code-dumps/aws/kms-external-km.sh

#!/bin/bash
# Script that generates symetric kms key, encrypt a self-generated key material, and import it to kms

KEYID=$(aws kms create-key --origin EXTERNAL \
--description "Customer managed key with externally generated key material" \
--tags TagKey=CreatedWith,TagValue=kms-external-km.sh | jq -cr .KeyMetadata.KeyId)

aws kms get-parameters-for-import \
    --key-id $KEYID \
    --wrapping-algorithm RSAES_OAEP_SHA_256 \
    --wrapping-key-spec RSA_4096 > import-parameters.json
jq -cr .ImportToken import-parameters.json | base64 -d > ImportToken.bin
jq -cr .PublicKey import-parameters.json | base64 -d > WrappingPublicKey.bin

# Generate key material. Replace this with material from HSM if needed
openssl rand -out PlaintextKeyMaterial.bin 32
openssl pkeyutl \
    -encrypt \
    -in PlaintextKeyMaterial.bin \
    -out EncryptedKeyMaterial.bin \
    -inkey WrappingPublicKey.bin \
    -keyform DER \
    -pubin \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256

aws kms import-key-material --key-id $KEYID \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    --import-token fileb://ImportToken.bin \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

aws kms describe-key --key-id $KEYID
rm -f WrappingPublicKey.bin ImportToken.bin PlaintextKeyMaterial.bin