Blog 5 november, 2018

Using AWS Key Management (KMS) to encrypt and decrypt in AWS Lambda (NodeJS)

AWS Key Management (KMS) is a fully managed service that makes it easy to create and control encryption keys on AWS which can then be utilised to encrypt and decrypt data in a safe manner. The service leverages Hardware Security Modules (HSM) under the hood which in return guarantees security and integrity of the generated keys.

You can enable AWS KMS to store your data-at-rest on many AWS storage solutions (like DynamoDB and EBS). However in our Lambda functions we would like to encrypt (and decrypt) certain values on runtime. So we needed some code to encrypt and decrypt. Took me some while to figure it out, so here it is.

Here is the function to encrypt any string against the AWS KMS Key. You can create a KMS Key through AWS IAM in the console or (much better) AWS CloudFormation.

const kmsClient = new AWS.KMS({region: 'eu-west-1'});

/**
 * Encrypt
 */
async function encryptString(text: string): Promise<string> {

    const paramsEncrypt = {
        KeyId: 'arn:aws:kms:eu-west-1:........',
        Plaintext: new Buffer(text)
    };

    const encryptResult = await kmsClient.encrypt(paramsEncrypt).promise();
    // The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.
    if (Buffer.isBuffer(encryptResult.CiphertextBlob)) {
        return Buffer.from(encryptResult.CiphertextBlob).toString('base64');
    } else {
        throw new Error('Mayday Mayday');
    }
}

And we can use the result (an encrypted string) to store it in DynamoDB, Aurora or send it wherever we want. So in the end we would like to decrypt it as well. So …

/**
 * Decrypt
 */
async function decryptEncodedstring(encoded: string): Promise<string> {

    const paramsDecrypt: AWS.KMS.DecryptRequest = {
        CiphertextBlob: Buffer.from(encoded, 'base64')
    };

    const decryptResult = await kmsClient.decrypt(paramsDecrypt).promise();
    if (Buffer.isBuffer(decryptResult.Plaintext)) {
        return Buffer.from(decryptResult.Plaintext).toString();
    } else {
        throw new Error('We have a problem');
    }
}

Hope it helps!

References

  • Example code including test function available in my Github as well

 

Meer blogs

Techblog Blogs

Nexus configuration for docker

In this blogpost, we will configure the Nexus repository that we introduced in the previous post. We will create a basic repository setup with three levels: snapshot repository for our…

Barry van Acker
23 september, 2018

Techblog Blogs

Basic Gatling load script with feeders

A blogpost about gatling, a nice tool to loadtest your application. This blogpost shows you how to manipulate your data that you send to your rest endpoint. Source: Basic Gatling…

Dirk Janssen
15 maart, 2017

Techblog Blogs

JBoss Datavirtualization change OData row limit

Introduction With JBoss Datavirtualization it is possible to expose your virtual databases as a REST service. By default when an exposed table has a primary key; Teiid Designer (the development…

Thomas Janssen
4 december, 2017

Techblog Architectuur

An introduction to iPaaS

In the IT industry, among others, you’re often only as good as your last success. As Rogers (2016) mentions: “In a world of rapidly changing technology and customer needs, it…

Rubén Middeljans
30 maart, 2020

Techblog Blogs

CSSconf in 5 minuten

Rick en Michel van ilionx Interactive Marketing zijn het afgelopen weekend in Berlijn geweest voor CSSconf en JSConf EU 2019. Afgelopen vrijdag, 31 mei, was CSSConf. Voor wie er niet…

Michel Vollebregt
3 juni, 2019