"ssssh" is a small tool that can be used to encrypt and decrypt secrets, using the AWS "Key Management Service" (KMS).
Encrypt secrets like this:
ssssh encrypt KEY-ID < secrets.txt > secrets.encrypted
Later, you can decrypt them:
ssssh decrypt < secrets.encrypted > secrets.txt
KEY-ID can be the id or ARN of a KMS master key, or alias prefixed by "alias/". See document on Encrypt for more details.
Naturally, suitable AWS credentials must be provided (via environment variables, command-line options, or EC2 instance profile).
"ssssh" can only encrypt small amounts of data; up to 4 KB.
"ssssh exec" is a command shim that makes it easy to use secrets transported
via the (Unix) process environment. It decrypts any environment variables
prefixed by "KMS_ENCRYPTED_", and executes a specified command.
For example:
$ export KMS_ENCRYPTED_DB_PASSWORD=$(ssssh encrypt alias/app-secrets 'seasame')
$ ssssh exec -- env | grep PASSWORD
KMS_ENCRYPTED_DB_PASSWORD=CiAbQLOo2VC4QTV/Ng986wsDSJ0srAe6oZnLyzRT6pDFWRKOAQEBAgB4G0CzqNlQuEE1fzYPfOsLA0idLKwHuqGZy8s0U+qQxVkAAABlMGMGCSqGSIb3DQEHBqBWMFQCAQAwTwYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzfFR0tsHRq18JUhMcCARCAImvuMNYuHUut3BT7sZs9a31qWcmOBUBXYEsD+kx2GxUxBPE=
DB_PASSWORD=seasame
In this example, "ssssh exec":
$KMS_ENCRYPTED_DB_PASSWORD in the environment$DB_PASSWORDenv"ssssh exec" works well as an entrypoint for Docker images, e.g.
# Include "ssssh" to decode KMS_ENCRYPTED_STUFF
RUN gem install ssssh
ENTRYPOINT ["ssssh", "exec", "--"]
If you'd rather install a Python interpreter than a Ruby one, secrets may also be decrypted using the AWS CLI.
base64 -d < secrets.encrypted > /tmp/secrets.bin
aws kms decrypt --ciphertext-blob fileb:///tmp/secrets.bin --output text --query Plaintext | base64 -d > secrets.txt
If you'd rather not install an interpreter at all, there's a Go-lang port of "ssssh":
ssssh exec subcommand.$KMS_ENCRYPTION_CONTEXT.--context option).FAQs
Unknown package
We found that ssssh demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The Linux Foundation is warning open source developers that compliance with global sanctions is mandatory, highlighting legal risks and restrictions on contributions.
Security News
Maven Central now validates Sigstore signatures, making it easier for developers to verify the provenance of Java packages.
Security News
CISOs are racing to adopt AI for cybersecurity, but hurdles in budgets and governance may leave some falling behind in the fight against cyber threats.