Security¶
KMS¶
This module implements envelope encryption for data objects. Each object is encrypted with its own freshly generated data key; that data key is in turn encrypted (wrapped) by a master key that never leaves AWS KMS, and the wrapped key is stored alongside the ciphertext. To decrypt, the caller asks KMS to unwrap the data key, which KMS does only for principals permitted by the key's policy, and then decrypts the object locally. Ciphertext obtained without access to the master key is therefore useless on its own.
Usage looks something like this:

    from AwAws.Security.kms import KMS

    test_obj = {
        'this': 'is a test',
        'with': ['a', 'list', 'of', 'items'],
        'and': {
            'some': 'nested info'
        }
    }

    kms = KMS()
    kms.set_encryption_regions('us-east-2')
    kms.set_master_keys('arn:aws:kms:us-east-2:acct_num:key/key_id')

    cipher_obj = kms.encrypt_object(test_obj)
    decrypted_obj = kms.decrypt_object(cipher_obj)

    # Check it
    print('ENCRYPTED', cipher_obj)
    print('DECRYPTED', decrypted_obj)
    assert test_obj == decrypted_obj
    print('Yeah! Got it!')
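The envelope pattern the paragraph above describes, shown end to end as an added example that is not AwAws or AWS code. A FakeKMS class stands in for the two KMS calls the pattern needs (GenerateDataKey and Decrypt) so the block runs offline, and the symmetric cipher is a deliberately simple HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a stand-in for the AES-GCM a real library would use. The key id, account number and ARNs are made up; the names FakeKMS, encrypt_object and decrypt_object are this example's own, not the library's methods. Besides the round trip, it demonstrates the two failure modes a practitioner should expect: a client in another region cannot unwrap the data key, and a modified envelope is rejected before any plaintext is produced.

```python
"""Envelope encryption over data objects with a simulated, regional KMS.
Added example (not AwAws code); FakeKMS and the toy AEAD are stand-ins."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key, nonce, length):
    """Expand (key, nonce) into `length` bytes: HMAC-SHA256 over a 32-bit counter."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _subkeys(key):
    # Domain-separated encryption and MAC keys derived from a single data key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _seal(key, plaintext, aad=b""):
    """Toy AEAD: nonce || ciphertext || HMAC(aad || nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()


def _open(key, blob, aad=b""):
    """Check the tag in constant time before decrypting anything."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: envelope was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKMS:
    """Regional key store: a key created in one region is unknown to any other."""

    def __init__(self, region):
        self.region = region
        self._master_keys = {}  # key ARN -> master key material, never handed out

    def create_key(self, key_id):
        arn = f"arn:aws:kms:{self.region}:111122223333:key/{key_id}"  # made-up account
        self._master_keys[arn] = os.urandom(32)
        return arn

    def _master(self, key_arn):
        if key_arn not in self._master_keys:
            raise KeyError(f"{key_arn} is not a key in region {self.region}")
        return self._master_keys[key_arn]

    def generate_data_key(self, key_arn):
        """Like KMS GenerateDataKey: fresh data key plus its wrapped form."""
        data_key = os.urandom(32)
        return data_key, _seal(self._master(key_arn), data_key, key_arn.encode())

    def decrypt(self, key_arn, wrapped_data_key):
        """Like KMS Decrypt: unwrap a data key under the named master key."""
        return _open(self._master(key_arn), wrapped_data_key, key_arn.encode())


def encrypt_object(kms, key_arn, obj):
    """Serialize obj, encrypt it under a one-time data key, wrap that key with KMS.
    The plaintext data key is dropped on return; only the envelope survives."""
    data_key, wrapped = kms.generate_data_key(key_arn)
    plaintext = json.dumps(obj, sort_keys=True).encode()
    # Binding the key ARN as AAD stops an attacker re-pointing the envelope at another key.
    return {"key_arn": key_arn,
            "encrypted_data_key": wrapped.hex(),
            "ciphertext": _seal(data_key, plaintext, key_arn.encode()).hex()}


def decrypt_object(kms, envelope):
    """Unwrap the data key via KMS, then decrypt and deserialize locally."""
    key_arn = envelope["key_arn"]
    data_key = kms.decrypt(key_arn, bytes.fromhex(envelope["encrypted_data_key"]))
    return json.loads(_open(data_key, bytes.fromhex(envelope["ciphertext"]), key_arn.encode()))


def demo():
    """Round trip, cross-region rejection, tamper rejection; returns three bools."""
    kms_east = FakeKMS("us-east-2")
    arn = kms_east.create_key("1234abcd-12ab-34cd-56ef-1234567890ab")  # constructed
    obj = {"this": "is a test", "with": ["a", "list", "of", "items"], "and": {"some": "nested info"}}
    env = encrypt_object(kms_east, arn, obj)
    round_trip_ok = decrypt_object(kms_east, env) == obj

    try:  # a client in another region holds no master key for this ARN
        decrypt_object(FakeKMS("us-west-2"), env)
        cross_region_rejected = False
    except KeyError:
        cross_region_rejected = True

    tampered = dict(env)  # flip one ciphertext bit: the MAC check must fail first
    ct = bytearray(bytes.fromhex(env["ciphertext"]))
    ct[NONCE_LEN] ^= 0x01
    tampered["ciphertext"] = bytes(ct).hex()
    try:
        decrypt_object(kms_east, tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return round_trip_ok, cross_region_rejected, tamper_rejected
```

Two envelopes of the same object never share a ciphertext or a wrapped key, because each call draws a fresh data key and nonce; that is the property that lets one master key protect any number of objects without ever being used directly on data.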
class AwAws.Security.kms.KMS(region_name=None)¶
    Parameters
        region_name – the AWS region the KMS client connects to (see the note below)
Note
Two different kinds of region are involved here:
    the region the client connects to in order to run the code, given by region_name
    the region(s) in which encryption is performed, given by set_encryption_regions(); KMS keys are regional, so a key created in one region cannot be used through the KMS endpoint of another
Note
To encrypt in multiple regions, supply one master key per region: a key ARN embeds its region, so every region passed to set_encryption_regions() needs a matching key ARN in set_master_keys().
decrypt_it(cipher_obj)¶
    Decrypt a ciphertext produced by encrypt_it() and return the plaintext.

decrypt_object(cipher_object)¶
    Decrypt a cipher object produced by encrypt_object() and return the original Python object.

encrypt_it(text_to_encrypt)¶
    Encrypt a block of text.

encrypt_object(obj_to_encrypt)¶
    Encrypt a Python object; decrypt_object() is the inverse.

set_encryption_regions(regions=[])¶
    Set the region(s) whose master keys will be used; master encryption keys are locked to a specific region.

set_key_provider()¶
    Build the master key provider from the configured regions and master keys. Called by encrypt_it() and decrypt_it(); not normally called directly.

set_master_keys(master_keys=[])¶
    Set the list of master key ARNs to use.