Use these bash scripts to manage your wrapped keys.
Copy and run the scripts below to concatenate and encode your wrapped keys.
Bash script
#!/bin/bash
# Check if exactly three arguments are given
if [ "$#" -ne 3 ]; then
echo "This script converts two BYOK wrapped key files prepared in legacy"
echo "format which contain only one secret key to one AES-CBC_CS1 wrapped"
echo "key file which holds two keys - one for AES encryption and one"
echo "involved in CBC_CS1 IV generation."
echo
echo "Usage: $0 inputFile1 inputFile2 outputFile"
echo "Where: inputFile1 - wrapped AES key"
echo " inputFile2 - wrapped CBC_CS1 IV related key"
echo " outputFile - wrapped AES-CBC_CS1 key ready for BYOK import"
exit 1
fi
wrappedAesKeyFile=$1
wrappedCbcCs1KeyFile=$2
outputFile=$3
# Function to extract and base64 decode wrapped keys
extract_and_decode() {
local secretLine
secretLine=$(grep '^Secret:' "$1")
if [ -z "$secretLine" ]; then
echo "No line starting with 'Secret:' found in $1"
exit 1
fi
echo "$secretLine" | awk '{print $2}' | base64 -d >> "$outputFile.temp"
}
# Extract wrapped key records from both files, decode them to binary
# and concatinate both both binary records
echo -n "" > "$outputFile.temp"
extract_and_decode "$wrappedAesKeyFile"
extract_and_decode "$wrappedCbcCs1KeyFile"
# Base64 encode concatinated binary wrapped key records and format them as Secret
echo -n "Secret: " > "$outputFile"
base64 -i "$outputFile.temp" >> "$outputFile"
rm $outputFile.temp
echo "AES-CBC_CS1 wrapped key is written to $outputFile"
Powershell script
param (
[string]$wrappedAesKey,
[string]$wrappedIvKey,
[string]$outputFile
)
if (-not $wrappedAesKey -or -not $wrappedIvKey -or -not $outputFile) {
$scriptName = $MyInvocation.MyCommand.Name
Write-Host "This script converts two BYOK wrapped key files prepared in legacy"
Write-Host "format which contain only one secret key to one AES-CBC_CS1 wrapped"
Write-Host "key file which holds two keys - one for AES encryption and one"
Write-Host "involved in CBC_CS1 IV generation."
Write-Host
Write-Host "Usage:"
Write-Host ".\$scriptName -wrappedAesKey 'path\to\file1' -wrappedIvKey 'path\to\file2' -outputFile 'path\to\outputFile'"
Write-Host "Where: file1 - wrapped AES key"
Write-Host " file2 - wrapped CBC_CS1 IV related key"
Write-Host " outputFile - wrapped AES-CBC_CS1 key ready for BYOK import"
exit
}
function Get-Base64String {
param ([string]$filePath)
$content = Get-Content $filePath
foreach ($line in $content) {
if ($line.StartsWith("Secret:")) {
$parts = $line.Split(' ')
if ($parts.Length -ge 2) {
return $parts[1]
}
}
}
return $null
}
$base64StringAesKey = Get-Base64String -filePath $wrappedAesKey
$base64StringIvKey = Get-Base64String -filePath $wrappedIvKey
if ($base64StringAesKey -and $base64StringIvKey) {
$bytesAesKey = [System.Convert]::FromBase64String($base64StringAesKey)
$bytesIvKey = [System.Convert]::FromBase64String($base64StringIvKey)
$concatenatedKeysBytes = $bytesAesKey + $bytesIvKey
$concatenatedKeysBase64 = [System.Convert]::ToBase64String($concatenatedKeysBytes)
"Secret: $concatenatedKeysBase64" | Set-Content $outputFile
} else {
Write-Host "One of the files does not contain a valid 'Secret:' line."
}
Also see the page section How to use wrapped keys.