gcloud-kms-helper
v0.0.6
Published
A simple encryptor - decryptor using KMS for the GCloud functions
Downloads
15
Maintainers
Readme
gcloud-kms-helper
A simple NPM module for managing the encryption - decryption using Google Cloud KMS.
What is it?
The gcloud-kms-helper
provides a CLI tool for encrypting - decrypting your secrets.
It can be also used directly in your code.
The motivation for creating this NPM module is to be able to have a re-usable solution for dealing with secrets when using Google Cloud Functions
How does it work?
Before using the module be sure that you setup the gcloud
binary on your laptop and that you are authenticated.
The module needs the following environment variable: GOOGLE_APPLICATION_CREDENTIALS
.
When your environment is ready, move to your project directory and run the following command:
$> npm install --save gcloud-kms-helper
The module supports the following environment variables:
PROJECT_ID
: your Google Cloud project IDPROJECT_LOCATION
: your Google Cloud project location (default: europe-west1)KEY_RING_NAME
: your Google Cloud KMS key ring nameCRYPTO_KEY_NAME
: your Google Cloud KMS crypto key name
Using the CLI
The CLI tool supports two commands: encrypt
and decrypt
.
encrypt
Encrypt and write a message in to a file.
Usage:
$> kms-helper encrypt [options] <message to encrypt> <output file>
If you aren't using the environment variables or if you wanna override the value set in your environment you can use the following options:
-p, --project_id
: your Google Cloud project ID-l, --project_location
: your Google Cloud project location (default: europe-west1)-r, --key_ring_name
: your Google Cloud KMS key ring name-c, --crypto_key_name
: your Google Cloud KMS crypto key name
decrypt
Decrypt a message in a file.
Usage:
$> kms-helper decrypt [options] <input file>
If you aren't using the environment variables or if you wanna override the value set in your environment you can use the following options:
-p, --project_id
: your Google Cloud project ID-l, --project_location
: your Google Cloud project location (default: europe-west1)-r, --key_ring_name
: your Google Cloud KMS key ring name-c, --crypto_key_name
: your Google Cloud KMS crypto key name
Using the API
You can import the encrypt / decrypt methods in your script:
encrypt(message, outputFile, options)
argurments
message
: string. Required. The message to encryptoutputFile
: string. Required. The path of the file where to output the encrypted message.options
: object. Required. The options mentionned before.
returned value
- Promise
'use strict';
/**
* If you are using the module in a Google Cloud Function you will need the following *ugly* hack
*/
process.env.GOOGLE_APPLICATION_CREDENTIALS = '~/path/to/my/cred';
const options = {
project_id: process.env.PROJECT_ID || 'my-project',
location: process.env.PROJECT_LOCATION || 'europe-west1',
key_ring_name: process.env.KEY_RING_NAME || 'key-ring-name',
crypto_key_name: process.env.CRYPTO_KEY_NAME || 'crypto-key-name',
};
const encrypt = require('gcloud-kms-helper').encrypt;
encrypt('my message to encrypt', './output.key', options)
.then(() => console.log('done.'))
.catch((err) => console.error(`Something went wrong: ${err.message}`));
decrypt(message, outputFile, options)
argurments
inputFile
: string. Required. The path of the file where we can find the message to decrypt.options
: object. Required. The options mentionned before.
returned value
- Promise
'use strict';
/**
* If you are using the module in a Google Cloud Function you will need the following *ugly* hack
*/
process.env.GOOGLE_APPLICATION_CREDENTIALS = '~/path/to/my/cred';
const options = {
project_id: process.env.PROJECT_ID || 'my-project',
location: process.env.PROJECT_LOCATION || 'europe-west1',
key_ring_name: process.env.KEY_RING_NAME || 'key-ring-name',
crypto_key_name: process.env.CRYPTO_KEY_NAME || 'crypto-key-name',
};
const decrypt = require('gcloud-kms-helper').decrypt;
decrypt('./output.key', options)
.then((myDecryptedValue) => console.log(`The secret is: ${myDecryptedValue}`))
.catch((err) => console.error(`Something went wrong: ${err.message}`));
decryptFromBuffer(message, outputFile, options)
argurments
buff
: string or buffer. Required. The buffer or the string to decrypt.options
: object. Required. The options mentionned before.
returned value
- Promise
'use strict';
/**
* If you are using the module in a Google Cloud Function you will need the following *ugly* hack
*/
process.env.GOOGLE_APPLICATION_CREDENTIALS = '~/path/to/my/cred';
const options = {
project_id: process.env.PROJECT_ID || 'my-project',
location: process.env.PROJECT_LOCATION || 'europe-west1',
key_ring_name: process.env.KEY_RING_NAME || 'key-ring-name',
crypto_key_name: process.env.CRYPTO_KEY_NAME || 'crypto-key-name',
};
const decryptFromBuffer = require('gcloud-kms-helper').decryptFromBuffer;
decryptFromBuffer(Buffer.from('bXlzZWNyZXQK', 'base64'), options)
.then((myDecryptedValue) => console.log(`The secret is: ${myDecryptedValue}`))
.catch((err) => console.error(`Something went wrong: ${err.message}`));
Most of the possible scenario are described in the test directory of the module.
For running the test simply run npm run test
Contributing - Complaining
If you found a bug or think that something is missing, do not hesitate to open an issue or a pull-request