kms-json
Node.JS module for encrypting and decrypting JSON objects using AWS Key Management Service (KMS) customer master keys.
A CLI wrapper is also available.
Usage
-
Install the package:
npm install kms-json
-
Require and instantiate
kms-json
:const KmsJson = ;const kmsJson =awsKmsSettings:accessKeyId: 'AKIAIOSFODNN7EXAMPLE'secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'region: 'us-east-1'keyId: 'arn:aws:kms:us-east-1:123456:key/a7c08fe1-b767-4883-8c94-85726';
Supported options:
Name | Type | Description |
---|---|---|
awsKmsSettings | Object | Settings object passed into the AWS.KMS constructor as defined in AWS Javascript SDK. Can be used to specify credentials, region, API version, etc. Default: {} |
keyId | string | Cutomer master key's Amazon Resource Name (ARN) or unique key id (See AWS Javascript SDK, KeyId ). Required |
encoding | string | Character encoding to represent the encrypted string. Default: 'base64' See Node.JS Buffer API |
- Encrypt a JSON object:
const encrypted = kmsJson;console;// outputs a string like "AQECAHgNzJL58IXknWSXEuLX+0y9U4qC...rilpa8RMxzFV1"// depending on the key, payload size, and encoding
- Decrypt an encrypted JSON object:
const decrypted = kmsJson;console;// outputs { fullName: 'John Connor', userId: 123, isActive: true }
CLI
node cli -h
[json-object] | node cli -r [region] -k [access-key-id] -s [secret-access-key]-m ["decrypt" OR "encrypt"] -y [kms-key-id] -c [encoding] Options: -m, --mode Mode [required] [choices: "encrypt", "decrypt"] -r, --region AWS Region [required] -k, --access-key-id AWS Access Key Id [required] -s, --secret-access-key AWS Secret Access Key [required] -y, --kms-key-id AWS KMS key id [required] -c, --encoding Encoding of ciphertext [required] -h, --help Show help [boolean] More examples at http://github.com/AlexanderMS/kms-json
- Encrypt:
$ echo '{"fullName": "John Connor", "userId": 123, "isActive": true }' | node cli -r "us-east-1" -y "arn:aws:kms:us-east-1:123456:key/a7c08fe1-b767-4883-8c94-85726" -k "AKIAIOSFODNN7EXAMPLE" -s "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" -m encrypt -c "base64"Provided JSON:Specified encoding: base64Encrypting...AQECAHgNzJL58IXknWSXEuLX+0y9U4qCdOkGemXt5OM+6ba0aAAAAKkwgaYGCSqGSIb3DQEHBqCBmDCBlQIBADCBjwYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzkDMa60HA8ePR8vIECARCAYssYOWcDTa6SfQRce2brSAZuDZS2TdJGksWyXvSiILLOgRKlyigZKbImXlboeYzIUDeSwivIBprmC1glq+3UrTRoPl+fZRJA4wjnBhBeVyCjEBQhmsFl1warilpa8RMxzFV1
- Decrypt:
$ echo 'AQECAHgNzJL58IXknWSXEuLX+0y9U4qCdOkGemXt5OM+6ba0aAAAAKkwgaYGCSqGSIb3DQEHBqCBmDCBlQIBADCBjwYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzkDMa60HA8ePR8vIECARCAYssYOWcDTa6SfQRce2brSAZuDZS2TdJGksWyXvSiILLOgRKlyigZKbImXlboeYzIUDeSwivIBprmC1glq+3UrTRoPl+fZRJA4wjnBhBeVyCjEBQhmsFl1warilpa8RMxzFV1' | node cli -r "us-east-1" -y "arn:aws:kms:us-east-1:123456:key/a7c08fe1-b767-4883-8c94-85726" -k "AKIAIOSFODNN7EXAMPLE" -s "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" -m decrypt -c "base64"Provided ciphertext:AQECAHgNzJL58IXknWSXEuLX+0y9U4qCdOkGemXt5OM+6ba0aAAAAKkwgaYGCSqGSIb3DQEHBqCBmDCBlQIBADCBjwYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzkDMa60HA8ePR8vIECARCAYssYOWcDTa6SfQRce2brSAZuDZS2TdJGksWyXvSiILLOgRKlyigZKbImXlboeYzIUDeSwivIBprmC1glq+3UrTRoPl+fZRJA4wjnBhBeVyCjEBQhmsFl1warilpa8RMxzFV1Specified encoding: base64Decrypting...{"fullName": "John Connor", "userId": 123, "isActive": true }
For Windows command line (cmd.exe
), do not wrap the piped input with quotes, i.e., replace '{"fullName": "John Connor"... }'
with {"fullName": "John Connor"... }