Use these Bash and PowerShell scripts to manage your wrapped keys.

Copy and run one of the scripts below to concatenate and encode your wrapped keys. The first script is for Bash; the second is for PowerShell.

#!/bin/bash

# Require exactly three positional arguments; otherwise print the help text
# and stop with a non-zero status before any file is touched.
if (( $# != 3 )); then
    printf '%s\n' \
        "This script converts two BYOK wrapped key files prepared in legacy" \
        "format which contain only one secret key to one AES-CBC_CS1 wrapped" \
        "key file which holds two keys - one for AES encryption and one" \
        "involved in CBC_CS1 IV generation." \
        "" \
        "Usage: $0 inputFile1 inputFile2 outputFile" \
        "Where: inputFile1 - wrapped AES key" \
        "       inputFile2 - wrapped CBC_CS1 IV related key" \
        "       outputFile - wrapped AES-CBC_CS1 key ready for BYOK import"
    exit 1
fi

# Name the arguments once so the rest of the script never indexes $1..$3.
wrappedAesKeyFile=$1
wrappedCbcCs1KeyFile=$2
outputFile=$3

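#######################################
# Extract the wrapped key record from one legacy key file and append its
# decoded bytes to the scratch file.
# Globals:   outputFile (read) - the scratch file is "$outputFile.temp"
# Arguments: $1 - path to a file holding a line of the form "Secret: <base64>"
# Outputs:   appends the decoded bytes to "$outputFile.temp";
#            diagnostics go to stderr
# Exits:     with status 1 (ending the script) when the file has no
#            'Secret:' line, the line has no value, or the value does not
#            decode as base64
#######################################
extract_and_decode() {
    local secretLine
    local encodedRecord

    # Only the first 'Secret:' line is used. The input format is described as
    # holding one secret key, and the PowerShell variant on this page also
    # returns the first match.
    secretLine=$(grep -m 1 '^Secret:' -- "$1")
    if [ -z "$secretLine" ]; then
        echo "No line starting with 'Secret:' found in $1" >&2
        exit 1
    fi

    # Second whitespace-separated field is the base64 text. A trailing CR
    # (file saved with CRLF line endings) is dropped so it does not reach the
    # decoder as an invalid character.
    encodedRecord=$(printf '%s\n' "$secretLine" | awk '{print $2}' | tr -d '\r')
    if [ -z "$encodedRecord" ]; then
        echo "The 'Secret:' line in $1 has no value" >&2
        exit 1
    fi

    # Fail closed: a value that does not decode must stop the script instead
    # of leaving a truncated record in the combined key file.
    if ! printf '%s\n' "$encodedRecord" | base64 -d >> "$outputFile.temp"; then
        echo "The 'Secret:' value in $1 is not valid base64" >&2
        exit 1
    fi
}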

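# Extract the wrapped key records from both files, decode them to binary
# and concatenate the two binary records in a scratch file.

# The scratch file holds decoded key records; remove it on every exit path,
# including the early exits taken inside extract_and_decode.
trap 'rm -f -- "$outputFile.temp"' EXIT

: > "$outputFile.temp"
extract_and_decode "$wrappedAesKeyFile"
extract_and_decode "$wrappedCbcCs1KeyFile"

# Base64 encode the concatenated binary records and format them as a Secret
# line. Line breaks are stripped because some base64 implementations wrap
# their output at 76 columns, and a reader that takes the second field of the
# 'Secret:' line (as this script does) would then see only the first chunk.
encodedRecords=$(base64 < "$outputFile.temp" | tr -d '\n')
if [ -z "$encodedRecords" ]; then
    echo "Failed to encode the concatenated wrapped key records" >&2
    exit 1
fi
printf 'Secret: %s\n' "$encodedRecords" > "$outputFile"

rm -f -- "$outputFile.temp"
echo "AES-CBC_CS1 wrapped key is written to $outputFile"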

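# PowerShell variant of the conversion script.
# Parameters:
#   -wrappedAesKey  path to the file holding the wrapped AES key
#   -wrappedIvKey   path to the file holding the wrapped CBC_CS1 IV related key
#   -outputFile     path of the combined AES-CBC_CS1 key file to write
param (
    [string]$wrappedAesKey,
    [string]$wrappedIvKey,
    [string]$outputFile
)

# All three parameters are required. Print the help text and stop with a
# non-zero exit code so a calling script or pipeline can tell that nothing
# was converted.
if (-not $wrappedAesKey -or -not $wrappedIvKey -or -not $outputFile) {
    $scriptName = $MyInvocation.MyCommand.Name
    Write-Host "This script converts two BYOK wrapped key files prepared in legacy"
    Write-Host "format which contain only one secret key to one AES-CBC_CS1 wrapped"
    Write-Host "key file which holds two keys - one for AES encryption and one"
    Write-Host "involved in CBC_CS1 IV generation."
    Write-Host
    Write-Host "Usage:"
    Write-Host ".\$scriptName -wrappedAesKey 'path\to\file1' -wrappedIvKey 'path\to\file2' -outputFile 'path\to\outputFile'"
    Write-Host "Where: file1 - wrapped AES key"
    Write-Host "       file2 - wrapped CBC_CS1 IV related key"
    Write-Host "       outputFile - wrapped AES-CBC_CS1 key ready for BYOK import"
    exit 1
}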

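# Returns the value of the first line in $filePath that starts with "Secret:",
# i.e. the second whitespace-separated field of that line, or $null when the
# file has no such line.
function Get-Base64String {
    param ([string]$filePath)

    # -LiteralPath: the path is taken as given, so characters such as '[' or
    # '*' in a file name are not treated as wildcards.
    $content = Get-Content -LiteralPath $filePath

    foreach ($line in $content) {
        if ($line.StartsWith("Secret:")) {
            # Split on runs of whitespace so "Secret:  <value>" or a tab
            # separator still yields the value as the second field.
            $parts = $line -split '\s+'
            if ($parts.Length -ge 2) {
                return $parts[1]
            }
        }
    }

    return $null
}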

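# Read the base64 text of both wrapped key records.
$base64StringAesKey = Get-Base64String -filePath $wrappedAesKey
$base64StringIvKey = Get-Base64String -filePath $wrappedIvKey

# Stop with a failure status when either record is missing or empty.
if (-not ($base64StringAesKey -and $base64StringIvKey)) {
    Write-Host "One of the files does not contain a valid 'Secret:' line."
    exit 1
}

# Decode both records before anything is written. Without the try/catch a
# value that is not valid base64 only reports an error: by default PowerShell
# carries on with the next statement, so an output file could still be
# written from whichever record did decode.
try {
    $bytesAesKey = [System.Convert]::FromBase64String($base64StringAesKey)
    $bytesIvKey = [System.Convert]::FromBase64String($base64StringIvKey)
} catch {
    Write-Host "One of the 'Secret:' values is not valid base64. No output file was written."
    exit 1
}

# AES key record first, IV related key record second, then re-encode the
# combined bytes as a single base64 string.
[byte[]]$concatenatedKeysBytes = $bytesAesKey + $bytesIvKey
$concatenatedKeysBase64 = [System.Convert]::ToBase64String($concatenatedKeysBytes)

"Secret: $concatenatedKeysBase64" | Set-Content -LiteralPath $outputFile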

Also see the page section How to use wrapped keys.