Class: ActiveCipherStorage::Providers::AwsKmsProvider

Inherits:
Base
  • Object
Includes:
KeyUtils
Defined in:
lib/active_cipher_storage/providers/aws_kms_provider.rb

Constant Summary collapse

PROVIDER_ID =
"aws_kms"

Instance Method Summary collapse

Constructor Details

#initialize(key_id:, region: nil, endpoint: nil, access_key_id: nil, secret_access_key: nil, encryption_context: {}, client: nil) ⇒ AwsKmsProvider

Returns a new instance of AwsKmsProvider.



# File 'lib/active_cipher_storage/providers/aws_kms_provider.rb', line 8

# Records the KMS key and client settings for later use. This method only
# assigns instance variables; it makes no AWS call.
#
# @param key_id [String] KMS key identifier sent with GenerateDataKey
# @param region [String, nil] kept in @region (presumably read when the client is built; confirm)
# @param endpoint [String, nil] kept in @endpoint (presumably a custom KMS endpoint; confirm)
# @param access_key_id [String, nil] optional static credential
# @param secret_access_key [String, nil] optional static credential
# @param encryption_context [Hash, nil] sent with GenerateDataKey and Decrypt; nil becomes {}
# @param client [Object, nil] kept in @client_override (presumably used in place of a built client; confirm)
def initialize(key_id:, region: nil, endpoint: nil, access_key_id: nil,
               secret_access_key: nil, encryption_context: {}, client: nil)
  # Which key to use and where to reach KMS.
  @key_id, @region, @endpoint = key_id, region, endpoint

  # NOTE(review): the secret access key stays in an instance variable for the
  # object's lifetime, and Ruby's default #inspect prints instance variables.
  # Confirm the class redacts it or that instances are never logged.
  @access_key_id, @secret_access_key = access_key_id, secret_access_key

  # The caller's hash is stored without copying, so a later mutation by the
  # caller changes the context sent to KMS. KMS authenticates the context but
  # does not encrypt it (it is recorded in CloudTrail), so it should hold no
  # secrets; Decrypt must present the same context used at generation time.
  context = encryption_context || {}
  @encryption_context = context

  @client_override = client
end

Instance Method Details

#decrypt_data_key(encrypted_key) ⇒ Object



# File 'lib/active_cipher_storage/providers/aws_kms_provider.rb', line 36

# Unwraps an encrypted data key through KMS Decrypt and returns a private copy
# of the plaintext key.
#
# The returned string is a duplicate; nothing in this method wipes it, so the
# caller is presumably responsible for clearing it after use.
#
# NOTE(review): key_id is not sent with Decrypt, so for symmetric keys KMS
# picks the key from metadata inside the blob. AWS recommends passing KeyId so
# a blob wrapped under an unexpected key is rejected, and IncorrectKeyException
# is documented for a KeyId mismatch. Confirm whether omitting it is deliberate
# (e.g. to keep data under older keys readable) before adding it.
#
# @param encrypted_key [String] ciphertext blob of the wrapped data key
# @return [String] duplicate of the plaintext data key
# @raise [Errors::KeyManagementError] when KMS rejects the request
def decrypt_data_key(encrypted_key)
  response = kms_client.decrypt(ciphertext_blob: encrypted_key,
                                encryption_context: @encryption_context)
  response.plaintext.dup
rescue Aws::KMS::Errors::InvalidCiphertextException,
       Aws::KMS::Errors::IncorrectKeyException => e
  # KMS also reports InvalidCiphertextException when the encryption context
  # differs from the one used at generation, not only for a corrupted blob.
  raise Errors::KeyManagementError,
        "KMS Decrypt failed — wrong key or tampered DEK: #{e.message}"
rescue Aws::KMS::Errors::ServiceError => e
  # Every other KMS service error is wrapped in the same library error class.
  raise Errors::KeyManagementError, "KMS Decrypt failed: #{e.message}"
ensure
  # The response object still holds the plaintext key; hand that buffer to
  # zero_bytes! (not shown here, presumably from KeyUtils and assumed to
  # overwrite in place). response is nil when the decrypt call itself raised.
  sdk_buffer = response&.plaintext
  zero_bytes!(sdk_buffer) unless sdk_buffer.nil?
end

#generate_data_key ⇒ Object



# File 'lib/active_cipher_storage/providers/aws_kms_provider.rb', line 22

# Requests a fresh AES-256 data key from KMS under @key_id, bound to
# @encryption_context, and returns duplicates of both forms of the key.
#
# Nothing here wipes the returned :plaintext_key, so the caller is presumably
# responsible for clearing it once the data has been encrypted.
#
# @return [Hash] :plaintext_key (raw key copy) and :encrypted_key (KMS-wrapped copy)
# @raise [Errors::KeyManagementError] when KMS returns a service error
def generate_data_key
  response = kms_client.generate_data_key(key_id: @key_id,
                                          key_spec: "AES_256",
                                          encryption_context: @encryption_context)
  plaintext_copy = response.plaintext.dup
  wrapped_copy   = response.ciphertext_blob.dup
  { plaintext_key: plaintext_copy, encrypted_key: wrapped_copy }
rescue Aws::KMS::Errors::ServiceError => e
  raise Errors::KeyManagementError, "KMS GenerateDataKey failed: #{e.message}"
ensure
  # The SDK response may keep its own reference to the plaintext key, so that
  # buffer is handed to zero_bytes! (not shown here, presumably from KeyUtils
  # and assumed to overwrite in place). Only the duplicate above is returned.
  # response is nil when the KMS call itself raised.
  sdk_buffer = response&.plaintext
  zero_bytes!(sdk_buffer) unless sdk_buffer.nil?
end

#key_id ⇒ Object



# File 'lib/active_cipher_storage/providers/aws_kms_provider.rb', line 20

# Returns the KMS key identifier given to the constructor, unchanged.
#
# @return [Object] the value stored in @key_id
def key_id
  @key_id
end

#provider_id ⇒ Object



# File 'lib/active_cipher_storage/providers/aws_kms_provider.rb', line 19

# Returns this provider's identifier, the PROVIDER_ID constant.
#
# @return [String] the value of PROVIDER_ID
def provider_id
  PROVIDER_ID
end