UPD: Replacing kms-create-import-key.sh

aws/kms-create-import-key.sh

@@ -1,33 +0,0 @@
-#!/bin/bash
-
-if [ $# -lt 2 ]; then
-  echo "This tool requires openssl, awscli, jq and base64."
-  echo "One can generate a key using openssl rand -out PlaintextKeyMaterial.bin 32"
-  echo "Usage: key-import.sh key-file key-alias"
-  exit 0
-fi
-
-keyAlias=$2
-
-aws kms create-key --origin EXTERNAL --description "Customer managed key" | jq -cr .KeyMetadata.KeyId > keyid.txt
-
-aws kms get-parameters-for-import --key-id $(cat keyid.txt) \
-                                    --wrapping-algorithm RSAES_OAEP_SHA_256 \
-                                    --wrapping-key-spec RSA_2048 > import.json
-
-cat import.json | jq -cr .PublicKey | base64 -d > PublicKey.bin
-cat import.json  | jq -cr .ImportToken | base64 -d > ImportToken.bin
-
-openssl pkeyutl -encrypt -in $1 -inkey PublicKey.bin -keyform DER \
--pubin -out EncryptedKeyMaterial.bin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
-
-aws kms import-key-material --key-id $(cat keyid.txt) \
-                              --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
-                              --import-token fileb://ImportToken.bin \
-                              --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
-
-aws kms create-alias --alias-name "alias/$keyAlias" --target-key-id $(cat keyid.txt)
-aws kms describe-key --key-id $(cat keyid.txt)
-
-rm -f EncryptedKeyMaterial.bin ImportToken.bin PublicKey.bin import.json keyid.txt
-

aws/kms-external-km.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# Script that generates symetric kms key, encrypt a self-generated key material, and import it to kms
+
+KEYID=$(aws kms create-key --origin EXTERNAL \
+--description "Customer managed key with externally generated key material" \
+--tags TagKey=CreatedWith,TagValue=kms-external-km.sh | jq -cr .KeyMetadata.KeyId)
+
+aws kms get-parameters-for-import \
+    --key-id $KEYID \
+    --wrapping-algorithm RSAES_OAEP_SHA_256 \
+    --wrapping-key-spec RSA_4096 > import-parameters.json
+jq -cr .ImportToken import-parameters.json | base64 -d > ImportToken.bin
+jq -cr .PublicKey import-parameters.json | base64 -d > WrappingPublicKey.bin
+
+# Generate key material. Replace this with material from HSM if needed
+openssl rand -out PlaintextKeyMaterial.bin 32
+openssl pkeyutl \
+    -encrypt \
+    -in PlaintextKeyMaterial.bin \
+    -out EncryptedKeyMaterial.bin \
+    -inkey WrappingPublicKey.bin \
+    -keyform DER \
+    -pubin \
+    -pkeyopt rsa_padding_mode:oaep \
+    -pkeyopt rsa_oaep_md:sha256 \
+    -pkeyopt rsa_mgf1_md:sha256
+
+aws kms import-key-material --key-id $KEYID \
+    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
+    --import-token fileb://ImportToken.bin \
+    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
+
+aws kms describe-key --key-id $KEYID
+rm -f WrappingPublicKey.bin ImportToken.bin PlaintextKeyMaterial.bin