Envelope Encryption with Amazon KMS and Node
- Customer Master Keys (AWS term) (CMKs): Per platform keys eg. {dev|staging|prod}
- Tenant Master Keys (TMKs): Per customer keys eg. {customer1|customer2|customer3}
- Tenant Data Keys (TDKs): Per datasource eq. {column within database|RDS database|S3 Bucket,}
NB: Requires KMS ARN to be the specified environment var CMKID
export CMKID=arn:aws:kms:{yourregion}:{youraccount}:key/{yourkeyId}
npm run demoDemo will show input of plain text this is a secret being enctypyred using the TMK TDK key.
The resultant encrypted envelope values of [cmkId, tmkCipherText, tdkCipherText, dataCipherText, createdAt] can all at this point be serialized and stored into your data store of choice.
- Create AWS credentials
- Create a KMS (CMK) key that you can generate the ciphertext TMK and TDK with. Add the resultant ARN of the key you’d like to use to the CMKID environment variable (either inline to the command or by exporting).
- Ensure AWS IAM policy will allow KMS access from laptop
- Define the AWSREGION environment variable (default is us-west-2)
- Output should look like this - kinda
Plaintext data: this is a secret
Encrypted Envelope:
cmkId:
tmkCipherText:
tdkCipherText:
dataCipherText:
createdAt:
Decrypted Envelope:
cmkId:
dataPlainText: this is a secret
decryptedAt:
npm test