feat(encryption): refactor encryption provider scripts, update KMS integration, and enhance key management
This commit is contained in:
@@ -0,0 +1,78 @@
|
||||
#!/bin/bash
|
||||
|
||||
#!/bin/bash
|
||||
if [ "$#" -lt 1 ]; then
|
||||
echo "Usage: $0 <keyserver>" "[socket]"
|
||||
echo "Example: $0 https://keyserver.example.com"
|
||||
echo "Example: $0 https://keyserver.example.com /var/run/kmsplugin/socket.sock"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
KEYSERVER=$1
|
||||
SOCKET=${2:-/var/run/kmsplugin/socket.sock}
|
||||
|
||||
# if keyserver is not reachable, exit
|
||||
if ! curl -s -I $KEYSERVER > /dev/null; then
|
||||
logger "start_encryption_provider: Key server not reachable, exiting."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
uuid=$(cat /proc/cpuinfo | grep 'model name' | head -1)
|
||||
uuid+=$(ip link show eth0 | grep ether | awk '{print $2}')
|
||||
uuid+=$(sudo dmidecode -s system-uuid)
|
||||
KEYID=$(echo -n "$uuid" | md5sum | awk '{print $1}')
|
||||
|
||||
logger "start_encryption_provider: Downloading key from key server,"
|
||||
LOCALKEYFILE=$(mktemp)
|
||||
curl -s -o $LOCALKEYFILE $KEYSERVER/$KEYID-encryption-service-credentials.json
|
||||
if [ $? -ne 0 ]; then
|
||||
logger "start_encryption_provider: Failed to download key from key server"
|
||||
rm $LOCALKEYFILE
|
||||
exit 1
|
||||
fi
|
||||
|
||||
logger "start_encryption_provider: Key downloaded successfully, extracting credentials"
|
||||
export AWS_ACCESS_KEY_ID=$(jq -r '.access_key' $LOCALKEYFILE)
|
||||
if [ $? -ne 0 ]; then
|
||||
logger "start_encryption_provider: Failed to extract AWS credentials from key file"
|
||||
rm $LOCALKEYFILE
|
||||
exit 1
|
||||
fi
|
||||
|
||||
export AWS_SECRET_ACCESS_KEY=$(jq -r '.secret_key' $LOCALKEYFILE)
|
||||
if [ $? -ne 0 ]; then
|
||||
logger "start_encryption_provider: Failed to extract AWS credentials from key file"
|
||||
rm $LOCALKEYFILE
|
||||
exit 1
|
||||
fi
|
||||
KEYARN=$(jq -r '.key_arn' $LOCALKEYFILE)
|
||||
if [ $? -ne 0 ]; then
|
||||
logger "start_encryption_provider: Failed to extract KMS key ARN from key file"
|
||||
rm $LOCALKEYFILE
|
||||
exit 1
|
||||
fi
|
||||
REGION=$(jq -r '.region' $LOCALKEYFILE)
|
||||
if [ $? -ne 0 ]; then
|
||||
logger "start_encryption_provider: Failed to extract region from key file"
|
||||
rm $LOCALKEYFILE
|
||||
exit 1
|
||||
fi
|
||||
|
||||
logger "start_encryption_provider: Removing key file"
|
||||
rm $LOCALKEYFILE
|
||||
|
||||
logger "start_encryption_provider: Starting encryption provider"
|
||||
mkdir {{ encryption_kms_socket_dir | dirname }} }} 2>/dev/null || true
|
||||
chmod 700 {{ encryption_kms_socket_dir | dirname }} 2>/dev/null
|
||||
|
||||
if [ ! -f /usr/local/bin/aws-encryption-provider ]; then
|
||||
logger "start_encryption_provider: Encryption provider not found, exiting."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
/usr/local/bin/aws-encryption-provider --key=$KEYARN --region=$REGION --listen=$SOCKET
|
||||
if [ $? -ne 0 ]; then
|
||||
logger "start_encryption_provider: Failed to start encryption provider"
|
||||
exit 1
|
||||
fi
|
||||
exit 0
|
||||
Reference in New Issue
Block a user