service on an Amazon EC2 instance that has an IAM role configured.
```python
from murmuration import kms

plaintext = 'the quick brown fox jumps over the lazy dog'
key_alias = 'my kms key alias'
ciphertext = kms.encrypt(plaintext, key_alias, region='us-west-1', profile='company')
decrypted = kms.decrypt(ciphertext, region='us-west-1', profile='company')
assert decrypted == plaintext
```
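Encryption using KMS-wrapped keys (for AWS)
You can also encrypt using a wrapped KMS data key, which protects the underlying KMS key. Using this functionality does incur KMS costs and requires KMS to be set up. The `region` and `profile` parameters do not have to be specified. If these values are not specified, they are inferred in the order specified by boto3: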
- Passing credentials as parameters in the `boto.client()` method
- Passing credentials as parameters when creating a `Session` object
- Environment variables
- Shared credential file (`~/.aws/credentials`)
- AWS config file (`~/.aws/config`)
- Assume Role provider
- Boto2 config file (`/etc/boto.cfg` and `~/.boto`)
- Instance metadata service on an Amazon EC2 instance that has an IAM role configured.
```python
from murmuration import kms_wrapped

plaintext = 'the quick brown fox jumps over the lazy dog'
key_alias = 'my kms key alias'
ciphertext = kms_wrapped.encrypt(plaintext, key_alias, region='us-west-1', profile='company')
decrypted = kms_wrapped.decrypt(ciphertext, region='us-west-1', profile='company')
assert decrypted == plaintext
```
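The wrapped data key pattern described in this section, sketched as an added example; it is not murmuration's code and does not reproduce its ciphertext format. Assumptions: the `cryptography` package is installed, `LocalKeyService` is a hypothetical local stand-in for the KMS GenerateDataKey and Decrypt operations so the example runs offline, and the blob layout is constructed for illustration.

```python
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class LocalKeyService:
    """Hypothetical stand-in for KMS: the master key never leaves this object."""

    def __init__(self):
        self._master = AESGCM(AESGCM.generate_key(bit_length=256))

    def generate_data_key(self):
        # Return a fresh data key in the clear plus the same key wrapped
        # (encrypted) under the master key.
        data_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        return data_key, nonce + self._master.encrypt(nonce, data_key, None)

    def unwrap(self, wrapped):
        return self._master.decrypt(wrapped[:12], wrapped[12:], None)


def envelope_encrypt(service, plaintext, header=b""):
    data_key, wrapped = service.generate_data_key()
    nonce = os.urandom(12)
    # header is authenticated (associated data) but not encrypted.
    body = AESGCM(data_key).encrypt(nonce, plaintext, header)
    # Constructed layout: 2-byte wrapped-key length | wrapped key | nonce | ciphertext+tag
    return struct.pack(">H", len(wrapped)) + wrapped + nonce + body


def envelope_decrypt(service, blob, header=b""):
    (n,) = struct.unpack(">H", blob[:2])
    wrapped, nonce, body = blob[2:2 + n], blob[2 + n:14 + n], blob[14 + n:]
    data_key = service.unwrap(wrapped)  # the only call that needs the key service
    return AESGCM(data_key).decrypt(nonce, body, header)


def tamper_detected(service, blob, header=b""):
    """Flip one bit of the GCM tag and report whether decryption rejects it."""
    forged = blob[:-1] + bytes([blob[-1] ^ 1])
    try:
        envelope_decrypt(service, forged, header)
    except InvalidTag:
        return True
    return False
```

Only the short wrapped key is ever sent to the key service; the bulk data is encrypted locally under a per-message data key.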