# Envelope encryption with configurable KMS

Envelope encryption with configurable KEK (Key Encryption Key) provider.

```sh
npm install @autotelic/envelope-encryptor
```
## Using AWS KMS

```js
import { createEnvelopeEncryptor, awsKms } from '@autotelic/envelope-encryptor'

const {
  AWS_REGION,
  KMS_KEY_ID,
  KMS_ACCESS_KEY_ID,
  KMS_SECRET_ACCESS_KEY
} = process.env

const keyService = awsKms(KMS_KEY_ID, {
  region: AWS_REGION,
  credentials: {
    accessKeyId: KMS_ACCESS_KEY_ID,
    secretAccessKey: KMS_SECRET_ACCESS_KEY
  }
})

const encryptor = createEnvelopeEncryptor(keyService)
const { encrypt, decrypt } = encryptor

const {
  ciphertext,
  key,
  salt
} = await encrypt('plaintext')

const plaintext = await decrypt({
  ciphertext: ciphertext.toString(),
  key,
  salt
})
```
## Using a base64 encoded KEK

If your KEK is stored elsewhere, e.g. in a secrets manager, you can pass
it in as a base64 encoded string. The key must be 32 bytes long; you can
generate a suitable one with `crypto.randomBytes(32).toString('base64')`.

```js
import { createEnvelopeEncryptor, kekService } from '@autotelic/envelope-encryptor'

const keyService = kekService(process.env.KEY_ENCRYPTION_KEY)
const { encrypt, decrypt } = createEnvelopeEncryptor(keyService)

const {
  ciphertext,
  key,
  salt
} = await encrypt('plaintext')

const plaintext = await decrypt({
  ciphertext: ciphertext.toString(),
  key,
  salt
})
```
## Using the dummy KMS

If you don't need an actual KEK, e.g. in development or for testing,
but you do need to generate DEKs (Data Encryption Keys) to work with, there is
a dummy KMS service. The "encrypted" key is just the base64 representation of a random buffer.
This should definitely not be used in production!

```js
import { createEnvelopeEncryptor, dummyKms } from '@autotelic/envelope-encryptor'

const keyService = dummyKms()
const { encrypt, decrypt } = createEnvelopeEncryptor(keyService)

const {
  ciphertext,
  key,
  salt
} = await encrypt('plaintext')

const plaintext = await decrypt({
  ciphertext: ciphertext.toString(),
  key,
  salt
})
```
## Custom key service

You can implement a custom key service and pass it to
`createEnvelopeEncryptor`. It should be an object that provides two async
functions, `getDataKey` and `decryptDataKey`.

`getDataKey` accepts no arguments and should return an object containing
the encrypted data encryption key (encrypted by the KEK) and the plaintext
data encryption key.

`decryptDataKey` accepts an encrypted data key and should return the
plaintext data encryption key.

See the key service implementations in this module for examples.