Draft!
Ubiquitous Encryption
Using AWS KMS
Use case: Storing the private keys and certificate files that Nginx needs for TLS (when you are not using an HSM for OpenSSL key offloading or a keyless-TLS setup)
$ aws kms create-key --policy file://path/to/policy
If you omit --policy, the default key policy gives the account's root user full control of the key and delegates everything else to IAM; supply your own policy file to restrict use of the key to the specific user or role the Nginx host runs under.
$ aws kms encrypt --key-id 89324897-0zb1-9874-47fh-981273987 \
--plaintext fileb://some-ssl.pem --query CiphertextBlob \
--output text | base64 --decode > some-ssl.pem.encrypted
Two caveats: AWS CLI v2 expects base64 for file:// blob parameters, so pass the raw PEM with fileb://; and KMS Encrypt accepts at most 4096 bytes of plaintext, which is enough for a single private key but not for a full certificate chain, where you need envelope encryption (GenerateDataKey plus local AES) instead.
You now have access to an encrypted file which is ready for storing inside an encrypted S3 bucket or other safe location
Let's create a 50MB encrypted store in memory, accessible to root only (file permissions are left out here; ideally you set it up so that only the nginx user can pull the key, and only once):
sudo mkdir /mnt/ramdisk
sudo mount -t ramfs none /mnt/ramdisk # ramfs is never swapped out; it has no size option (maxsize= is silently ignored), the dd count below bounds its size
sudo dd if=/dev/urandom of=/mnt/ramdisk/cryptedcontainer bs=1M count=50
sudo losetup --find --show /mnt/ramdisk/cryptedcontainer # prints the loop device it attached; the rest assumes /dev/loop0
sudo cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 \
--key-file /dev/urandom /dev/loop0 cryptedramdisk # plain dm-crypt with a throwaway key read from /dev/urandom, nothing is persisted ('create' is the deprecated spelling of 'open --type plain')
sudo badblocks -swt random /dev/mapper/cryptedramdisk # Optional: the dd above already randomised the container, this just rewrites it through the mapper
sudo mkfs.ext2 /dev/mapper/cryptedramdisk # Creating the filesystem
sudo mkdir /mnt/my-relatively-safe-certificate-key-store
sudo mount /dev/mapper/cryptedramdisk /mnt/my-relatively-safe-certificate-key-store
To decrypt:
aws kms decrypt --ciphertext-blob fileb://some-ssl.pem.encrypted \
--output text --query Plaintext | base64 \
--decode > /mnt/my-relatively-safe-certificate-key-store/some-ssl.pem
Windows
aws kms decrypt --ciphertext-blob fileb://some-ssl.pem.encrypted \
--output text --query Plaintext > some-ssl.pem.base64
certutil -decode some-ssl.pem.base64 some-ssl.pem
Point your Nginx configuration (ssl_certificate_key) at the "relatively-safe-certificate-key-store" and simply start or restart it. If you want to make it "safer" you can unmount the virtual disks right afterwards, since the Nginx master process reads the key at startup and keeps it in memory. A reload will then fail, because on SIGHUP the master re-reads the configuration and the key file (Nginx keeps running with the old configuration when that happens). To facilitate all this, I usually rewrite the stop/start/reload scripts to run the mounting sequence each and every time. Note what this does and does not buy you: the plaintext key never touches persistent storage or a backup, but root on the box can still read it from the mapper while it is mounted and from the Nginx master process afterwards.
Clean-up steps:
sudo umount /mnt/my-relatively-safe-certificate-key-store
sudo cryptsetup close cryptedramdisk
sudo losetup -d /dev/loop0
sudo shred -ufv /mnt/ramdisk/cryptedcontainer # for the paranoid: overwrites the container's pages in memory three times before unlinking, since freeing ramfs pages does not zero them
sudo umount /mnt/ramdisk
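As an added example (my own wrapper script, not code from the original page), this is the shape the rewritten start/reload script can take: it runs the ramfs, loop, dm-crypt, ext2 and KMS-decrypt sequence before Nginx starts or reloads and tears everything down again afterwards, checks the 4096-byte KMS Encrypt limit before you try to encrypt a file, and unmounts the key store rather than the mapper name on the way down. Paths, the mapper name, the size and the reload grace period are assumptions and can be overridden from the environment.

```shell
#!/bin/sh
# nginx-keystore.sh: added example, not from the original page.
# Brings the in-memory key store up, lets the nginx master read the key,
# and tears the store down again so the plaintext only lives in memory.
# All paths, names and sizes below are assumptions; override via environment.
set -eu

KMS_BLOB="${KMS_BLOB:-/etc/nginx/some-ssl.pem.encrypted}"  # output of 'aws kms encrypt'
RAMDISK="${RAMDISK:-/mnt/ramdisk}"
CONTAINER="$RAMDISK/cryptedcontainer"
MAPPER="${MAPPER:-cryptedramdisk}"
STORE="${STORE:-/mnt/my-relatively-safe-certificate-key-store}"
SIZE_MB="${SIZE_MB:-50}"
RELOAD_GRACE="${RELOAD_GRACE:-3}"   # seconds to let the master re-read the key after SIGHUP (assumed)
KMS_MAX_BYTES=4096                   # KMS Encrypt accepts at most 4096 bytes of plaintext

# Returns 0 when a file is small enough for a direct 'aws kms encrypt',
# 1 when it needs envelope encryption (GenerateDataKey + local AES) instead.
check_kms_size() {
    size=$(wc -c < "$1")
    [ "$size" -le "$KMS_MAX_BYTES" ]
}

keystore_up() {
    mkdir -p "$RAMDISK" "$STORE"
    # ramfs is never swapped out; it has no size option, 'dd count' bounds it below
    mountpoint -q "$RAMDISK" || mount -t ramfs none "$RAMDISK"
    chmod 700 "$RAMDISK" "$STORE"
    dd if=/dev/urandom of="$CONTAINER" bs=1M count="$SIZE_MB" status=none
    loop=$(losetup --find --show "$CONTAINER")   # prints the device it picked, e.g. /dev/loop0
    # Plain dm-crypt with a throwaway key read straight from /dev/urandom:
    # nothing about the key is stored, so the mapping cannot be reopened later.
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom "$loop" "$MAPPER"
    mkfs.ext2 -q "/dev/mapper/$MAPPER"
    mount "/dev/mapper/$MAPPER" "$STORE"
    chmod 700 "$STORE"
    # Decrypt straight into the store. Without pipefail a failed 'aws' call
    # would leave an empty file behind, so check that something was written.
    aws kms decrypt --ciphertext-blob "fileb://$KMS_BLOB" \
        --output text --query Plaintext | base64 --decode > "$STORE/some-ssl.pem"
    [ -s "$STORE/some-ssl.pem" ] || { echo "KMS decrypt produced no key" >&2; return 1; }
    chmod 600 "$STORE/some-ssl.pem"
}

keystore_down() {
    umount "$STORE" 2>/dev/null || true              # the mount point, not the mapper name
    cryptsetup close "$MAPPER" 2>/dev/null || true
    loop=$(losetup -j "$CONTAINER" 2>/dev/null | cut -d: -f1)
    if [ -n "$loop" ]; then losetup -d "$loop"; fi
    # shred overwrites the container's pages in memory before unlinking;
    # merely freeing ramfs pages does not zero them
    if [ -f "$CONTAINER" ]; then shred -ufz "$CONTAINER"; fi
    umount "$RAMDISK" 2>/dev/null || true
}

case "${1:-}" in
    start)  trap keystore_down EXIT; keystore_up; nginx ;;      # master reads the key once at startup
    stop)   nginx -s quit ;;                                     # nothing is mounted, nothing to clean up
    reload) trap keystore_down EXIT; keystore_up; nginx -t
            nginx -s reload; sleep "$RELOAD_GRACE" ;;            # SIGHUP returns before the master re-reads the key
    "")     ;;                                                   # sourced or no verb: only define the functions
    *)      echo "usage: $0 start|stop|reload" >&2; exit 2 ;;
esac
```

The EXIT trap is what makes the teardown reliable: if cryptsetup, mkfs or the KMS call fails halfway through, set -e aborts the script and keystore_down still runs, so a failed start never leaves a mounted key store behind. The reload branch runs nginx -t first so a bad configuration is caught while the key is still readable, and the grace period exists because nginx -s reload only sends SIGHUP and returns before the master has actually re-read the key file.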