Node: erasing an AWS KMS data key from memory
From the documentation of the KMS GenerateDataKey operation:
We recommend that you use the following pattern to encrypt data locally in your application: Use the GenerateDataKey operation to get a data encryption key. Use the plaintext data key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.
This code should be enough to ensure that the plaintext key is erased from memory once it has been used.
```javascript
const aws = require("aws-sdk");
const crypto = require("crypto"); // required by MyEncryptionFunction, was missing
const kms = new aws.KMS({...config});

(async () => {
  /** {Plaintext: Buffer, CiphertextBlob: Buffer} **/
  let dataKey = await kms.generateDataKey({...options}).promise();
  try {
    let encryptedString = MyEncryptionFunction(dataKey.Plaintext, "Hello World");
  } finally {
    // overwrite the buffer with zeroes to erase the key from memory;
    // done in `finally` so a thrown error cannot skip the erase
    dataKey.Plaintext.fill(0);
  }
})();

function MyEncryptionFunction(key, dataString) {
  let iv = crypto.randomBytes(16);
  // "aes-256-cbc" is the explicit name of what the "aes256" alias resolves to
  let cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
  // the IV must travel with the ciphertext, otherwise it cannot be decrypted later
  return iv.toString("hex") + cipher.update(dataString, "utf8", "hex") + cipher.final("hex");
}
```
Is it safe to assume that the aws sdk does not leak or copy the key into other parts of memory, and that the same holds for the built-in crypto library's createCipheriv function, so that simply overwriting the Plaintext buffer with zeroes is sufficient to erase the key from memory?
Answer: This is what the AWS Encryption SDK for JavaScript does [1]. In fact, if the Encryption SDK offers the functionality you need, I would recommend just using it.