Encrypts and decrypts parts of your objects with KMS
yarn add @springworks/strongboxnew EncryptedString(base64_encoded_payload: string, region: string = 'eu-west-1')
new EncryptedBuffer(base64_encoded_payload: string, region: string = 'eu-west-1')
KMS-backed encryption. Region must match the region origin of the key used.
new SecretString(secret_key: string)
new SecretBuffer(secret_key: string)
Backed by Secrets Manager. Key needs to match whatever key used when adding it to Secrets Manager. It will fetch secret based of the region defined in the AWS_REGION env variable.
new StringTemplateWithEncryptedReplacements(template: string, replacements: {{string, Value<string>}}
Allows for string templating with encrypted replacements, backed by either KMS or Secrets Manager. Placeholders are marked using {{}}, e.g. {{secret_value}}.
new PlaintextString(plaintext: string)
new PlaintextBuffer(plaintext: Buffer)
Use for testing only. This is just an implementation that follows the same pattern as the other ones, for cases where you don't care about secrecy or want to depend on AWS infrastructure.
const encrypted = new EncryptedString(
'AQICAHjg0O39bvgnA1YWd4LvG+dcJh85OCHdt6SpzvcEupvagwGgPy1gWrdq2Fd34PpX0AOQAAAAaDBmBgkqhkiG9w0BBwagWTBXAgEAMFIGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMbDDcyBW03WWIxlNkAgEQgCXtyqbMbQZDoH9CPgEdHUwJpbOAx2a5qgHUWfWvp87EjfE8U3b0',
);
const decrypted = await encrypted.decrypt();const encrypted = new StringTemplateWithEncryptedReplacements('{{secret_a}}:{{secret_b}}@something.com', {
secret_a: new EncryptedString('KMS encrypted string'),
secret_b: new SecretString('Secrets Manager key'),
});
const decrypted = await encrypted.decrypt();