# AWS Encryption SDK for JavaScript client for Node.js # @aws-crypto/client-node The *client-node* module includes all of the modules you need to use the AWS Encryption SDK for JavaScript with Node.js. * decrypt-node * encrypt-node * kms-keyring-node * material-management-node * caching-materials-manager-node * raw-aes-keyring-node * raw-rsa-keyring-node For code examples that show you how to these modules to create keyrings and encrypt and decrypt data, install the [example-node](https://github.com/aws/aws-encryption-sdk-javascript/tree/master/modules/example-node) module. ## install To install this module, use the npm package manager. For help with installation, see [https://www.npmjs.com/get-npm](https://www.npmjs.com/get-npm). ```sh npm install @aws-crypto/client-node ``` ## use For detailed code examples that show you how to these modules to create keyrings and encrypt and decrypt data, install the [example-node](https://github.com/aws/aws-encryption-sdk-javascript/tree/master/modules/example-node) module. ```javascript /* Start by constructing a keyring. We'll create a KMS keyring. * Specify an AWS Key Management Service (AWS KMS) customer master key (CMK) to be the * generator key in the keyring. This CMK generates a data key and encrypts it. * To use the keyring to encrypt data, you need kms:GenerateDataKey permission * on this CMK. To decrypt, you need kms:Decrypt permission. */ const generatorKeyId = 'arn:aws:kms:us-west-2:658956600833:alias/EncryptDecrypt' /* You can specify additional CMKs for the keyring. The data key that the generator key * creates is also encrypted by the additional CMKs you specify. To encrypt data, * you need kms:Encrypt permission on this CMK. To decrypt, you need kms:Decrypt permission. */ const keyIds = ['arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f'] /* Create the KMS keyring */ const keyring = new KmsKeyringNode({ generatorKeyId, keyIds }) /* Set an encryption context For more information: * https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/concepts.html#encryption-context */ const context = { stage: 'demo', purpose: 'simple demonstration app', origin: 'us-west-2' } /* Create a string to encrypt */ const cleartext = 'asdf' /* Encrypt the string using the keyring and the encryption context * the Encryption SDK returns an "encrypted message" (`result`) that includes the ciphertext * the encryption context, and the encrypted data keys. */ const { result } = await encrypt(keyring, cleartext, { encryptionContext: context }) /* Decrypt the result using the same keyring */ const { plaintext, messageHeader } = await decrypt(keyring, result) /* Get the encryption context */ const { encryptionContext } = messageHeader /* Verify that all values in the original encryption context are in the * current one. (The Encryption SDK adds extra values for signing.) */ Object .entries(context) .forEach(([key, value]) => { if (encryptionContext[key] !== value) throw new Error('Encryption Context does not match expected values') }) /* If the encryption context is verified, return the plaintext. */ ``` ## test ```sh npm test ``` ## Compatibility Considerations ### RSA Options Node.js crypto does not support all RSA key wrapping options supported by other other implementation of the AWS Encryption SDK The supported configurations are: * OAEP with SHA1 and MGF1 with SHA1 * PKCS1v15 ## license This SDK is distributed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0), see LICENSE.txt and NOTICE.txt for more information.