AWS Encryption SDK for JavaScript client for the Browser
@aws-crypto/client-browser
The client-browser module includes all of the modules you need to use the AWS Encryption SDK for the JavaScript web browser.
- decrypt-browser
- encrypt-browser
- kms-keyring-browser
- material-management-browser
- caching-materials-manager-browser
- raw-aes-keyring-browser
- raw-rsa-keyring-browser
- web-crypto-backend
For code examples that show you how to these modules to create keyrings and encrypt and decrypt data, install the example-browser module.
install
To install this module, use the npm package manager. For help with installation, see https://www.npmjs.com/get-npm.
npm install @aws-crypto/client-browseruse
For detailed code examples that show you how to these modules to create keyrings and encrypt and decrypt data, install the example-browser module.
/* Start by constructing a keyring. We'll create a KMS keyring.
* Specify an AWS Key Management Service (AWS KMS) customer master key (CMK) to be the
* generator key in the keyring. This CMK generates a data key and encrypts it.
* To use the keyring to encrypt data, you need kms:GenerateDataKey permission
* on this CMK. To decrypt, you need kms:Decrypt permission.
*/
const generatorKeyId = 'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt'
/* You can specify additional CMKs for the keyring. The data key that the generator key
* creates is also encrypted by the additional CMKs you specify. To encrypt data,
* you need kms:Encrypt permission on this CMK. To decrypt, you need kms:Decrypt permission.
*/
const keyIds = ['arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f']
/* Create a KMS client provider with your AWS credentials */
const clientProvider = getClient(KMS, {
credentials: {
accessKeyId,
secretAccessKey
}
})
/* Create the KMS keyring */
const keyring = new KmsKeyringBrowser({ clientProvider, generatorKeyId, keyIds })
/* Set an encryption context For more information:
* https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context
*/
const context = {
stage: 'demo',
purpose: 'simple demonstration app',
origin: 'us-west-2'
}
/* Create a string to encrypt */
const plainText = new Uint8Array([1, 2, 3, 4, 5])
/* Encrypt the string using the keyring and the encryption context
* the Encryption SDK returns an "encrypted message" (`result`) that includes the ciphertext,
* the encryption context, and the encrypted data keys.
*/
const { result } = await encrypt(keyring, plainText, { encryptionContext: context })
/* Decrypt the result using the same keyring */
const { plaintext, messageHeader } = await decrypt(keyring, result)
/* Get the encryption context */
const { encryptionContext } = messageHeader
/* Verify that all values in the original encryption context are in the
* current one. (The Encryption SDK adds extra values for signing.)
*/
Object
.entries(context)
.forEach(([key, value]) => {
if (encryptionContext[key] !== value) throw new Error('Encryption Context does not match expected values')
})
/* If the encryption context is verified, log the plaintext. */
document.write('</br>Decrypted:' + plaintext)
console.log(plaintext)test
npm testCompatibility Considerations
WebCrypto availability
The WebCrypto API is not available on all browsers. A fallback can be configured. An example of a fallback library is: MSR Crypto
import { configureFallback } from '@aws-crypto/client-browser'
configureFallback(msrCrypto)For details on configureFallback see: @aws-crypto/web-crypto-backend
Zero Byte AES-GCM operations
Modern versions of Safari do not support AES-GCM on zero bytes. The AWS Encryption SDK needs this to operate. To fix this, configure a fallback library exactly as above. The AWS Encryption SDK will only use the fallback for zero byte operations.
RSA Options
The WebCrypto API does not support PKCS1v15 RSA key wrapping.
192 Bit Keys
Browsers do not support key lengths of 192 bits.
license
This SDK is distributed under the Apache License, Version 2.0, see LICENSE.txt and NOTICE.txt for more information.