keboola/object-encryptor

JSON object encryption library

Wednesday, January 31, 2018
by Keboola
Repository
8 Watchers
0 Stars
1,742 Installations

PHP
1 Dependents
0 Suggesters
0 Forks
1 Open issues
13 Versions
18 % Grown

The README.md

, _(*1)

Object Encryptor

Library provides interface for encrypting PHP arrays, stdclass objects and scalars. A cipher may contain additional metadata which limits the conditions under which it may be decrypted. The library uses the defuse/php-encryption encryption method with AWS KMS or Azure Key Vault managed keys or Google Cloud KMS., _(*2)

Requirements

The library supports PHP 8.1+., _(*3)

Usage

Entry point to the library is the ObjectEncryptorFactory class which creates instances of ObjectEncryptor class which has encryptGeneric, encryptForComponent, encryptForProject, encryptForConfiguration, encryptForProjectWide encryptForBranchType, encryptForBranchTypeConfiguration, encryptForProjectWideBranchType and corresponding decryptXXX methods. The actual encryption and decryption mechanisms are implemented using Crypto Wrappers. Crypto wrappers implement different verification methods using cypher metadata., _(*4)

Usage

Initialize the library using the factory class:, _(*5)

$encryptor = ObjectEncryptorFactory::getEncryptor(
    new EncryptorOptions(
        'my-stack',
        $kmsKeyId,
        $kmsRegion,
        $akvUrl
    )
);
$encryptor->encryptForComponent('secret', 'my-component');

Alternatively, you can use getAwsEncryptor and getAzureEncryptor and getGcpEncryptor to get cloud specific object encryptors., _(*6)

Wrappers

Depending on the provided keys and parameters, the following wrappers will be available:, _(*7)

GenericKMSWrapper - AWS KMS wrapper for KBC::Secure:: ciphers, requires kmsKeyId and kmsRegion. Also, the runner must have AWS credentials available (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
ComponentKMSWrapper - AWS KMS wrapper for KBC::ComponentSecure:: ciphers, requires kmsKeyId, kmsRegion, stackId and componentId
ProjectKMSWrapper - AWS KMS wrapper for KBC::ProjectSecure:: ciphers, requires kmsKeyId, kmsRegion, stackId, componentId and projectId.
ConfigurationKMSWrapper - AWS KMS wrapper for KBC::ConfigSecure:: ciphers, requires kmsKeyId, kmsRegion, stackId, componentId, projectId and configurationId.
ProjectWideKMSWrapper - AWS KMS wrapper KBC::ProjectWideSecure:: ciphers, requires kmsKeyId, kmsRegion, stackId, and projectId.
BranchTypeProjectKMSWrapper - AWS KMS wrapper KBC::BranchTypeSecure:: ciphers, requires kmsKeyId, kmsRegion, stackId, componentId, projectIdandbranchType`.
BranchTypeConfigurationKMSWrapper - AWS KMS wrapper KBC::BranchTypeConfigSecure:: ciphers, requires kmsKeyId, kmsRegion, stackId, componentId, projectId, configurationId and branchType.
BranchTypeProjectWideKMSWrapper - AWS KMS wrapper KBC::ProjectWideBranchTypeSecure:: ciphers, requires kmsKeyId, kmsRegion, stackId, projectId and branchType.
GenericAKVWrapper - Azure Key Vault wrapper for KBC::SecureKV:: ciphers, requires akvUrl. Also, the runner must have AWS credentials available (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
ComponentAKVWrapper - Azure Key Vault wrapper for KBC::ComponentSecureKV:: ciphers, requires akvUrl, stackId and componentId
ProjectAKVWrapper - Azure Key Vault wrapper for KBC::ProjectSecureKV:: ciphers, requires akvUrl, stackId, componentId and projectId.
ConfigurationAKVWrapper - Azure Key Vault wrapper for KBC::ConfigSecureKV:: ciphers, requires akvUrl, stackId, componentId, projectId and configurationId.
ProjectWideAKVWrapper - Azure Key Vault wrapper KBC::ProjectWideSecureKV:: ciphers, requires akvUrl, stackId, and projectId.
BranchTypeProjectAKVWrapper - Azure Key Vault wrapper KBC::BranchTypeSecureKV:: ciphers, requires akvUrl, stackId, componentId, projectIdandbranchType`.
BranchTypeConfigurationAKVWrapper - Azure Key Vault wrapper KBC::BranchTypeConfigSecureKV:: ciphers, requires akvUrl, stackId, componentId, projectId, configurationId and branchType.
BranchTypeProjectWideAKVWrapper - Azure Key Vault wrapper KBC::ProjectWideBranchTypeSecureKV:: ciphers, requires akvUrl, stackId, projectId and branchType.
GenericGKMSWrapper - Google KMS wrapper for KBC::SecureGKMS:: ciphers, requires gkmsKeyId. Also, the runner must have AWS credentials available (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
ComponentGKMSWrapper - Google KMS wrapper for KBC::ComponentSecureGKMS:: ciphers, requires gkmsKeyId, stackId and componentId
ProjectGKMSWrapper - Google KMS wrapper for KBC::ProjectSecureGKMS:: ciphers, requires gkmsKeyId, stackId, componentId and projectId.
ConfigurationGKMSWrapper - Google KMS wrapper for KBC::ConfigSecureGKMS:: ciphers, requires gkmsKeyId, stackId, componentId, projectId and configurationId.
ProjectWideGKMSWrapper - Google KMS wrapper KBC::ProjectWideSecureGKMS:: ciphers, requires gkmsKeyId, stackId, and projectId.
BranchTypeProjectGKMSWrapper - Google KMS wrapper KBC::BranchTypeSecureGKMS:: ciphers, requires gkmsKeyId, stackId, componentId, projectIdandbranchType`.
BranchTypeConfigurationGKMSWrapper - Google KMS wrapper KBC::BranchTypeConfigSecureGKMS:: ciphers, requires gkmsKeyId, stackId, componentId, projectId, configurationId and branchType.
BranchTypeProjectWideGKMSWrapper - Google KMS wrapper KBC::ProjectWideBranchTypeSecureGKMS:: ciphers, requires gkmsKeyId, stackId, projectId and branchType.

During encryption, the wrapper has to be specified (each encryptXXX method uses one). During decryption, the wrapper is chosen automatically by the cipher prefix. This means that decryptForConfiguration method is also capable of decrypting ciphers created by encryptForComponent or encryptForProject ciphers. If the wrapper is not available (key or parameters are not set or equal to those in the cipher), the value cannot be deciphered and an exception is thrown., _(*8)

Development

Prerequisites: * configured access to cloud providers * installed Azure CLI az (and run az login) * installed AWS CLI aws (and run aws configure --profile YOUR_AWS_PROFILE_NAME) * installed GCP CLI gcloud (and run gcloud auth login or gcloud auth application-default login) * installed terraform (https://www.terraform.io) and jq (https://stedolan.github.io/jq) to setup local env * installed docker to run & develop the app, _(*9)

export NAME_PREFIX= # your name/nickname to make your resource unique & recognizable
export AWS_PROFILE= # your AWS profile name e.g. Keboola-Dev-Platform-Services-AWSAdministratorAccess

cat <<EOF > ./provisioning/local/terraform.tfvars
name_prefix = "${NAME_PREFIX}"
EOF

terraform -chdir=./provisioning/local init -backend-config="key=object-encryptor/${NAME_PREFIX}.tfstate"
terraform -chdir=./provisioning/local apply
./provisioning/local/update-env.sh aws # or azure or gcp

docker compose run --rm tests

License

MIT licensed, see LICENSE file., _(*10)

json encryption

13/12 2017

0.0.1.0

JSON object encryption library

Sources Download

MIT

The Requires

The Development Requires

by Keboola

json encryption

library object-encryptor

JSON object encryption library

keboola/object-encryptor

The README.md

Object Encryptor

Requirements

Usage

Usage

Wrappers

Development

License

The Versions

dev-master

The Requires

The Development Requires

by Keboola

0.1.2

The Requires

The Development Requires

by Keboola

0.1.1

The Requires

The Development Requires

by Keboola

0.1.0

The Requires

The Development Requires

by Keboola

dev-docker

The Requires

The Development Requires

by Keboola

0.0.8

The Requires

The Development Requires

by Keboola

0.0.6

The Requires

The Development Requires

by Keboola

0.0.7

The Requires

The Development Requires

by Keboola

0.0.5

The Requires

The Development Requires

by Keboola

0.0.4

The Requires

The Development Requires

by Keboola

0.0.3

The Requires

The Development Requires

by Keboola

0.0.2

The Requires

The Development Requires

by Keboola

0.0.1

The Requires

The Development Requires

by Keboola