@autotelic/envelope-encryptor
v0.6.8
Published
Envelope encryption with configurable KMS
Downloads
76
Readme
envelope-encryptor
Envelope encryption with configurable KEK (Key Encryption Key) provider.
Installation
npm install @autotelic/envelope-encryptor
Usage
AWS KMS
Using AWS KMS
import { createEnvelopeEncryptor, awsKms } from '@autotelic/envelope-encryptor'
const {
AWS_REGION,
KMS_KEY_ID,
KMS_ACCESS_KEY_ID,
KMS_SECRET_ACCESS_KEY
} = process.env
const keyService = awsKms(KMS_KEY_ID, {
region: AWS_REGION,
credentials: {
accessKeyId: KMS_ACCESS_KEY_ID,
secretAccessKey: KMS_SECRET_ACCESS_KEY
}
})
const encryptor = createEnvelopeEncryptor(keyService)
const { encrypt, decrypt } = encryptor
const {
ciphertext,
key,
salt
} = await encrypt('plaintext')
const plaintext = await decrypt({
ciphertext: ciphertext.toString(),
key,
salt
})
KEK from an env variable
If your KEK will be e.g. stored in a secrets manager you can pass
it as a base64 encoded string. The key length must be 32 bytes,
you can generate a suitable one like this:
crypto.randomBytes(32).toString('base64')
import { createEnvelopeEncryptor, kekService } from '@autotelic/envelope-encryptor'
const keyService = kekService(process.env.KEY_ENCRYPTION_KEY)
const { encrypt, decrypt } = createEnvelopeEncryptor(keyService)
const {
ciphertext,
key,
salt
} = await encrypt('plaintext')
const plaintext = await decrypt({
ciphertext: ciphertext.toString(),
key,
salt
})
In development and testing
If you don't really need to use an actual KEK, e.g. in development or for testing, but you do need to generate DEKs (Data Encryption Key) to work with, there is a dummy KMS service. The "encrypted" key is just a base64 representation of a random buffer. This should definitely not be used in production!
import { createEnvelopeEncryptor, dummyKms } from '@autotelic/envelope-encryptor'
const keyService = dummyKms()
const { encrypt, decrypt } = createEnvelopeEncryptor(keyService)
const {
ciphertext,
key,
salt
} = await encrypt('plaintext')
const plaintext = await decrypt({
ciphertext: ciphertext.toString(),
key,
salt
})
Custom Key Service
You can implement a custom key service to pass to
createEnvelopeEncryptor
. It should be an object that
provides two async functions, getDataKey
and decryptDataKey
.
getDataKey
accepts no arguments and should return a
an object containing the encrypted data encryption key (which has been encrypted by the KEK),
and the plaintext data encryption key.
decryptDataKey
accepts an encrypted data key and should
return the plaintext data encryption key.
See the key service implementations in this module for examples.