npm package discovery and stats viewer.


secretkms

v1.13.0

Published

secretkms client for storing secrets

Downloads

37

Maintainers


Keywords

Readme

SecretKMS

Overview

This is a JavaScript/Node.js library that uses Amazon KMS and Amazon S3 to encrypt and decrypt secrets (strings) so that your data encryption keys are stored separately from the data and are themselves encrypted by a KMS customer master key.

This is a common requirement for PCI DSS compliance; this approach has been used to pass PCI audits by payment companies hosting on AWS.

Terminology and Concepts

http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

How it Works

Encryption:

  1. A request is made to S3 to retrieve an encrypted data key.

  2. If the key DOES exist, it is retrieved and decrypted using KMS.

  3. If the key DOES NOT exist, a new encrypted key is requested from KMS and stored in S3.

  4. The data key is used to encrypt the secret locally. The decrypted key is only ever kept in memory for the duration of the operation.

  5. The encrypted data is returned along with the data key name, data key version, and master key name.

Decryption:

  1. A request is made to S3 to retrieve an encrypted data key.

  2. The data key is decrypted using KMS.

  3. The data key is used to decrypt the data locally. The decrypted key is only ever kept in memory for the duration of the operation.

  4. The decrypted secret is returned.

Why It's Safe

  • Keys are stored in a highly reliable location (S3)
  • Keys are stored separately from the encrypted data (S3)
  • Keys are encrypted using a master key (KMS)
  • Keys can be encrypted and decrypted only by KMS

Even if an attacker downloads your data AND your encrypted keys, they cannot decrypt your data without access to KMS.

Initialization

Create an instance providing your AWS credentials and config:

const secretkms = require('secretkms')({
    accessKey: 'AKIAIMGERGY46EXAMPLE',
    secretKey: 'aX45RdV0FRSPEKh44FpvCksQV8eT2aj6REXAMPLE',
    masterKey: '9b64aaa7-ce47-4dac-8830-e0da1EXAMPLE',
    region: 'us-east-1',
    bucket: 'application-secretkms',
});

Encrypt

// keyName identifies the data key in S3, e.g. a per-user UUID
const encryptedData = await secretkms.encrypt('foo is my secret', keyName);

This returns an object:

{
  "data":"uSQfQ1z0RbFbUXL/hOgRTIBlCPuotLvgByzw4BtFnQo=",
  "key":{
    "masterKey":"9b64aaa7-ce47-4dac-8830-e0da1EXAMPLE",
    "name":"MY_DATA_KEY_NAME_EG_USER_UUID",
    "version":"EZcPuxOQ9wyrSn0ROxWOIrOsToBSJ2Zw"
  }
}

Note: You should store this entire object (the data and the key metadata) in your database as the "encrypted secret".

Decrypt

const decryptedSecret = await secretkms.decrypt(encryptedData, keyName);

This returns an object:

{
  "secret": "foo is my secret"
}

Building

This client is written with ES2017 features such as async/await.

To make it compatible with a wider audience, it is transpiled to an ES2015 profile with Babel.

If you need to rebuild it, run yarn install, then yarn build.

The transpiled file and source map end up in /dist.

Infrastructure

As an example, a Terraform file (setup.tf) has been provided that will create the necessary IAM user, S3 bucket(s) and KMS key. To install Terraform on a Mac, use brew install terraform.

Note: You will need to edit setup.tf and include an Administrator AWS access key and AWS secret key to allow Terraform to create the resources.

To preview the infrastructure:

$ terraform plan

To create the infrastructure:

$ terraform apply

The output of terraform apply gives you the three configuration values you need in order to use this client:

Outputs:

accessKey = AKIAIAU4UPRNXEXAMPLE
secretKey = 2iSBp4vfZ5Simu5yeOAbeW9X/g5wvGQc-EXAMPLE
kmsCustomerMasterKey = 300054ea-f7ad-46f9-9162-3fd83EXAMPLE