
/* Start by constructing a keyring. We'll create a KMS keyring.
 * Specify an AWS Key Management Service (AWS KMS) customer master key (CMK) to be the
 * generator key in the keyring. This CMK generates a data key and encrypts it. 
 * To use the keyring to encrypt data, you need kms:GenerateDataKey permission 
 * on this CMK. To decrypt, you need kms:Decrypt permission. 
 */
const generatorKeyId = 'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'

/* You can specify additional CMKs for the keyring. The data key that the generator key
 * creates is also encrypted by the additional CMKs you specify. To encrypt data, 
 *  you need kms:Encrypt permission on this CMK. To decrypt, you need kms:Decrypt permission.
 */ 
const keyIds = ['arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f']

/* Create a KMS client provider with your AWS credentials */
const clientProvider = getClient(KMS, {
  credentials: {
    accessKeyId,
    secretAccessKey
  }
})

/* Create the KMS keyring */
const keyring = new KmsKeyringBrowser({ clientProvider, generatorKeyId, keyIds })

/* Set an encryption context For more information: 
 * https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
 */
const context = {
    stage: 'demo',
    purpose: 'simple demonstration app',
    origin: 'us-west-2'
  }
 
/* Create a string to encrypt */
const plainText = new Uint8Array([1, 2, 3, 4, 5])

/* Encrypt the string using the keyring and the encryption context 
 * the Encryption SDK returns an "encrypted message" (`result`) that includes the ciphertext, 
 * the encryption context, and the encrypted data keys.
 */ 
const { result } = await encrypt(keyring, plainText, { encryptionContext: context })

/* Decrypt the result using the same keyring */
const { plaintext, messageHeader } = await decrypt(keyring, result)

/* Get the encryption context */
const { encryptionContext } = messageHeader

/* Verify that all values in the original encryption context are in the 
 * current one. (The Encryption SDK adds extra values for signing.) 
 */
Object
  .entries(context)
  .forEach(([key, value]) => {
    if (encryptionContext[key] !== value) throw new Error('Encryption Context does not match expected values')
    })

/* If the encryption context is verified, log the plaintext. */
document.write('</br>Decrypted:' + plaintext)
console.log(plaintext)

test

npm test

Compatibility Considerations

WebCrypto availability

The WebCrypto API is not available on all browsers. A fallback can be configured. An example of a fallback library is: MSR Crypto

import { configureFallback } from '@aws-crypto/client-browser'
configureFallback(msrCrypto)

For details on configureFallback see: @aws-crypto/web-crypto-backend

Zero Byte AES-GCM operations

Modern versions of Safari do not support AES-GCM on zero bytes. The AWS Encryption SDK needs this to operate. To fix this, configure a fallback library exactly as above. The AWS Encryption SDK will only use the fallback for zero byte operations.

RSA Options

The WebCrypto API does not support PKCS1v15 RSA key wrapping.

192 Bit Keys

Browsers do not support key lengths of 192 bits.

license

This SDK is distributed under the Apache License, Version 2.0, see LICENSE.txt and NOTICE.txt for more information.

Keywords

FAQs

What is @aws-crypto/client-browser?

Is @aws-crypto/client-browser well maintained?

Package last updated on 30 Jul 2024

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install