Documentation
Overview
Package dyno provides a simple way to encrypt and decrypt DynamoDB items with a KMS key. It is useful for passing sensitive information to a client. For example, the LastEvaluatedKey returned by a DynamoDB query can be encrypted and passed to a client. The client can then pass the encrypted LastEvaluatedKey back to the server, which can decrypt it and use it to continue the query.
Example:
// Create a new CryptedItem
cryptedItem := dyno.NewCryptedItem("alias/my-kms-key", kmsClient)

// Encrypt the lastEvaluatedKey
encryptedLastEvaluatedKey, err := cryptedItem.Encrypt(ctx, map[string]string{
	"clientID": "1234",
}, lastEvaluatedKey)

// Pass the encryptedLastEvaluatedKey to the client
// Client passes the encryptedLastEvaluatedKey back to the server

// Decrypt the encryptedLastEvaluatedKey
// (plain assignment: both variables are already declared above)
lastEvaluatedKey, err = cryptedItem.Decrypt(ctx, map[string]string{
	"clientID": "1234",
}, encryptedLastEvaluatedKey)
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type ItemCrypter
type ItemCrypter interface {
	Encrypt(ctx context.Context, item map[string]types.AttributeValue) (string, error)
	Decrypt(ctx context.Context, item string) (map[string]types.AttributeValue, error)
}
ItemCrypter is an interface that encrypts and decrypts DynamoDB items.
func NewAesItemCrypter
func NewAesItemCrypter(password, salt []byte) (ItemCrypter, error)
NewAesItemCrypter creates a new ItemCrypter that uses AES encryption.
func NewKmsItemCrypter
func NewKmsItemCrypter(kmsKeyID string, kmsClient *kms.Client) ItemCrypter