objection-encryption v1.0.1
Objection Encryption
This is an Objection.js plugin that enables field level encryption and decryption of values stored in a database.
Usage
// Import plugin
const ObjectionEncryption = require('objection-encryption');
// Create an instance with the fields that should be encrypted on insert and decrypted on find.
const Encryption = ObjectionEncryption({
fields: ['ssn']
});
// Extend your Objection Model with the Encryption instance
class Account extends Encryption(Model) {
static get tableName() {
return 'Account';
}
}
const insertAccount = await Account.query()
.insert({ name: 'Jennifer', ssn: 'AAA-GG-SSSS' });
console.log(insertAccount);
//
// Account {
// name: 'Jennifer',
// ssn: 'enc:XX+9B5624XevryfUnJew==:olJo1Uv3XCzv1ZRCW5Toiw==',
// id: 2
// }
//
const findAccount = await Account.query()
.findById(2);
console.log(findAccount);
//
// Account {
// name: 'Jennifer',
// ssn: 'AAA-GG-SSSS',
// id: 2
// }
//Configuration
You can initialize the library with several options
const crypto = require('crypto');
const ObjectionEncryption = require('objection-encryption');
// Create an instance with the fields that should be encrypted on insert and decrypted on find.
const Encryption = ObjectionEncryption({
fields: ['ssn'],
algorithm: 'aes-256-gcm',
aesKey: crypto.randomBytes(32)
});| Option | Default | Description |
|---|---|---|
feilds | [] | Fields that should be encrypted and decrypted |
algorithm | aes-256-gcm | The encryption algorithm to use, options aes-256-gcm aes-256-cbc |
aesKey | null | Key to use for encrytion |
Crypto
By default aes-256-gcm is used for encryption that requires a 32 randomly generated key. Each encrypted value includes an IV, the IV is unique per encryption.
Format
Example encrypted value
enc:v1:VUKkbuDKaTeV17MF6VzUiQ==:VWmo5uwsTbSacm13u704rjXg+lGzAZsJBdXAtgQeThe value is formatted into 4 parts separated by the : character.
| Index | Value | Description |
| ------------------- | ------------------ | ----------- |
| 0 | enc | prefix identifier |
| 1 | v1 | version |
| 2 | VUKkbuDKaTeV17MF6VzUiQ== | initialization vector (IV) (base64) |
| 3 | VWmo5uwsTbSacm13u704rjXg+lGzAZsJBdXAtgQe | ciphertext (base64) |
Hashicorp Vault
objection-encryption can be configured to use and AES key from Hashicorp Vault. This is only compatible with the default aes-256-gcm algorithm.
Setup
You must generate an exportable key from Vault, this will assume you have Vault installed on your local machine
Start Vault in Dev mode
vault server -devEnable transit encryption
vault secrets enable transitCreate a key that is exportable with the exportable flag set to true.
curl --header "X-Vault-Token: ..." \
--request POST \
--data '{"type": "aes256-gcm96", "exportable": true}' \
http://127.0.0.1:8200/v1/transit/keys/objection-encryptionGet the key details
curl --header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/transit/export/encryption-key/objection-encryption/1Note
The key returned from Vault will be base64 encoded, to pass this to objection-encryption in the correct format create a Buffer with base64 input encoding.
const Encryption = ObjectionEncryption({
fields: ['ssn'],
aesKey: Buffer.from(vaultKey, 'base64)
});