Metadata-Version: 2.0
Name: kmstool
Version: 0.7.0
Summary: A tool for storing and retrieving encrypted data using the AWS Key Management Service
Home-page: http://github.com/slank/kmstool
Author: Matthew Wedgwood
Author-email: mwedgwood@gmail.com
License: MIT
Keywords: amazon,aws,kms,encryption,key,management
Platform: UNKNOWN
Classifier: Development Status :: 3 - Alpha
Classifier: Topic :: Utilities
Classifier: License :: OSI Approved :: MIT License
Requires-Dist: botocore (>=0.80.0)
Requires-Dist: pycrypto (>=2.6.1)

# kmstool

kmstool helps you encrypt data using the Amazon Key Management Service in AWS.

## Installing

```
pip install .
```

## Usage

kmstool has two modes: pack and unpack

### store

```
kmstool pack <key_id> <source>
```

This command takes a KMS key ID, requests a data key from KMS, and uses that
key to encrypt the file `<source>`. An encrypted copy of the data key is stored,
along with the encrypted files, in the current directory.

### retrieve

```
kmstool retrieve <source>
```

This command reads the contents of `<source>`, passes the encrypted data key to
KMS, and uses the resulting plaintext key to decrypt the original data. The
files are extracted to the current directory.

### Additional Options

Additional options are available: see `kmstool -h` for usage information.

Unless otherwise specified, AWS credentials are determined by first examining
the environment, then querying the AWS metadata service, and finally using
the "default" botocore profile.

```
--profile
    AWS (botocore) profile to use when contacting the KMS.
--region
    AWS region to connect to for KMS.
```

An optional encryption context may be passed when storing files. The same
context must be passed when retrieving them.

```
-c --encryption-context foo=bar,baz=qux
```

## Internals

The output of `kmstool pack` is a gzipped GNU tar file containing the
KMS-encrypted data key plus an encrypted tar.gz of the source data. The
encrypted data is stored as follows (numbers are byte offsets).

```
0-15 Initialization Vector
16-N Encrypted data:
     0-15 Original filesize
     16-N Original data
```
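The layout above, as an added example that is not kmstool's own code: `pack_blob` builds the IV-prefixed blob and `unpack_blob` parses it by the byte offsets listed, using the size header to strip padding and to reject a truncated or mismatched blob. Assumptions not stated on the page: AES-CBC, zero padding to the block size, the 16-byte size field encoded as a big-endian unsigned integer, and the `cryptography` package in place of the pycrypto dependency.

```python
import os
import struct
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size: also the IV length and the size-header length


def pack_blob(data_key: bytes, plaintext: bytes) -> bytes:
    """Return IV || AES-CBC(size_header || plaintext || zero padding)."""
    # Assumption: the 16-byte "Original filesize" field is an unsigned
    # big-endian integer (two 64-bit halves; the high half stays zero).
    header = struct.pack(">QQ", 0, len(plaintext))
    body = header + plaintext
    body += b"\x00" * (-len(body) % BLOCK)  # assumed zero padding to a block boundary
    iv = os.urandom(BLOCK)                  # bytes 0-15 of the blob
    enc = Cipher(algorithms.AES(data_key), modes.CBC(iv), default_backend()).encryptor()
    return iv + enc.update(body) + enc.finalize()


def unpack_blob(data_key: bytes, blob: bytes) -> bytes:
    """Parse the blob by the offsets in the Internals section and recover the data."""
    # At least IV + one plaintext block (the header), and whole blocks after the IV.
    if len(blob) < 2 * BLOCK or (len(blob) - BLOCK) % BLOCK:
        raise ValueError("blob too short or not block-aligned")
    iv, encrypted = blob[:BLOCK], blob[BLOCK:]  # outer bytes 0-15 and 16-N
    dec = Cipher(algorithms.AES(data_key), modes.CBC(iv), default_backend()).decryptor()
    body = dec.update(encrypted) + dec.finalize()
    high, size = struct.unpack(">QQ", body[:BLOCK])  # inner bytes 0-15
    # The size field must fit inside what was actually decrypted; this catches
    # truncation and a wrong key, but the layout carries no MAC, so it does not
    # detect deliberate modification of the ciphertext.
    if high or size > len(body) - BLOCK:
        raise ValueError("size header inconsistent with decrypted length")
    return body[BLOCK:BLOCK + size]  # inner bytes 16-N, padding dropped


if __name__ == "__main__":
    key = os.urandom(32)  # stands in for the plaintext data key returned by KMS
    assert unpack_blob(key, pack_blob(key, b"hello kms")) == b"hello kms"
```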


