aws kms generate-data-key-without-plaintext \

dataKey CRYPTEX_KEYSOURCE_KMS_PATH: The base64 string you got when you ran that command above.
region CRYPTEX_KEYSOURCE_KMS_REGION: The AWS region (such as us-east-1) in which the master KMS key can be found. If not specified, the region already configured in aws-sdk is used.

A note about aws-sdk configuration: The KMS keySource uses Amazon's official Node.js aws-sdk library. If you're using npm>=3, it will use the same aws-sdk object as any you might have in your local project, carrying over its configuration. The highly recommended way to allow it to access KMS in production (assuming it's in production on AWS servers) is to attach an IAM role to the EC2 node with permission to decrypt with the master key you're using. Otherwise, please see Amazon's guide on configuring the SDK to provide it with credentials.

File ("file")

If your secure key is available in a file, use this method. Note, however, that it is your responsibility to make sure that key file stays secure and inaccessible to prying eyes! Is your key file something other than binary-encoded? Set keySourceEncoding in your config, or set the CRYPTEX_KEYSOURCEENCODING environment variable, to either base64 or hex.

path CRYPTEX_KEYSOURCE_FILE_PATH: The path to the key file

Download via http(s) ("http")

DANGER. ONLY USE THIS IF YOU ABSOLUTELY KNOW WHAT YOU'RE DOING. If you're using anything other than an https URL in production, you're definitely doing it wrong: over plain http the key crosses the network in the clear. You'll need to be an expert in locking your key server down for this to be anywhere near secure.

As with file, if your key file is something other than binary-encoded, set keySourceEncoding in your config, or set the CRYPTEX_KEYSOURCEENCODING environment variable, to either base64 or hex.

url CRYPTEX_KEYSOURCE_HTTP_URL: The URL to the key file to download
timeout CRYPTEX_KEYSOURCE_HTTP_TIMEOUT: The number of milliseconds after which to fail the download. (Default: 4000)

Plain text ("plaintext")

DANGER. Useful for local development and testing, this allows the key to be saved in plain text. You'll also want to set keySourceEncoding in your config (or the CRYPTEX_KEYSOURCEENCODING environment variable) to either base64 or hex, whichever way you've stringified your key.

key CRYPTEX_KEYSOURCE_PLAINTEXT_KEY: Your key, in plain text

No key ("none")

This is useful if you're plugging in an algorithm that doesn't require a pre-set key to be used.

The recommended and default algorithm is aes256. You don't even need to set algorithm in your config or the CRYPTEX_ALGORITHM environment variable. If you're good with that, move on! But for the sake of completeness:

AES 256-bit ("aes256")