Tenant Security Client NodeJS

The SDK is published to NPM and can be installed via

npm add @ironcorelabs/tenant-security-nodejs

The minimum Node version supported by this library is Node 10. This library also contains TypeScript definitions.

Quickstart

This is a minimal example of round tripping a document that gets encrypted to a key controlled by a tenants KMS.

const {TenantSecurityKMSClient, RequestMetadata} = require("@ironcorelabs/tenant-security-nodejs");

// Initialize the client with a Tenant Security Proxy domain and API key.
// Typically this would be done once when the application or service initializes
const client = new TenantSecurityKMSClient(PROXY_ENDPOINT, API_KEY);

// Create a map containing your document data
const document = {
    ssn: Buffer.from("000-12-2345", "utf-8"),
    address: Buffer.from("2825-519 Stone Creek Rd, Bozeman, MT 59715", "utf-8"),
    name: Buffer.from("Jim Bridger", "utf-8")
};

// Create metadata used to associate this document to a tenant, name the document, and
// identify the service or user making the call
const metadata = new RequestMetadata(TENANT_ID, "serviceOrUserId", "PII");

// Request a key from the KMS and use it to encrypt the document
client.encryptDocument(documentMap, metadata)
    .then((encryptResult) => {
        /* … persist the EDEK and encryptedDocument to your persistence layer … */
        const edek = encryptResult.edek;
        const encryptedDocument = encryptResult.encryptedDocument;

        /* … retrieve the encrypted fields and EDEK from your persistence layer */

        // Recreate the encrypted document from persisted data
        const recreated = {encryptedDocument, edek};
        // Decrypt the document back to plaintext
        return client.decryptDocument(recreated, metadata);
    })
    .then((decryptedDoc) => {
        // Access decrypted fields from the doc
        const name = decryptedDoc.name.toString("utf-8");
    })

SDK Documentation

The Node SDK contains several classes which provide the functionality necessary to communicate with the Tenant Security Proxy.

class RequestMetadata

constructor(tenantId, requestingUserOrServiceId, dataLabel, requestId?, otherData?)

Parameters

Parameter Name Value Description
tenantId string Unique ID of tenant that is performing the operation.
requestingUserOrServiceId string Unique ID of user/service that is processing data.
dataLabel string Classification of data being processed.
[requestId] string Unique ID that ties host application request ID to Tenant Security Proxy logs.
[otherData] {[string]: string} Additional key/value pairs to add to metadata which will be logged in full within the Tenant Security Proxy logs.

class TenantSecurityKmsClient

constructor(tspDomain: string, apiKey: string)

Parameters

Parameter Name Value Description
tspDomain string Domain where the Tenant Security Proxy is running in your infrastructure.
apiKey string Key to use for requests to the Tenant Security Proxy.
isCiphertext(bytes)

Check if the provided bytes are a valid encrypted document.

Parameters

Parameter Name Value Description
bytes Buffer Bytes to verify.

Response

Returns a boolean denoting if the provided bytes are valid ciphertext.

encryptDocument(document, metadata)

Encrypt the provided document. Documents are provided as a map of fields from the document id/name (string) to bytes (Buffer). Uses the Tenant Security Proxy to generate a new document encryption key (DEK), encrypt that key (EDEK) and then uses the DEK to encrypt all of the provided document fields.

Parameters

Parameter Name Value Description
document {[string]: Buffer} Document to encrypt. Each field in the provided document will be encrypted with the same key.
metadata RequestMetadata Metadata for this operation.

Response

Returns a Promise which resolves with a map from each fields id/name to encrypted bytes as well as the EDEK and discards the DEK.

{
    "encryptedDocument": {[string]: Buffer},
    "edek": string
}
encryptStream(inputStream, outputStream, metadata)

Encrypt the provided stream of bytes without having to read in the full bytes. Writes out the encrypted bytes to the output stream.

Parameters

Parameter Name Value Description
inputStream NodeJS.ReadableStream A stream of readable bytes.
outputStream NodeJS.WritableStream A writable destination stream
metadata RequestMetadata Metadata for this operation.

Response

Returns a Promise which resolves with the EDEK and discards the DEK. Once the Promise resolves all of the encrypted bytes will have been written to the output stream.

{
    "edek": string
}
encryptDocumentWithExistingKey(document, metadata)

Encrypt the provided document reusing an existing encrypted document encryption key (EDEK). Makes a call out to the Tenant Security Proxy to decrypt the EDEK and then uses the resulting key (DEK) to encrypt the document. This allows callers to update/re-encrypt data that has already been encrypted with an existing key. For example, if multiple columns in a DB row are all encrypted to the same key and one of those columns needs to be updated, this method allows the caller to update a single column without having to re-encrypt every field in the row with a new key.

Parameters

Parameter Name Value Description
document.edek string Existing EDEK used to encrypt documents.
document.plaintextDocument {[string]: Buffer} Collection of fields to re-encrypt with the existing key.
metadata RequestMetadata Metadata for this operation.

Response

Returns a Promise which resolves with a map from each fields id/name to encrypted bytes as well as the EDEK and discards the DEK.

{
    "encryptedDocument": {[string]: Buffer},
    "edek": string
}
encryptDocumentBatch(documentList, metadata)

Encrypt a map of documents from the ID of the document to the list of fields to encrypt. Makes a call out to the Tenant Security Proxy to generate a collection of new DEK/EDEK pairs for each document ID provided. This function supports partial failure so it returns two objects, one of document ID to successfully encrypted document and one of document ID to a TenantSecurityClientException.

Parameters

Parameter Name Value Description
documentList {[string]: {[string]: Buffer}} Collection of fields to encrypt from the field name to the bytes to encrypt.
metadata RequestMetadata Metadata for this operation.

Response

Returns a Promise which resolves with a collection of successes and failures that occurred during operation. The keys of each map returned will be the same keys provided in the original document list.

{
    "successes": {[string]: {
        "encryptedDocument": {[string]: Buffer},
        "edek": string
    }},
    "failures": {[string]: TenantSecurityClientException},
    "hasSuccesses": boolean,
    "hasFailures": boolean,
}
encryptDocumentBatchWithExistingKey(documentList, metadata)

Re-encrypt a existing map of documents from the ID of the document to the previously encrypted document. Makes a call out to the Tenant Security Proxy to decrypt the EDEKs present in each provided document. This function supports partial failure so it returns two objects, one of document ID to successfully re-encrypted document and one of document ID to a TenantSecurityClientException.

Parameters

Parameter Name Value Description
documentList {[string]: {plaintextDocument: {[string]: Buffer}, edek: string}} Collection of plaintext documents with the EDEK that was previously used to encrypt them.
metadata RequestMetadata Metadata for this operation.

Response

Returns a Promise which resolves with a collection of successes and failures that occurred during operation. The keys of each map returned will be the same keys provided in the original document list.

{
    "successes": {[string]: {
        "encryptedDocument": {[string]: Buffer},
        "edek": string
    }},
    "failures": {[string]: TenantSecurityClientException},
    "hasSuccesses": boolean,
    "hasFailures": boolean,
}
decryptDocument(encryptedDoc, metadata)

Decrypt the provided document. Decrypts the documents encrypted document key (EDEK) using the Tenant Security Proxy and uses it to decrypt and return the document bytes. The DEK is then discarded.

Parameters

Parameter Name Value Description
encryptedDoc.edek string EDEK used to encrypt the document.
encryptedDoc.encryptedDocument {[string]: Buffer} Collection of fields to decrypt from the field name to the bytes to decrypt.
metadata RequestMetadata Metadata for this operation.

Response

Returns a Promise which resolves with each documents decrypted field bytes.

{
    "plaintextDocument": {[string]: Buffer},
    "edek": string
}
decryptStream(edek: string, inputStream, outputStream, metadata)

Use the provided EDEK to decrypt the bytes from the provided input stream and write the decrypted bytes out to the provided output stream.

Parameters

Parameter Name Value Description
edek string EDEK that was used to encrypt the bytes in the provided inputStream.
inputStream NodeJS.ReadableStream A stream of readable encrypted bytes.
outputStream NodeJS.WritableStream A writable destination stream
metadata RequestMetadata Metadata for this operation.

Response

Returns a Promise which resolves with the EDEK and discards the DEK. Once the Promise resolves all of the decrypted bytes will have been written to the output stream.

{
    "edek": string
}
decryptDocumentBatch(documentList, metadata)

Decrypt a map of documents from the ID of the document to its encrypted content. Makes a call out to the Tenant Security Proxy to decrypt all of the EDEKs in each document. This function supports partial failure so it returns two objects, one of document ID to successfully decrypted document and one of document ID to a TenantSecurityClientException.

Parameters

Parameter Name Value Description
documentList {[string]: {encryptedDocument: {[string]: Buffer}, edek: string}} Collection of encrypted documents with the EDEK that was previously used to encrypt them.
metadata RequestMetadata Metadata for this operation.

Response

Returns a Promise which resolves with a collection of successes and failures that occurred during operation. The keys of each map returned will be the same keys provided in the original document list.

{
    "successes": {[string]: {
        "plaintextDocument": {[string]: Buffer},
        "edek": string
    }},
    "failures": {[string]: TenantSecurityClientException},
    "hasSuccesses": boolean,
    "hasFailures": boolean,
}

class TenantSecurityClientException

All errors within the client library will be an instance of the TenantSecurityClientException. This custom exception exposes an error message as well as an error code that provides more information as to what error occurred. All error codes can be seen within the library source.

Changelog

The changelog can be viewed in the library repository.

Features

We Are For

Trust Center

Contact Us

Follow Us