Skip to content
This repository has been archived by the owner on Apr 9, 2024. It is now read-only.
/ crypt-aws-kms Public archive

helper tool to decrypt encrypt data through AWS KMS service.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mycsHQ/crypt-aws-kms

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

70 Commits
cli
cli
 
 
lib
lib
 
 
specs
specs
 
 
.eslintrc.js
.eslintrc.js
 
 
.gitignore
.gitignore
 
 
.npmignore
.npmignore
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
config.js
config.js
 
 
package.json
package.json
 
 

Repository files navigation

AWS KMS decrypt / encrypt cli

Build Status npm Code Style semantic-release

A helper tool to decrypt encrypt data through AWS KMS service. Decryption and Encryption can be done through a cli or in the codebase with the KMS class.

Installation

npm install

Usage

General use

The idea is to use the so called Envelope Encryption proposed by AWS KMS. In short the steps are.

  1. Create masterkey in AWS KMS
  2. Generate datakey with masterkey id and store it ENCRYPTED! locally
  3. Decrypt the datakey through KMS and encrypt files locally with decrypted datakey as key
  4. Decrypt the datakey through KMS and decrypt files locally with decrypted datakey as key

Do not store the decrypted datakey but keep it in memory only as long as you need it

Use KMS in code

const { KMS } = require('./lib');
const KeyId = '123-456-789';

const kms = new KMS(KeyId);
// uses global aws credentials
kms.encryptData('foo')
    .then(({ CiphertextBlob }) => {
        // returns a buffer
        console.log(CiphertextBlob.toString('base64'));
    }, err => console.error(err));

kms.decryptData('encryptedBase64Foo')
    .then(({ Plaintext }) => {
        // returns a buffer
        console.log(Plaintext.toString());
    }, err => console.error(err));

// you could always wrap the functions into an async functions to have an synchronous workflow
decryptAsync();

async function decryptAsync() {
  const { CiphertextBlob } = await kms.encryptData('foo');
  const { Plaintext } = await kms.decryptData(CiphertextBlob);
  console.log({ decryptedSecret: Plaintext.toString() });
}

Use CRYPT in code

const { Crypt } = require('./lib');

// you should use a decrypted KMS masterkey as key
const crypt = new Crypt('decryptedMasterKeyValue');

const encryptedFoo = crypt.encrypt('foo');
const decryptedFoo = crypt.decrypt(encryptedFoo);

Use crypt command globally

npm install -g && npm link

Use locally

./cli/crypt.js [options]

Access Help Menus

# global
crypt -h
crypt [encrypt|decrypt|get-datakey|encrypt-local|decrypt-local] -h

# local
./cli/crypt.js -h
./cli/crypt.js [encrypt|decrypt|get-datakey|encrypt-local|decrypt-local] -h

Following args are used to create the AWS.KMS instance in encrypt and decrypt:

{
    -r: 'region',
    -a: 'accessKeyId',
    -s: 'secretAccessKey',
    -t: 'sessionToken'
}

if the accessKeyId, secretAccessKey or sessionToken is omitted the globally stored aws credentials are used

encrypt

crypt encrypt -k 123-456-789 dataToEncrypt ~/fileToEncrypt

crypt -k 123-456-789 -p ~/Desktop dataToEncrypt ~/fileToEncrypt

Additional valid args.

{
    -k: 'KeyId', // required!!
    -p: 'Path' // if results should be stored in binary file - specify path
}

files have to begin with "./", "/" or "~/" the results are displayed as base64 string in console

decrypt

crypt decrypt dataToEncrypt ~/fileToEncrypt

files have to begin with "./", "/" or "~/" data strings have to be base64 encrypted

get-datakey

Generate datakey with given aws masterkey and store it in binary - encrypted file.

crypt get-datakey -k 123-456-789

crypt -k 123-456-789 -p ~/Desktop

Additional valid args.

{
    -k: 'KeyId', // required!!
    -p: 'Path' // if results should be stored in binary file - specify path
}

the results are displayed as strings in console

encrypt-local

Encrypt datakey locally with given aws datakey. It makes a call to kms, decrypts the datakey and encrypts with it the data. (AWS credentials have to be setup and masterkey active)

crypt encrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey

crypt encrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey -p ~/Desktop

Additional valid args.

{
    -d: 'DataKey', // path to encrypted datakey - required!!
    -p: 'Path' // if results should be stored in file - specify path
}

files have to begin with "./", "/" or "~/" the results are displayed as base64 string in console

decrypt-local

Decrypt datakey locally with given aws datakey. It makes a call to kms, decrypts the datakey and encrypts with it the data. (AWS credentials have to be setup and masterkey active)

crypt decrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey

crypt decrypt-local dataToEncrypt ~/fileToEncrypt -d dataKey -p ~/Desktop

Additional valid args.

{
    -d: 'DataKey', // path to encrypted datakey - required!!
    -p: 'Path' // if results should be stored in file - specify path
}

files have to begin with "./", "/" or "~/" the results are displayed as base64 string in console

Requirements

  • This project needs node > 6.
  • Valid aws credentials have to be set up globally or passed as arguments
  • For the tests to work you need to create a kms keyId you have access and use rights to and enter it in ./config.js

License

MIT

© mycs 2015

Maintainer

jroehl

TODO

  • write tests for crypt
  • documentation

Whenever editing the repository

Should you update the readme, use npm script semantic-release to check if a new version has to be set and to publish it to npm.

About

helper tool to decrypt encrypt data through AWS KMS service.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

14 watching

Forks

0 forks
Report repository

Releases 1

v1.0.0 Latest
Mar 21, 2017

Packages

No packages published

Languages