@google-cloud/kms
Advanced tools
Google Cloud Key Management Service (KMS) API client for Node.js
@google-cloud/kms is a Node.js client library for Google Cloud Key Management Service (KMS). It allows you to manage cryptographic keys for your cloud services the same way you do on-premises. You can create, use, rotate, and destroy cryptographic keys, and it supports both symmetric and asymmetric keys.
Create a Key Ring
This code sample demonstrates how to create a new key ring in Google Cloud KMS. A key ring is a grouping of keys that allows you to manage them together.
const { KeyManagementServiceClient } = require('@google-cloud/kms');
const client = new KeyManagementServiceClient();
async function createKeyRing() {
const locationId = 'global';
const keyRingId = 'my-key-ring';
const parent = client.locationPath('my-project', locationId);
const [keyRing] = await client.createKeyRing({
parent: parent,
keyRingId: keyRingId,
keyRing: {}
});
console.log(`Created key ring: ${keyRing.name}`);
}
createKeyRing();Create a Crypto Key
This code sample demonstrates how to create a new cryptographic key within a key ring. The key can be used for encryption and decryption.
const { KeyManagementServiceClient } = require('@google-cloud/kms');
const client = new KeyManagementServiceClient();
async function createCryptoKey() {
const locationId = 'global';
const keyRingId = 'my-key-ring';
const cryptoKeyId = 'my-crypto-key';
const parent = client.keyRingPath('my-project', locationId, keyRingId);
const [cryptoKey] = await client.createCryptoKey({
parent: parent,
cryptoKeyId: cryptoKeyId,
cryptoKey: {
purpose: 'ENCRYPT_DECRYPT',
versionTemplate: {
algorithm: 'GOOGLE_SYMMETRIC_ENCRYPTION'
}
}
});
console.log(`Created crypto key: ${cryptoKey.name}`);
}
createCryptoKey();Encrypt Data
This code sample demonstrates how to encrypt data using a cryptographic key. The plaintext data is encrypted and the ciphertext is returned.
const { KeyManagementServiceClient } = require('@google-cloud/kms');
const client = new KeyManagementServiceClient();
async function encryptData() {
const locationId = 'global';
const keyRingId = 'my-key-ring';
const cryptoKeyId = 'my-crypto-key';
const name = client.cryptoKeyPath('my-project', locationId, keyRingId, cryptoKeyId);
const plaintext = Buffer.from('my sensitive data').toString('base64');
const [result] = await client.encrypt({
name: name,
plaintext: plaintext
});
console.log(`Encrypted data: ${result.ciphertext}`);
}
encryptData();Decrypt Data
This code sample demonstrates how to decrypt data that was previously encrypted using a cryptographic key. The ciphertext is decrypted and the original plaintext is returned.
const { KeyManagementServiceClient } = require('@google-cloud/kms');
const client = new KeyManagementServiceClient();
async function decryptData() {
const locationId = 'global';
const keyRingId = 'my-key-ring';
const cryptoKeyId = 'my-crypto-key';
const name = client.cryptoKeyPath('my-project', locationId, keyRingId, cryptoKeyId);
const ciphertext = '...'; // The encrypted data
const [result] = await client.decrypt({
name: name,
ciphertext: ciphertext
});
console.log(`Decrypted data: ${Buffer.from(result.plaintext, 'base64').toString()}`);
}
decryptData();The aws-sdk package for Node.js provides a comprehensive set of tools for interacting with AWS services, including AWS Key Management Service (KMS). It allows you to create, manage, and use cryptographic keys in a similar way to @google-cloud/kms, but within the AWS ecosystem.
The azure-keyvault-keys package for Node.js provides functionality for managing cryptographic keys in Azure Key Vault. It offers similar capabilities to @google-cloud/kms, such as creating, using, and managing keys, but is designed for use with Microsoft Azure services.
The node-jose package is a JavaScript library for JSON Object Signing and Encryption (JOSE). It provides tools for working with JSON Web Tokens (JWT), JSON Web Encryption (JWE), and JSON Web Keys (JWK). While it is not a cloud-specific service, it offers similar cryptographic functionalities for key management and data encryption/decryption.
Google Cloud Key Management Service (KMS) API client for Node.js
A comprehensive list of changes in each version may be found in the CHANGELOG.
Read more about the client libraries for Cloud APIs, including the older Google APIs Client Libraries, in Client Libraries Explained.
Table of contents:
npm install @google-cloud/kms
//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// Imports the Cloud KMS library
const {KeyManagementServiceClient} = require('@google-cloud/kms');
// Instantiates a client
const client = new KeyManagementServiceClient();
// Build the location name
const locationName = client.locationPath(projectId, locationId);
async function listKeyRings() {
const [keyRings] = await client.listKeyRings({
parent: locationName,
});
for (const keyRing of keyRings) {
console.log(keyRing.name);
}
return keyRings;
}
return listKeyRings();
Samples are in the samples/ directory. Each sample's README.md has instructions for running its sample.
| Sample | Source Code | Try it |
|---|---|---|
| Autokey.create_key_handle | source code |  |
| Autokey.get_key_handle | source code | |
| Autokey.list_key_handles | source code | |
| Autokey_admin.get_autokey_config | source code | |
| Autokey_admin.show_effective_autokey_config | source code | |
| Autokey_admin.update_autokey_config | source code | |
| Ekm_service.create_ekm_connection | source code | |
| Ekm_service.get_ekm_config | source code | |
| Ekm_service.get_ekm_connection | source code | |
| Ekm_service.list_ekm_connections | source code | |
| Ekm_service.update_ekm_config | source code | |
| Ekm_service.update_ekm_connection | source code | |
| Ekm_service.verify_connectivity | source code | |
| Key_management_service.asymmetric_decrypt | source code | |
| Key_management_service.asymmetric_sign | source code | |
| Key_management_service.create_crypto_key | source code | |
| Key_management_service.create_crypto_key_version | source code | |
| Key_management_service.create_import_job | source code | |
| Key_management_service.create_key_ring | source code | |
| Key_management_service.decrypt | source code | |
| Key_management_service.destroy_crypto_key_version | source code | |
| Key_management_service.encrypt | source code | |
| Key_management_service.generate_random_bytes | source code | |
| Key_management_service.get_crypto_key | source code | |
| Key_management_service.get_crypto_key_version | source code | |
| Key_management_service.get_import_job | source code | |
| Key_management_service.get_key_ring | source code | |
| Key_management_service.get_public_key | source code | |
| Key_management_service.import_crypto_key_version | source code | |
| Key_management_service.list_crypto_key_versions | source code | |
| Key_management_service.list_crypto_keys | source code | |
| Key_management_service.list_import_jobs | source code | |
| Key_management_service.list_key_rings | source code | |
| Key_management_service.mac_sign | source code | |
| Key_management_service.mac_verify | source code | |
| Key_management_service.raw_decrypt | source code | |
| Key_management_service.raw_encrypt | source code | |
| Key_management_service.restore_crypto_key_version | source code | |
| Key_management_service.update_crypto_key | source code | |
| Key_management_service.update_crypto_key_primary_version | source code | |
| Key_management_service.update_crypto_key_version | source code | |
| Quickstart | source code | |
The Google Cloud Key Management Service Node.js Client API Reference documentation also contains samples.
Our client libraries follow the Node.js release schedule. Libraries are compatible with all current active and maintenance versions of Node.js. If you are using an end-of-life version of Node.js, we recommend that you update as soon as possible to an actively supported LTS version.
Google's client libraries support legacy versions of Node.js runtimes on a best-efforts basis with the following warnings:
Client libraries targeting some end-of-life versions of Node.js are available, and
can be installed through npm dist-tags.
The dist-tags follow the naming convention legacy-(version).
For example, npm install @google-cloud/kms@legacy-8 installs client libraries
for versions compatible with Node.js 8.
This library follows Semantic Versioning.
This library is considered to be stable. The code surface will not change in backwards-incompatible ways unless absolutely necessary (e.g. because of critical security issues) or with an extensive deprecation period. Issues and requests against stable libraries are addressed with the highest priority.
More Information: Google Cloud Platform Launch Stages
Contributions welcome! See the Contributing Guide.
Please note that this README.md, the samples/README.md,
and a variety of configuration files in this repository (including .nycrc and tsconfig.json)
are generated from a central template. To edit one of these files, make an edit
to its templates in
directory.
Apache Version 2.0
See LICENSE
FAQs
Google Cloud Key Management Service (KMS) API client for Node.js
The npm package @google-cloud/kms receives a total of 82,610 weekly downloads. As such, @google-cloud/kms popularity was classified as popular.
We found that @google-cloud/kms demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.