

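def retrieve_cmk(desc):
    """Retrieve an existing KMS CMK based on its description

    The first key whose description equals *desc* is returned. Descriptions
    are not unique in KMS, so a caller that needs one specific key should
    address it by ID or ARN instead of relying on this lookup.

    :param desc: Description of CMK specified when the CMK was created
    :return Tuple(KeyId, KeyArn) where:
        KeyId: CMK ID
        KeyArn: Amazon Resource Name of CMK
    :return Tuple(None, None) if a CMK with the specified description was
    not found or a KMS call failed (the error is logged)
    """

    # Retrieve a list of existing CMKs
    # If more than 100 keys exist, retrieve and process them in batches
    kms_client = boto3.client('kms')
    try:
        response = kms_client.list_keys()
    except ClientError as e:
        logging.error(e)
        return None, None

    done = False
    while not done:
        for cmk in response['Keys']:
            # Get info about the key, including its description
            try:
                key_info = kms_client.describe_key(KeyId=cmk['KeyArn'])
            except ClientError as e:
                logging.error(e)
                return None, None

            # Is this the key we're looking for?
            if key_info['KeyMetadata']['Description'] == desc:
                return cmk['KeyId'], cmk['KeyArn']

        # Are there more keys to retrieve?
        if not response['Truncated']:
            # No, the CMK was not found
            logging.debug('A CMK with the specified description was not found')
            done = True
        else:
            # Yes, retrieve another batch
            try:
                response = kms_client.list_keys(Marker=response['NextMarker'])
            except ClientError as e:
                logging.error(e)
                return None, None

    # All existing CMKs were checked and the desired key was not found
    return None, None


def encrypt_file(filename, cmk_id):
    """Encrypt a file using an AWS KMS CMK

    A data key is generated and associated with the CMK.
    The encrypted data key is saved with the encrypted file. This enables the
    file to be decrypted at any time in the future and by any program that
    has the credentials to decrypt the data key.
    The encrypted file is saved to <filename>.encrypted
    Limitation: The contents of filename must fit in memory.

    Output layout: NUM_BYTES_FOR_LEN bytes holding the big-endian length of
    the encrypted data key, then the encrypted data key, then the Fernet
    token for the file contents.

    :param filename: File to encrypt
    :param cmk_id: AWS KMS CMK ID or ARN
    :return: True if file was encrypted. Otherwise, False.
    """

    # Read the entire file into memory
    try:
        with open(filename, 'rb') as file:
            file_contents = file.read()
    except IOError as e:
        logging.error(e)
        return False

    # Generate a data key associated with the CMK
    # The data key is used to encrypt the file. Each file can use its own
    # data key or data keys can be shared among files.
    # Specify either the CMK ID or ARN
    data_key_encrypted, data_key_plaintext = create_data_key(cmk_id)
    if data_key_encrypted is None:
        return False
    logging.info('Created new AWS KMS data key')

    # Encrypt the file
    f = Fernet(data_key_plaintext)
    file_contents_encrypted = f.encrypt(file_contents)

    # Write the encrypted data key and encrypted file contents together
    try:
        with open(filename + '.encrypted', 'wb') as file_encrypted:
            # Length prefix first so decrypt_file() can find where the
            # encrypted data key ends and the file ciphertext begins.
            file_encrypted.write(len(data_key_encrypted).to_bytes(NUM_BYTES_FOR_LEN,
                                                                  byteorder='big'))
            file_encrypted.write(data_key_encrypted)
            file_encrypted.write(file_contents_encrypted)
    except IOError as e:
        logging.error(e)
        return False

    # For the highest security, the data_key_plaintext value should be wiped
    # from memory. Unfortunately, this is not possible in Python. However,
    # storing the value in a local variable makes it available for garbage
    # collection.
    return True


def decrypt_file(filename):
    """Decrypt a file encrypted by encrypt_file()

    The encrypted file is read from <filename>.encrypted
    The decrypted file is written to <filename>.decrypted

    :param filename: File to decrypt
    :return: True if file was decrypted. Otherwise, False. A malformed,
    truncated or tampered input is reported via logging and yields False
    rather than an exception.
    """
    # Fernet raises InvalidToken when the ciphertext fails authentication;
    # imported here because the module-level imports are outside this block.
    from cryptography.fernet import InvalidToken

    # Read the encrypted file into memory
    try:
        with open(filename + '.encrypted', 'rb') as file:
            file_contents = file.read()
    except IOError as e:
        logging.error(e)
        return False

    # The first NUM_BYTES_FOR_LEN bytes contain the integer length of the
    # encrypted data key.
    if len(file_contents) < NUM_BYTES_FOR_LEN:
        logging.error('%s.encrypted is too short to hold a data key length',
                      filename)
        return False
    data_key_encrypted_len = int.from_bytes(file_contents[:NUM_BYTES_FOR_LEN],
                                            byteorder='big')

    # Add NUM_BYTES_FOR_LEN to get index of end of encrypted data key/start
    # of encrypted data.
    data_key_end = NUM_BYTES_FOR_LEN + data_key_encrypted_len

    # The length prefix is not authenticated, so check it against the real
    # file size before slicing with it. A truncated or corrupted file would
    # otherwise produce an empty or short data key and a confusing KMS error.
    if data_key_encrypted_len == 0 or data_key_end > len(file_contents):
        logging.error('%s.encrypted has an invalid data key length field',
                      filename)
        return False
    data_key_encrypted = file_contents[NUM_BYTES_FOR_LEN:data_key_end]

    # Decrypt the data key before using it
    data_key_plaintext = decrypt_data_key(data_key_encrypted)
    if data_key_plaintext is None:
        return False

    # Decrypt the rest of the file
    f = Fernet(data_key_plaintext)
    try:
        file_contents_decrypted = f.decrypt(file_contents[data_key_end:])
    except InvalidToken:
        # Authentication failed: wrong key, or the ciphertext was modified.
        logging.error('%s.encrypted failed authentication and was not decrypted',
                      filename)
        return False

    # Write the decrypted file contents
    try:
        with open(filename + '.decrypted', 'wb') as file_decrypted:
            file_decrypted.write(file_contents_decrypted)
    except IOError as e:
        logging.error(e)
        return False

    # The same security issue described at the end of encrypt_file() exists
    # here, too, i.e., the wish to wipe the data_key_plaintext value from
    # memory.
    return True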
