from moto.kms.models import KmsBackend, kms_backends
import json
import pytest
import boto3
import base64
from boto.exception import JSONResponseError
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import (
Encoding, PrivateFormat, BestAvailableEncryption)
def generate_encrypted_private_key(size, password):
    """Return a passphrase-protected PEM encoding of a freshly generated RSA key.

    Args:
        size: RSA modulus size in bits (the test at the bottom of this file passes 4096).
        password: passphrase handed to BestAvailableEncryption.

    Returns:
        Whatever ``pem`` is bound to; the statement that assigns ``pem`` is missing
        from this paste, so the return value cannot be confirmed here.

    NOTE(review): several lines of this function are missing from the paste; only
    the fragments below survive.
    """
    # NOTE(review): ``backend`` is never bound in the visible file (only
    # ``default_backend`` is imported). The public exponent 65535 looks like a typo
    # for the conventional 65537 (F4); recent cryptography releases reject exponents
    # other than 3 and 65537 — confirm against the original.
    private_key = backend.generate_rsa_private_key(65535, size)
    # NOTE(review): the call these keyword arguments belong to (presumably
    # private_key.private_bytes(...)) is missing from this paste, as is the closing
    # of BestAvailableEncryption(password).
    encoding=Encoding.PEM,
    encryption_algorithm=BestAvailableEncryption(
    )
    return pem
def _parse_key_id(key_id):
    """Extract the bare key id from a KMS key id or ARN and validate its shape.

    Args:
        key_id: a KMS key id, or an ARN whose last ``:``-separated field is the id.

    Raises:
        JSONResponseError: 404 ``NotFoundException`` when the id does not match the
        UUID pattern.

    NOTE(review): the line(s) that match ``pattern`` against ``id_str`` and any
    successful return are missing from this paste; ``re`` is also not imported in
    the visible header.
    """
    # Only the last colon-separated component is checked, so a bare id and a
    # full ARN are treated alike.
    id_str = key_id.split(':')[-1]
    # Uppercase-only hex UUID. NOTE(review): KMS hands out lowercase key ids, so the
    # missing match presumably upper-cases id_str or uses re.IGNORECASE — confirm.
    pattern = r'^[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}$'
    # Error body mirrors the NotFoundException shape the real service returns.
    raise JSONResponseError(404, 'Not Found', body={'message': ' Invalid keyId', '__type': 'NotFoundException'})
def _assert_default_policy(policy_name):
    """Reject any policy name that is not the default one with a 404.

    Only the failure branch survives in this paste: the comparison of
    ``policy_name`` against the default name and the ``'message'`` entry of the
    error body are missing.
    """
    raise JSONResponseError(404, 'Not Found', body={
        '__type': 'NotFoundException'})
class ZeKmsResponse(KmsResponse):
    """Test double for moto's KmsResponse routing Encrypt/Decrypt/GenerateDataKey to ZeKms.

    NOTE(review): ``KmsResponse`` and ``os`` are not imported in the visible header,
    and several lines of every method are missing from this paste (the
    ``key_id = self.parameters.get('KeyId')`` lookups and the ``except`` clauses).
    The methods use Python 2 print statements.
    """

    def encrypt(self):
        """Handle Encrypt: base64-decode Plaintext, encrypt via the backend, return JSON."""
        plaintext = base64.b64decode(self.parameters.get('Plaintext'))
        encryption_context = self.parameters.get('EncryptionContext')
        # The validation result is discarded: the raw key_id, not parsed_key_id, is
        # what gets passed to the backend. key_id itself is bound on a missing line.
        parsed_key_id = _parse_key_id(key_id)
        # Leftover debug output; writes the key id to stdout on every call.
        print key_id
        ciphertext_key_id, ciphertext = self.kms_backend.encrypt(key_id, plaintext, encryption_context)
        # b64encode returns str on Python 2; on Python 3 it returns bytes, which
        # json.dumps cannot serialize.
        return json.dumps({'CiphertextBlob': base64.b64encode(ciphertext), 'KeyId': ciphertext_key_id})

    def decrypt(self):
        """Handle Decrypt: look the ciphertext up in the backend, return key id and plaintext."""
        ciphertext = base64.b64decode(self.parameters.get('CiphertextBlob'))
        encryption_context = self.parameters.get('EncryptionContext')
        try:
            key_id, plaintext = self.kms_backend.decrypt(ciphertext, encryption_context)
        # NOTE(review): the ``except`` line is missing from this paste. ZeKms.decrypt
        # raises KeyError for an unknown (ciphertext, context) pair, so this 400
        # presumably translates that; a context mismatch and a corrupted blob are
        # deliberately indistinguishable to the caller.
            raise JSONResponseError(400, 'Bad Request', body={
                'message': 'The specified ciphertext has been corrupted or is otherwise invalid.',
        return json.dumps({'KeyId': key_id, 'Plaintext': base64.b64encode(plaintext)})

    def generate_data_key(self):
        """Handle GenerateDataKey: return a fresh data key and its ciphertext, both base64."""
        key_spec = self.parameters.get('KeySpec')
        number_of_bytes = self.parameters.get('NumberOfBytes')
        encryption_context = self.parameters.get('EncryptionContext')
        # Dead assignment: overwritten by the backend's plaintext below.
        plaintext = os.urandom(64)
        # Validation result discarded, as in encrypt(); key_id is bound on a missing line.
        parsed_key_id = _parse_key_id(key_id)
        try:
            plaintext, __, ciphertext = self.kms_backend.generate_data_key(
                key_id=key_id, key_spec=key_spec, number_of_bytes=number_of_bytes,
            )
        # NOTE(review): encryption_context is read above but is not forwarded in the
        # surviving lines of this call, which would store the data key without its
        # context; confirm whether the keyword is on a missing line. The ``except``
        # clause is missing too.
        # Leftover debug output.
        print 'here'
        return json.dumps({'CiphertextBlob': base64.b64encode(ciphertext),
                           'Plaintext': base64.b64encode(plaintext)})
super(ZeKms, self).__init__()
def encrypt(self, key_id, plaintext, encryption_context):
    """Fake Encrypt: record (ciphertext, context) -> (key_id, plaintext) and return the pair.

    The "ciphertext" is an opaque random token rather than a real envelope; the
    line that binds ``ciphertext`` is missing from this paste.
    NOTE(review): the enclosing ZeKms class header and its __init__ (which must
    create ``self.encryption_map``) are not visible; ``os`` is not imported in the
    visible header.
    """
    # NOTE(review): as written this overwrites the caller's plaintext with 512
    # random bytes, so decrypt() would hand back random data instead of what was
    # encrypted — presumably this line was meant to produce ``ciphertext``; confirm.
    plaintext = os.urandom(512)
    if encryption_context:
        # A dict is unhashable; a sorted tuple of items gives a canonical, hashable key.
        immutable_encryption_context = tuple(sorted(encryption_context.items()))
    # NOTE(review): the ``else:`` introducing this assignment is missing from the paste.
        immutable_encryption_context = None
    # Keyed on ciphertext AND context, so decrypting under a different context misses.
    self.encryption_map[(ciphertext, immutable_encryption_context)] = (key_id, plaintext)
    return key_id, ciphertext
def decrypt(self, ciphertext, encryption_context):
    """Fake Decrypt: return the (key_id, plaintext) that encrypt() stored for this ciphertext.

    Raises KeyError when the (ciphertext, context) pair was never produced by
    encrypt(); the response layer presumably maps that to a 400.
    NOTE(review): the enclosing ZeKms class header is not visible.
    """
    # Same canonical form as encrypt(). The ``if encryption_context:`` guard and its
    # ``else:`` are missing from this paste; as written, a None context would raise
    # AttributeError on ``.items()`` here.
    immutable_encryption_context = tuple(sorted(encryption_context.items()))
    immutable_encryption_context = None
    return self.encryption_map[(ciphertext, immutable_encryption_context)]
def generate_data_key(self, key_id, key_spec=None, number_of_bytes=None, encryption_context=None):
    """Fake GenerateDataKey: pick a plaintext key by KeySpec and wrap it with encrypt().

    Returns:
        (plaintext, key_id, ciphertext).

    Raises:
        NotImplementedError: presumably for the NumberOfBytes form (see note below).
        JSONResponseError: 400 for a KeySpec outside [AES_256, AES_128].

    NOTE(review): the enclosing ZeKms class header is not visible; ``os`` is not
    imported in the visible header.
    """
    # NOTE(review): the condition guarding this raise (presumably
    # ``if number_of_bytes:``) is missing; as written everything below is unreachable.
    raise NotImplementedError
    # NOTE(review): syntax error as pasted — ``==`` is missing between key_spec and the literal.
    if key_spec 'AES_128':
        plaintext = os.urandom(16)
    # NOTE(review): the ``elif key_spec == 'AES_256':`` branch and its os.urandom(32)
    # are missing; only its leftover debug print survives.
    print 'AES_256'
    else:
        # Mirrors the service's validation-error wording. The nested single quotes
        # inside the literal are broken as pasted.
        raise JSONResponseError(400, 'Bad Request', body={
            'message': 'Value '{}' at 'keySpec' failed to satisfy constraint: Member '
            '[AES_256, AES_128]'.format(key_spec),
    # Route through encrypt() so the data key is retrievable via decrypt() under the
    # same encryption context.
    __, ciphertext = self.encrypt(key_id=key_id, plaintext=plaintext, encryption_context=encryption_context)
    return plaintext, key_id, ciphertext
class TestCredstashHelper:
    """Tests for CredstashHelper against moto-mocked KMS and DynamoDB.

    NOTE(review): the fixture/test ``def`` lines, the ``kms``/``credstash``/
    ``mock_dynamo``/``mocker`` bindings, and the moto/credstash/CredstashHelper
    imports are all missing from this paste; only body statements survive.
    """
    # Swap moto's KMS response/backend classes for the fakes above and register a
    # ZeKms instance for us-east-1 so boto3 calls in that region reach it.
    # NOTE(review): mock.patch calls ``new_callable`` with no arguments to build the
    # replacement, so these two patches install an *instance* of each fake rather
    # than the class; ``new=ZeKmsResponse`` / ``new=ZeKms`` was probably intended — confirm.
    mocker.patch('moto.kms.responses.KmsResponse', new_callable=ZeKmsResponse)
    mocker.patch('moto.kms.models.KmsBackend', new_callable=ZeKms)
    mocker.patch.dict(kms_backends, {'us-east-1': ZeKms()})
    # NOTE(review): mock_kms is created but only mock_dynamo.start() survives here;
    # confirm mock_kms.start() and the matching stop() calls are on missing lines,
    # otherwise KMS traffic is not intercepted.
    mock_kms = moto.mock_kms()
    mock_dynamo.start()
    session = boto3.session.Session(region_name='us-east-1')
    # Key plus 'alias/credstash' alias in the region, which is what credstash looks up.
    k = kms.create_key(Tags=[{'TagKey': 'Name', 'TagValue': 'credstash'}])
    alias = kms.create_alias(AliasName='alias/credstash', TargetKeyId=k['KeyMetadata']['KeyId'])
    # Secret value is a 4096-bit RSA key encrypted with a throwaway passphrase; the
    # name/table arguments to putSecret are on missing lines.
    credstash.putSecret(
        b'%s' % (generate_encrypted_private_key(4096, 'pe6o')),
    )
    cred = CredstashHelper(region='us-east-1')
    # Reaches into the name-mangled private method; brittle, but avoids exposing a
    # probe on the public interface just for the test.
    assert cred._CredstashHelper__has_secret('some_key')
»Resource: awskmsalias Provides an alias for a KMS customer master key. AWS Console enforces 1-to-1 mapping between aliases & keys, but API (hence Terraform too) allows you to create as many aliases as the account limits allow you. » Example Usage. Aws -region ap-southeast-2 -profile yourawsprofile kms create-key -query 'KeyMetadata.KeyId' Note: You will also need to assign permission to users other than the root account to access and use the key see How to Help Protect Sensitive Data with AWS KMS. Assign the credstash alias to the key using the key id printed when you created the. For help with choosing a key spec, see the AWS KMS Developer Guide. Policy - (Optional) A valid policy JSON document. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. Nov 11, 2018 From user perspective, you don’t need to deal with neither DynamoDB nor KMS. All you do is store and read your secrets using key/value and context as arguments to the credstash. So let’s go straight to terraform code which we will use to provision DynamoDB and KMS key, the code is in my credstash terraform repo, main.tf. Access to these keys is controlled using IAM. Add and configure a KMS key in IAM with the alias credstash, ensure this is created in the correct region as the user interface for this is quite confusing. Run unicreds setup to create the dynamodb table in your region, ensure you have your credentials configured using the awscli. Oct 05, 2017 All your KMS VM’s on an encrypted vSAN that gets its keys from those KMS systems is not good. The same is true for vCenter and PSC’s in a VM Encryption scenario. You shouldn’t encrypt them using VM Encryption because they would then need to boot up to get their encryption key to boot up.
Applies to: Windows Server 2019, Windows Server Semi-Annual Channel, Windows Server 2016, Windows 10
Computers that are running volume licensed editions of Windows Server, Windows 10, Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 are, by default, KMS clients with no additional configuration needed.
In the tables that follow, 'LTSC' stands for 'Long-Term Servicing Channel,' while 'LTSB' refers to the 'Long-Term Servicing Branch.'
If you are converting a computer from a KMS host, MAK, or retail edition of Windows to a KMS client, install the applicable setup key (GVLK) from the following tables. To install a client setup key, open an administrative command prompt on the client, type slmgr /ipk <setup key> and then press Enter.
If you are running Windows Server 2008 R2 or Windows 7, be on the lookout for an update to support using those as KMS hosts for Windows 10 clients.
See the Windows lifecycle fact sheet for information about supported versions and end of service dates.
Sep 06, 2018 Generation of encryption key to save to the database failed. Error=System.Data.SqlClient.SqlException (0x80131904): Execution Timeout Expired. The timeout period elapsed prior to completion of the operation or the server is not responding.' Fatal Error: Failed to start and configure the WSUS service. Generation of encryption key to save to the database failed to file.