From 58094214fcc04bb484a7dcc79364ca358eac209f Mon Sep 17 00:00:00 2001
From: Ram Nadella
Date: Sat, 13 Feb 2021 12:07:45 -0500
Subject: [PATCH] Look for the data encryption key in an env var before reading from file

AWS Keystore uses KMS for the key encryption key and data encryption key is local to the code / runtime. This change adds the option to provide the data encryption using environment varibles (in addition to files) to allow for use cases where you don't want to put the keys on the filesystem
---
 lib/symmetric_encryption/keystore/aws.rb | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/lib/symmetric_encryption/keystore/aws.rb b/lib/symmetric_encryption/keystore/aws.rb
index 09de2d4..06defff 100644
--- a/lib/symmetric_encryption/keystore/aws.rb
+++ b/lib/symmetric_encryption/keystore/aws.rb
@@ -125,12 +125,16 @@ def initialize(key_files:, master_key_alias:, region: nil, key_encrypting_key: n
       # Reads the data key environment variable, if present, otherwise a file.
       # Decrypts the key using the master key for this region.
       def read
-        key_file = key_files.find { |i| i[:region] == region }
-        raise(SymmetricEncryption::ConfigError, "region: #{region} not available in the supplied key_files") unless key_file
-
-        file_name = key_file[:file_name]
+        key_env_var = "#{app_name}_#{environment}_#{region}_v#{version}".upcase.tr("-", "_")
+        if ENV[key_env_var].present?
+          encrypted_data_key = decode64(ENV[key_env_var])
+        else
+          key_file = key_files.find { |i| i[:region] == region }
+          raise(SymmetricEncryption::ConfigError, "region: #{region} not available in the supplied key_files") unless key_file
+          file_name = key_file[:file_name]
+          encrypted_data_key = read_file_and_decode(file_name)
+        end
-
-        encrypted_data_key = read_file_and_decode(file_name)
         aws(region).decrypt(encrypted_data_key)
       end
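Review bot: When neither the environment variable nor a matching key file is present, the ConfigError raised in the new else branch still reports only that the region is missing from key_files, so an operator who exported the key under a slightly different name (the lookup name is derived by upcasing and replacing dashes) gets no hint that an env var was consulted at all. Naming the derived variable keeps the failure actionable: `raise(SymmetricEncryption::ConfigError, "region: #{region} not available in the supplied key_files and env var #{key_env_var} is not set") unless key_file`. The variable is also looked up twice; binding it once, `if (encoded_key = ENV[key_env_var]).present?` then `decode64(encoded_key)`, reads more clearly and avoids two ENV reads. `present?` is an ActiveSupport core extension, so if this file does not already load it the check should be `encoded_key && !encoded_key.empty?`. A malformed value in the variable will presumably make decode64 raise something other than ConfigError, which is worth confirming if callers rescue that type.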