47ng / prisma-field-encryption

Transparent field-level encryption at rest for Prisma
https://github.com/franky47/prisma-field-encryption-sandbox
MIT License
223 stars 27 forks

[KMS]: Is it working with cryptographic keys on GCP KMS? #76

Open Ahmadre opened 10 months ago

Ahmadre commented 10 months ago

I have my own Key on Google Cloud Platform in KMS with Key Rotation and all of that.

Can I use it here as my encryption key?

see: https://www.npmjs.com/package/@google-cloud/kms

franky47 commented 10 months ago

I'm not familiar with their API, but if it lets you manage 32-byte keys (for AES-256) and get access to the raw key material, you should be able to format it in a way the underlying encryption library understands:

k1.aesgcm256.{base64url encoded key material}

Ahmadre commented 10 months ago

> I'm not familiar with their API, but if it lets you manage 32-byte keys (for AES-256) and get access to the raw key material, you should be able to format it in a way the underlying encryption library understands:
>
> k1.aesgcm256.{base64url encoded key material}

Thank you for your quick answer :).

Actually, it's not possible to access the raw key material, because that is exactly the security and control of encryption/decryption that KMS providers are built around. Keys live encrypted on Google Cloud servers and can never be exposed in any way. Instead, you can call encrypt/decrypt methods, which are executed inside GCP KMS.

I forked your repository and added a WIP support for GCP KMS: https://github.com/Ahmadre/prisma-field-encryption/commit/b03d2c550855eb0d2d9cd71cc48db4aa04fdcd1b

franky47 commented 10 months ago

We could envision a way to configure the cryptographic layer to use such external providers, in addition to doing it locally by default.

A sort of plugin architecture would be best suited for this, so other KMS providers can be added in the future (e.g. HashiCorp Vault, AWS, Azure, etc.). Even better would be to follow an existing common interface, if such a thing exists.

masterbater commented 10 months ago

Please add AWS KMS

franky47 commented 10 months ago

Would you like to open a PR?