来自文档的KMS操作GenerateDataKey https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html
We recommend that you use the following pattern to encrypt data locally in your application:
Use the GenerateDataKey operation to get a data encryption key.
Use the plaintext data key (returned in the Plaintext field of the response) to encrypt data locally, then erase the plaintext data key from memory.
此代码足以确保使用完后将明文密钥从内存中删除。
const aws = require("aws-sdk");
const kms = new aws.KMS({...config});
(async () => {
/** {Plaintext: Buffer, CiphertextBlob: Buffer} **/
let dataKey = await kms.generateDataKey({...options}).promise();
let encryptedString = MyEncryptionFunction(dataKey.Plaintext, "Hello World");
dataKey.Plaintext.fill(0); //overwrite the buffer with zeroes to erase from memory;
})();
function MyEncryptionFunction(key, dataString) {
let iv = crypto.randomBytes(16);
let cipher = crypto.createCipheriv("aes256", key, iv);
return cipher.update(dataString, "utf8", "hex") + cipher.final("hex");
}
可以安全地假设aws sdk不会将密钥泄漏/复制到内存的其他部分,并且与内置加密库的createCipheriv功能相同,因此只需覆盖{{1 }}带零的缓冲区应该从内存中充分擦除密钥吗?
答案 0 :(得分:2)
这是适用于JavaScript的AWS Encryption SDK所做的[1]。 实际上,如果Encryption SDK提供了所需的功能, 我建议只使用它。
aws-sdk将此值视为敏感值 并在Node.js [2]中创建一个隔离的Buffer。 这意味着明文键的作用域仅限于此功能 只要它不共享它, 没有其他副本,也没有人可以访问。 (通常的“没有坏人可以对您的服务器进行root访问”)
在节点[3] .. [4]中跟踪调用createCipheriv。 它会将密钥引用交给openSSL,而不是副本。
[2] https://github.com/aws/aws-sdk-js/pull/2622/files
[3] https://github.com/nodejs/node/blob/master/lib/crypto.js#L114
[4] https://github.com/nodejs/node/blob/master/src/node_crypto.cc#L4099