
Hash AWS secret value with Argon Algorithm on EC2

Çağlar Arlı

I have a personal and password protected Jupyter Notebook running on an EC2 instance built with Terraform.

At instance creation I am retrieving and storing the password with the help of user_data:

echo "c.ServerApp.password = u'$(aws secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.jupyter.arn} --query SecretString --output text)'" >> /home/ec2-user/.jupyter/jupyter_notebook_config.py

It works, with the disadvantage that I have to argon-encrypt the secret before storing it in AWS Secrets Manager.

I am therefore looking for a way to store it in plain text in AWS Secrets Manager and put some local encryption mechanism in between before saving it in the Jupyter config file. Ideally the new script would be:

PLAIN_PWD=$(aws secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.jupyter.arn} --query SecretString --output text)
ARGON_HASHED_PWD=some-built-in-linux-function($PLAIN_PWD)
echo "c.ServerApp.password = u'$ARGON_HASHED_PWD'" >> /home/ec2-user/.jupyter/jupyter_notebook_config.py

I was wondering if an EC2 instance could be capable of encrypting the password, either with its as-is configuration or with the help of some package (e.g. yum install).

In particular, a utility for hashing a password is already provided as a built-in in the Jupyter installation.

This is a fragment of that utility:

if algorithm == "argon2":
    ph = argon2.PasswordHasher(
        memory_cost=10240,
        time_cost=10,
        parallelism=8,
    )
    h_ph = ph.hash(passphrase)
    return ":".join((algorithm, h_ph))
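
One way to do the hashing step on the instance, as an added example that is not part of the original post: a small Python helper that reads the plaintext from stdin, hashes it with the same argon2 parameters as the fragment above, and appends the config line. It assumes the argon2-cffi package is importable by the Python that runs it; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Hash a plaintext Jupyter password from stdin and append it to the config.

Constructed example; assumes argon2-cffi is importable.
"""
import os
import sys

CONFIG = "/home/ec2-user/.jupyter/jupyter_notebook_config.py"  # path from the question


def argon2_hash(plain):
    """Return 'argon2:<encoded hash>' using the parameters of the quoted fragment."""
    import argon2  # lazy import: only needed when hashing actually happens

    ph = argon2.PasswordHasher(memory_cost=10240, time_cost=10, parallelism=8)
    encoded = ph.hash(plain)
    ph.verify(encoded, plain)  # round-trip check; raises if the hash is unusable
    return ":".join(("argon2", encoded))


def config_line(hashed):
    """Build the config assignment; %r quotes the value as a Python literal."""
    if not hashed.startswith("argon2:$argon2"):
        raise ValueError("refusing to write a value that is not an argon2 hash")
    return "c.ServerApp.password = %r\n" % hashed


def append_config(path, line):
    """Append the line, creating the file as 0600 if it does not exist yet."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(line)


def main():
    # The secret arrives on stdin, so it never shows up in the process list.
    plain = sys.stdin.read().rstrip("\n")
    if not plain:
        sys.exit("empty password on stdin")
    append_config(CONFIG, config_line(argon2_hash(plain)))


if __name__ == "__main__":
    main()
```

In user_data, the output of the `aws secretsmanager get-secret-value` command from the question is piped into this script instead of being interpolated into `echo`, so the plaintext is never stored in a shell variable or written to disk.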