Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
crypt-aws-kms
Advanced tools
A helper tool to decrypt encrypt data through AWS KMS service. Decryption and Encryption can be done through a cli or in the codebase with the KMS class.
npm install
The idea is to use the so called Envelope Encryption proposed by AWS KMS. In short the steps are.
Do not store the decrypted datakey but keep it in memory only as long as you need it
const { KMS } = require('./lib');
const KeyId = '123-456-789';
const kms = new KMS(KeyId);
// uses global aws credentials
kms.encryptData('foo')
.then(({ CiphertextBlob }) => {
// returns a buffer
console.log(CiphertextBlob.toString('base64'));
}, err => console.error(err));
kms.decryptData('encryptedBase64Foo')
.then(({ Plaintext }) => {
// returns a buffer
console.log(Plaintext.toString());
}, err => console.error(err));
// you could always wrap the functions into an async functions to have an synchronous workflow
decryptAsync();
async function decryptAsync() {
const { CiphertextBlob } = await kms.encryptData('foo');
const { Plaintext } = await kms.decryptData(CiphertextBlob);
console.log({ decryptedSecret: Plaintext.toString() });
}
const { Crypt } = require('./lib');
// you should use a decrypted KMS masterkey as key
const crypt = new Crypt('decryptedMasterKeyValue');
const encryptedFoo = crypt.encrypt('foo');
const decryptedFoo = crypt.decrypt(encryptedFoo);
crypt
command globallynpm install -g && npm link
./cli/crypt.js [options]
# global
crypt -h
crypt [encrypt|decrypt|get-datakey|encrypt-local|decrypt-local] -h
# local
./cli/crypt.js -h
./cli/crypt.js [encrypt|decrypt|get-datakey|encrypt-local|decrypt-local] -h
Following args are used to create the AWS.KMS instance in encrypt
and decrypt
:
{
-r: 'region',
-a: 'accessKeyId',
-s: 'secretAccessKey',
-t: 'sessionToken'
}
if the accessKeyId, secretAccessKey or sessionToken is omitted the globally stored aws credentials are used
crypt encrypt -k 123-456-789 dataToEncrypt ~/fileToEncrypt
crypt -k 123-456-789 -p ~/Desktop dataToEncrypt ~/fileToEncrypt
Additional valid args.
{
-k: 'KeyId', // required!!
-p: 'Path' // if results should be stored in binary file - specify path
}
files have to begin with "./", "/" or "~/" the results are displayed as base64 string in console
crypt decrypt dataToEncrypt ~/fileToEncrypt
files have to begin with "./", "/" or "~/" data strings have to be base64 encrypted
Generate datakey with given aws masterkey and store it in binary - encrypted file.
crypt get-datakey -k 123-456-789
crypt -k 123-456-789 -p ~/Desktop
Additional valid args.
{
-k: 'KeyId', // required!!
-p: 'Path' // if results should be stored in binary file - specify path
}
the results are displayed as strings in console
Encrypt datakey locally with given aws datakey. It makes a call to kms, decrypts the datakey and encrypts with it the data. (AWS credentials have to be setup and masterkey active)
crypt encrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey
crypt encrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey -p ~/Desktop
Additional valid args.
{
-d: 'DataKey', // path to encrypted datakey - required!!
-p: 'Path' // if results should be stored in file - specify path
}
files have to begin with "./", "/" or "~/" the results are displayed as base64 string in console
Decrypt datakey locally with given aws datakey. It makes a call to kms, decrypts the datakey and encrypts with it the data. (AWS credentials have to be setup and masterkey active)
crypt decrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey
crypt decrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey -p ~/Desktop
Additional valid args.
{
-d: 'DataKey', // path to encrypted datakey - required!!
-p: 'Path' // if results should be stored in file - specify path
}
files have to begin with "./", "/" or "~/" the results are displayed as base64 string in console
aws
credentials have to be set up globally or passed as arguments./config.js
MIT
© mycs 2015
Should you update the readme, use npm script semantic-release
to check if a new version has to be set and to publish it to npm.
FAQs
Helper library for use of aws-kms service
We found that crypt-aws-kms demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.