S3 Encryption Client Multipart Upload Java Sdk With Kmskey

node-s3-encryption-client

Node.js implementation of the KMS Envelope Encryption for AWS S3

The Amazon S3 Encryption Client (http://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html#sse-customer) currently only exists for Java and Ruby. This library implements KMS envelope encryption (http://docs.aws.amazon.com/kms/latest/developerguide/workflow.html) for Javascript, adding an option to select the cipher algorithm and the S3 object's encoding. It exposes getObject and putObject from the AWS S3 client, with KMS encryption options for client-side encryption.

Methods

getObject

Functions exactly the same as http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#getObject-property, except that it will transparently decrypt the object if a KMS key is present in its Metadata. Additional params are as follows.

EncryptionContext

Same as the EncryptionContext property here: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/KMS.html#generateDataKey-property Must be specified for decryption (i.e. getObject) if it was specified during encryption (i.e. putObject).

putObject

Functions exactly the same as http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#putObject-property, but with a few additional parameters, as follows.

KmsParams

A JSON document matching the params here: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/KMS.html#generateDataKey-property At the very least, KmsParams.KeyId must be defined in order for encryption to happen. Note that, per AWS documentation, either NumberOfBytes or KeySpec is required in addition to KeyId. Also note that if an EncryptionContext is given, it must also be specified in the call to getObject.

CipherAlgorithm

The cipher algorithm to use when encrypting the object. Find the list by looking at crypto.getCiphers(). Optional, will be ignored if KmsKeyId is missing.

DecryptedEncoding

The character encoding of the file to be uploaded to S3, to be used when encrypting (and thus decrypting) the object. Optional, will be ignored if KmsKeyId is missing.

cacheFor

Optionally call this method with a value > 0 in order to persist the object in an in-memory cache. This can be used to avoid repeatedly loading objects from S3 and decrypting via KMS in functions that are frequently executed. The argument is the number of milliseconds for which the S3 object should remain in the cache before becoming stale. Keep in mind that this limit will only be met as long as the function remains in memory in Lambda (i.e. the cache does not survive a cold start of the function). Obviously, using a cache introduces the risk of the in-memory version getting out of sync with the object in S3; be sure to balance performance against a reasonable TTL that will allow the function to pick up edits to the object in a timely manner.

Methodology

You can read about KMS envelope encryption above, but here's the summary:

To encrypt:

  1. Create a KMS key (it is assumed that you have already done this)
  2. Use the key from #1 to generate a KMS Data Key
  3. Use the KMS Data Key's Plaintext to encrypt your file
  4. Put the file into S3 with the KMS Data Key's CiphertextBlob in the object's Metadata
  5. Also include the cipher algorithm and decrypted encoding in the object's Metadata

To decrypt:

  1. Get the object
  2. Get the CiphertextBlob from the object's Metadata
  3. Decrypt the CiphertextBlob using the KMS library (the original KMS KeyId is not needed)
  4. Use the decrypted key plus the cipher algorithm and decrypted encoding (from the Metadata) to decrypt the object content

Since you sometimes need to upload encrypted objects to S3 manually (i.e. not using this library), there is a bash script included in the /bin folder that performs the "To encrypt" steps above: s3-put-encrypted.

Design Decisions

Callbacks

I decided to keep the callback structure in line with the AWS SDK, to most closely match that API - even though I prefer Promises. If you'd like to use this library with Promises, it's up to you to promisify it (as you would the AWS SDK).

No Salt

I may be wrong, but it seems like the Java SDK for the S3 Encryption Client doesn't use a salt. This library matches that decision, mostly because the crypto Cipher/Decipher classes don't support a salt. It might be possible to support a salt using a different part of the crypto library, but it would require a major reworking of the flow because the KMS Data Key is base64 but openssl functions that use a salt require hex.

License

Copyright 2016 Gilt Groupe, Inc.

Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0


Source: https://www.npmjs.com/package/node-s3-encryption-client
