How to use the @aws-crypto/client-node.encryptStream function in @aws-crypto/client-node

To help you get started, we’ve selected a few @aws-crypto/client-node examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github aws / aws-encryption-sdk-javascript / modules / example-node / src / kms_stream.ts View on Github external
* Encrypted data is opaque.
   * You can use an encryption context to assert things about the encrypted data.
   * Just because you can decrypt something does not mean it is what you expect.
   * For example, if you are are only expecting data from 'us-west-2',
   * the origin can identify a malicious actor.
   * See: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
   */
  const context = {
    stage: 'demo',
    purpose: 'simple demonstration app',
    origin: 'us-west-2'
  }

  /* Create a simple pipeline to encrypt the package.json for this project. */
  const stream = createReadStream(filename)
    .pipe(encryptStream(keyring, { encryptionContext: context }))
    .pipe(decryptStream(new KmsKeyringNode({ discovery: true })))
    .on('MessageHeader', ({ encryptionContext }: MessageHeader) => {
      /* Verify the encryption context.
      * Depending on the Algorithm Suite, the `encryptionContext` _may_ contain additional values.
      * In Signing Algorithm Suites the public verification key is serialized into the `encryptionContext`.
      * Because the encryption context might contain additional key-value pairs,
      * do not add a test that requires that all key-value pairs match.
      * Instead, verify that the key-value pairs you expect match.
      */
      Object
        .entries(context)
        .forEach(([key, value]) => {
          if (encryptionContext[key] !== value) throw new Error('Encryption Context does not match expected values')
        })
    })