HistoryPurge: Clearing 219 old commits

aws/kms-create-import-key.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [ $# -lt 2 ]; then
+  echo "This tool requires openssl, awscli, jq and base64."
+  echo "One can generate a key using openssl rand -out PlaintextKeyMaterial.bin 32"
+  echo "Usage: key-import.sh key-file key-alias"
+  exit 0
+fi
+
+keyAlias=$2
+
+aws kms create-key --origin EXTERNAL --description "Customer managed key" | jq -cr .KeyMetadata.KeyId > keyid.txt
+
+aws kms get-parameters-for-import --key-id $(cat keyid.txt) \
+                                    --wrapping-algorithm RSAES_OAEP_SHA_256 \
+                                    --wrapping-key-spec RSA_2048 > import.json
+
+cat import.json | jq -cr .PublicKey | base64 -d > PublicKey.bin
+cat import.json  | jq -cr .ImportToken | base64 -d > ImportToken.bin
+
+openssl pkeyutl -encrypt -in $1 -inkey PublicKey.bin -keyform DER \
+-pubin -out EncryptedKeyMaterial.bin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
+
+aws kms import-key-material --key-id $(cat keyid.txt) \
+                              --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
+                              --import-token fileb://ImportToken.bin \
+                              --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
+
+aws kms create-alias --alias-name "alias/$keyAlias" --target-key-id $(cat keyid.txt)
+aws kms describe-key --key-id $(cat keyid.txt)
+
+rm -f EncryptedKeyMaterial.bin ImportToken.bin PublicKey.bin import.json keyid.txt
+