
crypt-aws-kms
A helper tool to decrypt and encrypt data through the AWS KMS service. Decryption and encryption can be done through a CLI or in the codebase with the KMS class.
npm install
The idea is to use the so-called envelope encryption proposed by AWS KMS. In short, the steps are:
Do not store the decrypted datakey; keep it in memory only as long as you need it.
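The envelope-encryption flow described above, as an added example that is not part of the crypt-aws-kms code base. `FakeKms`, `seal`, `open`, `envelopeEncrypt` and `envelopeDecrypt` are hypothetical names; `FakeKms` is a constructed local stand-in for the KMS service so the example runs offline, and AES-256-GCM is an assumption, since the page does not say which cipher the package uses.

```javascript
const crypto = require('crypto');

// Constructed local stand-in for KMS (assumption, not the AWS SDK): the master
// key never leaves this object, as a KMS master key never leaves the service.
class FakeKms {
  constructor() { this.masterKey = crypto.randomBytes(32); }
  // Analogous to KMS GenerateDataKey: data key in plaintext and in wrapped form.
  generateDataKey() {
    const Plaintext = crypto.randomBytes(32);
    return { Plaintext, CiphertextBlob: seal(this.masterKey, Plaintext) };
  }
  // Analogous to KMS Decrypt: unwraps a wrapped data key.
  decrypt(CiphertextBlob) { return { Plaintext: open(this.masterKey, CiphertextBlob) }; }
}

// AES-256-GCM; output layout is iv (12 bytes) | auth tag (16 bytes) | ciphertext.
function seal(key, data) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(data), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Throws if the blob was modified or the key is wrong (tag check in final()).
function open(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

function envelopeEncrypt(kms, secret) {
  const { Plaintext, CiphertextBlob } = kms.generateDataKey();
  try {
    // Only the wrapped data key and the ciphertext are kept for storage.
    return { wrappedKey: CiphertextBlob, ciphertext: seal(Plaintext, Buffer.from(secret)) };
  } finally {
    Plaintext.fill(0); // wipe the plaintext data key once it is no longer needed
  }
}

function envelopeDecrypt(kms, { wrappedKey, ciphertext }) {
  const { Plaintext } = kms.decrypt(wrappedKey);
  try {
    return open(Plaintext, ciphertext).toString();
  } finally {
    Plaintext.fill(0); // same rule on the decrypt path
  }
}
```

Zeroing the buffer limits how long the plaintext data key stays in process memory; it does not remove copies the runtime may already have made.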
const { KMS } = require('./lib');
const KeyId = '123-456-789';
const kms = new KMS(KeyId);
// uses global aws credentials
kms.encryptData('foo')
  .then(({ CiphertextBlob }) => {
    // returns a buffer
    console.log(CiphertextBlob.toString('base64'));
  }, err => console.error(err));
kms.decryptData('encryptedBase64Foo')
  .then(({ Plaintext }) => {
    // returns a buffer
    console.log(Plaintext.toString());
  }, err => console.error(err));
// you can always wrap the calls in an async function to get a synchronous-looking workflow
decryptAsync();
async function decryptAsync() {
  const { CiphertextBlob } = await kms.encryptData('foo');
  const { Plaintext } = await kms.decryptData(CiphertextBlob);
  console.log({ decryptedSecret: Plaintext.toString() });
}
const { Crypt } = require('./lib');
// you should use a decrypted KMS masterkey as key
const crypt = new Crypt('decryptedMasterKeyValue');
const encryptedFoo = crypt.encrypt('foo');
const decryptedFoo = crypt.decrypt(encryptedFoo);
crypt command globally:
npm install -g && npm link
./cli/crypt.js [options]
# global
crypt -h
crypt [encrypt|decrypt|get-datakey|encrypt-local|decrypt-local] -h
# local
./cli/crypt.js -h
./cli/crypt.js [encrypt|decrypt|get-datakey|encrypt-local|decrypt-local] -h
The following args are used to create the AWS.KMS instance in encrypt and decrypt:
{
-r: 'region',
-a: 'accessKeyId',
-s: 'secretAccessKey',
-t: 'sessionToken'
}
If the accessKeyId, secretAccessKey or sessionToken is omitted, the globally stored AWS credentials are used.
crypt encrypt -k 123-456-789 dataToEncrypt ~/fileToEncrypt
crypt -k 123-456-789 -p ~/Desktop dataToEncrypt ~/fileToEncrypt
Additional valid args.
{
-k: 'KeyId', // required!!
-p: 'Path' // if results should be stored in binary file - specify path
}
Files have to begin with "./", "/" or "~/". The results are displayed as a base64 string in the console.
crypt decrypt dataToEncrypt ~/fileToEncrypt
Files have to begin with "./", "/" or "~/". Data strings have to be base64 encrypted.
Generate a datakey with the given AWS masterkey and store it in a binary, encrypted file.
crypt get-datakey -k 123-456-789
crypt -k 123-456-789 -p ~/Desktop
Additional valid args.
{
-k: 'KeyId', // required!!
-p: 'Path' // if results should be stored in binary file - specify path
}
The results are displayed as strings in the console.
Encrypt datakey locally with the given AWS datakey. It makes a call to KMS, decrypts the datakey and encrypts the data with it. (AWS credentials have to be set up and the masterkey active.)
crypt encrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey
crypt encrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey -p ~/Desktop
Additional valid args.
{
-d: 'DataKey', // path to encrypted datakey - required!!
-p: 'Path' // if results should be stored in file - specify path
}
Files have to begin with "./", "/" or "~/". The results are displayed as a base64 string in the console.
Decrypt datakey locally with the given AWS datakey. It makes a call to KMS, decrypts the datakey and encrypts the data with it. (AWS credentials have to be set up and the masterkey active.)
crypt decrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey
crypt decrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey -p ~/Desktop
Additional valid args.
{
-d: 'DataKey', // path to encrypted datakey - required!!
-p: 'Path' // if results should be stored in file - specify path
}
Files have to begin with "./", "/" or "~/". The results are displayed as a base64 string in the console.
AWS credentials have to be set up globally or passed as arguments. ./config.js
MIT
© mycs 2015
Should you update the readme, use the npm script semantic-release to check if a new version has to be set and to publish it to npm.
FAQs
Helper library for use of aws-kms service
The npm package crypt-aws-kms receives a total of 1 weekly downloads. As such, crypt-aws-kms popularity was classified as not popular.
We found that crypt-aws-kms demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.