kms-vault
This kms-vault is encrypt/decrypt tool inspired by ansible-vault.
"ansible-vault" uses secret passphrase when encrypt/decrypt data. "kms-vault" uses CMK that managed by Amazon KMS instead of secret passphrase ,
Usage
Instalation
$ npm install kms-vault
Commandline
$ $(npm bin)/kms-vault
Usage: kms-vault [options] [command]
Commands:
decrypt [encryptedBase64String] encrypted base64 string to plain string use CMK.
encrypt [plainStr] plain string to encrypted base64 use CMK
datakey generate datakey use CMK
Options:
-h, --help output usage information
-V, --version output the version number
-r, --region <region> AWS_REGION(default is `us-east-1`)
-k, --key [kmsKeyAlias] KMS CMK alias name
$ $(npm bin)/kms-vault -k alias/forTest encrypt somePassword
AQECAHhyvC+4FgLo7XdXfh5o6JgnT/l9P+Sq+EPVjq7mGLAIIwAAAGowaAYJKoZIhvcNAQcGoFswWQIBADBUBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDCJgX/XbBNkM1kifLwIBEIAnKfV3M+OeH9ErdYUZxYN09EY9vD0HvTH+P9bOTrjNGKKWzTQ2D1wV
$ $(npm bin)/kms-vault -k alias/forTest decrypt AQECAHhyvC+4FgLo7XdXfh5o6JgnT/l9P+Sq+EPVjq7mGLAIIwAAAGowaAYJKoZIhvcNAQcGoFswWQIBADBUBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDCJgX/XbBNkM1kifLwIBEIAnKfV3M+OeH9ErdYUZxYN09EY9vD0HvTH+P9bOTrjNGKKWzTQ2D1wV
somePassword
Decrypt encrypted config value in your code (async with Promise)
index.js
const co = ;const KmsConfig = KmsConfig; ;config/default.js
"use strict";const encrypted = KmsConfigencrypted; moduleexports = db: user: "hogehoge" password: "kms-vault": awsOpts: region: "us-east-1" Decrypt encrypted config value in your code (sync)
"use strict";const KmsConfig = KmsConfig;const d = awsOpts: region: "us-east-1" ; const decryptedString = d;console;