
Node: erasing the AWS KMS plaintext data key from memory



From the documentation for the KMS GenerateDataKey operation:

We recommend that you use the following pattern to encrypt data locally in your application:

Use the GenerateDataKey operation to get a data encryption key.

Use the plaintext data key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.

Is the following code enough to ensure that the plaintext key is erased from memory once it has been used?

const aws = require("aws-sdk");
const crypto = require("crypto"); // needed by MyEncryptionFunction below
const kms = new aws.KMS({...config});

(async () => {

    /** {Plaintext: Buffer, CiphertextBlob: Buffer} **/
    let dataKey = await kms.generateDataKey({...options}).promise();

    let encryptedString = MyEncryptionFunction(dataKey.Plaintext, "Hello World");

    dataKey.Plaintext.fill(0); // overwrite the buffer with zeroes to erase it from memory
})();

function MyEncryptionFunction(key, dataString) {
    let iv = crypto.randomBytes(16);
    // "aes256" is the OpenSSL alias for aes-256-cbc; the IV must be stored with the
    // ciphertext (it is not returned here) or the data cannot be decrypted later.
    let cipher = crypto.createCipheriv("aes256", key, iv);
    return cipher.update(dataString, "utf8", "hex") + cipher.final("hex");
}

Is it safe to assume that the AWS SDK does not leak or copy the key into other parts of memory, and that the same holds for the built-in crypto library's createCipheriv function, so that simply overwriting the Plaintext buffer with zeroes should adequately erase the key from memory?


Answer: This is what the AWS Encryption SDK for JavaScript does [1]. In fact, if the Encryption SDK provides the functionality you need, I would recommend just using it.