How to use the @aws-crypto/client-node.KmsKeyringNode function in @aws-crypto/client-node
To help you get started, we’ve selected a few @aws-crypto/client-node examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
aws / aws-encryption-sdk-javascript / modules / example-node / src / kms_regional_discovery.ts View on Github 
export async function kmsRegionalDiscoveryExcludeTest (ciphertext: string|Buffer) {
const discovery = true
// This provider will decrypt for keys in any region except us-east-1.
const clientProvider = excludeRegions(['us-east-1'], getKmsClient)
const keyring = new KmsKeyringNode({ clientProvider, discovery })
const cleartext = await decrypt(keyring, ciphertext)
return { ciphertext, cleartext }
}/* A KMS CMK is required to generate the data key.
* You need kms:GenerateDataKey permission on the CMK in generatorKeyId.
*/
const generatorKeyId = 'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'
/* Adding alternate KMS keys that can decrypt.
* Access to kms:Encrypt is required for every CMK in keyIds.
* You might list several keys in different AWS Regions.
* This allows you to decrypt the data in any of the represented Regions.
* In this example, I am using the same CMK.
* This is *only* to demonstrate how the CMK ARNs are configured.
*/
const keyIds = ['arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f']
/* The KMS keyring must be configured with the desired CMKs */
const kmsKeyring = new KmsKeyringNode({ generatorKeyId, keyIds })
/* You need to specify a name
* and a namespace for raw encryption key providers.
* The name and namespace that you use in the decryption keyring *must* be an exact,
* *case-sensitive* match for the name and namespace in the encryption keyring.
*/
const keyName = 'aes-name'
const keyNamespace = 'aes-namespace'
/* The wrapping suite defines the AES-GCM algorithm suite to use. */
const wrappingSuite = RawAesWrappingSuiteIdentifier.AES256_GCM_IV12_TAG16_NO_PADDING
// Get your plaintext master key from wherever you store it.
const unencryptedMasterKey = randomBytes(32)
/* Configure the Raw AES Keyring. */
const aesKeyring = new RawAesKeyringNode({ keyName, keyNamespace, unencryptedMasterKey, wrappingSuite })/* A KMS CMK is required to generate the data key.
* You need kms:GenerateDataKey permission on the CMK in generatorKeyId.
*/
const generatorKeyId = 'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'
/* Adding alternate KMS keys that can decrypt.
* Access to kms:Encrypt is required for every CMK in keyIds.
* You might list several keys in different AWS Regions.
* This allows you to decrypt the data in any of the represented Regions.
* In this example, I am using the same CMK.
* This is *only* to demonstrate how the CMK ARNs are configured.
*/
const keyIds = ['arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f']
/* The KMS keyring must be configured with the desired CMKs */
const keyring = new KmsKeyringNode({ generatorKeyId, keyIds })
/* Encryption context is a *very* powerful tool for controlling and managing access.
* It is ***not*** secret!
* Encrypted data is opaque.
* You can use an encryption context to assert things about the encrypted data.
* Just because you can decrypt something does not mean it is what you expect.
* For example, if you are are only expecting data from 'us-west-2',
* the origin can identify a malicious actor.
* See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
*/
const context = {
stage: 'demo',
purpose: 'simple demonstration app',
origin: 'us-west-2'
}export async function kmsStreamTest (filename: string) {
/* A KMS CMK is required to generate the data key.
* You need kms:GenerateDataKey permission on the CMK in generatorKeyId.
*/
const generatorKeyId = 'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'
/* The KMS keyring must be configured with the desired CMKs */
const keyring = new KmsKeyringNode({ generatorKeyId })
/* Encryption context is a *very* powerful tool for controlling and managing access.
* It is ***not*** secret!
* Encrypted data is opaque.
* You can use an encryption context to assert things about the encrypted data.
* Just because you can decrypt something does not mean it is what you expect.
* For example, if you are are only expecting data from 'us-west-2',
* the origin can identify a malicious actor.
* See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
*/
const context = {
stage: 'demo',
purpose: 'simple demonstration app',
origin: 'us-west-2'
}export async function kmsRegionalDiscoveryLimitTest (ciphertext: string|Buffer) {
const discovery = true
// This provider will *only* decrypt for keys in the us-east-1 region.
const clientProvider = limitRegions(['us-east-1'], getKmsClient)
const keyring = new KmsKeyringNode({ clientProvider, discovery })
const cleartext = await decrypt(keyring, ciphertext)
return { ciphertext, cleartext }
}export function kmsKeyring (_keyInfo: KmsKeyInfo, key: KMSKey) {
const generatorKeyId = key['key-id']
return new KmsKeyringNode({ generatorKeyId })
}@aws-crypto/client-node
Apache-2.0
Latest version published 25 days agoPackage Health Score
68 / 100Popular @aws-crypto/client-node functions
- @aws-crypto/client-node.decrypt
- @aws-crypto/client-node.decryptStream
- @aws-crypto/client-node.encrypt
- @aws-crypto/client-node.encryptStream
- @aws-crypto/client-node.excludeRegions
- @aws-crypto/client-node.KmsKeyringNode
- @aws-crypto/client-node.limitRegions
- @aws-crypto/client-node.MultiKeyringNode
- @aws-crypto/client-node.needs
- @aws-crypto/client-node.RawAesKeyringNode
- @aws-crypto/client-node.RawAesWrappingSuiteIdentifier.AES128_GCM_IV12_TAG16_NO_PADDING
- @aws-crypto/client-node.RawAesWrappingSuiteIdentifier.AES192_GCM_IV12_TAG16_NO_PADDING
- @aws-crypto/client-node.RawAesWrappingSuiteIdentifier.AES256_GCM_IV12_TAG16_NO_PADDING
- @aws-crypto/client-node.RawRsaKeyringNode