Panda-confidential-kms NPM

panda-confidential-kms

Extension to Panda-Confidential to leverage AWS KMS

We built Panda-Confidential to make TweetNaCl.js easier to use and extend without giving up auditability. This library extends Confidential with the AWS Key Management Service, leveraging a source of robust randomness and allowing only indirect access to cryptographic keys.

Installation

npm install panda-confidential panda-confidential-kms --save

Usage

import SDK from "aws-sdk"
# Add your credentials to SDK.config

import {confidential} from "panda-confidential"
import KMS from "panda-confidential-kms"
{randomBytes, key, decrypt, encrypt, randomBytes, encode} = KMS confidential(), SDK

Panda-Confidential-KMS replaces the default TweetNaCl.js randomBytes interface with generateRandom, using KMS to generate a cryptographically secure random value.

Panda-Confidential-KMS also adds a new key type, KMSKeyID. The encrypt function recognizes keys instantiated with KMS constructor. KMS is limited to encrypting data 4kB or shorter. So we use TweetNaCl.js to encrypt the data symmetrically (with a unique key for each operation) and then lock the key with KMS.

do ->
  myKey = key.KMS "alias/myKey"

  # Person A symmetrically encrypts their data.
  message = "Hello World!"
  ciphertext = await encrypt myKey, message

decrypt performs the reverse operation, unlocking the unique key with KMS and then using TweetNaCl.js to recover the plaintext.

  # Later, Person A decrypts that ciphertext.
  output = await decrypt myKey, ciphertext

encryption serverless lambda node PKE public key encryption symmetric encryption asymmetric encryption KMS panda sky

panda-generics panda-parchment

@infinitebrahmanuniverse/nolb-pand @everything-registry/sub-chunk-2405

5 years ago

5 years ago

5 years ago

5 years ago

6 years ago

6 years ago