@lazyapps/encryption 0.0.0-init.0 → 0.2.0-branch-feature-encryption-20260306195113

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/LICENSE +15 -0
  2. package/encryption.js +4 -2
  3. package/envelopeEncryption.js +82 -31
  4. package/fieldEncryption.js +7 -4
  5. package/keystores/inmemory.js +4 -0
  6. package/keystores/mongo.js +33 -17
  7. package/keystores/vault.js +25 -9
  8. package/package.json +7 -7
  9. package/queryDecryptor.js +6 -1
  10. package/storageEncryption.js +1 -0
package/LICENSE ADDED
@@ -0,0 +1,15 @@
1
+ ISC License
2
+
3
+ Copyright (c) 2026, Oliver Sturm
4
+
5
+ Permission to use, copy, modify, and/or distribute this software for any
6
+ purpose with or without fee is hereby granted, provided that the above
7
+ copyright notice and this permission notice appear in all copies.
8
+
9
+ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
10
+ REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11
+ AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
12
+ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13
+ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
14
+ OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15
+ PERFORMANCE OF THIS SOFTWARE.
package/encryption.js CHANGED
@@ -41,9 +41,10 @@ export const createEncryption = ({
41
41
 
42
42
  const shredIfForget = (evt) =>
43
43
  evt.type === 'SUBJECT_FORGOTTEN'
44
- ? cachedKs
44
+ ? (envelope.clearCachedDEKs(evt.payload.subjectId),
45
+ cachedKs
45
46
  .deleteKeysForSubject(evt.payload.subjectId)
46
- .then(() => evt)
47
+ .then(() => evt))
47
48
  : Promise.resolve(evt);
48
49
 
49
50
  return fieldEncryptor
@@ -130,6 +131,7 @@ export const createEncryption = ({
130
131
 
131
132
  forgetSubject: (subjectId) => {
132
133
  log.info(`Forgetting subject: ${subjectId}`);
134
+ envelope.clearCachedDEKs(subjectId);
133
135
  return cachedKs.deleteKeysForSubject(subjectId);
134
136
  },
135
137
 
package/envelopeEncryption.js CHANGED
@@ -1,35 +1,86 @@
1
1
  import { randomBytes } from 'node:crypto';
2
2
 
3
- export const createEnvelopeManager = (keyStore, contexts) => ({
4
- getDEK: (subjectId, contextName, version) =>
5
- keyStore.getDEK(subjectId, contextName, version).then((storedDEK) => {
6
- if (!storedDEK) {
7
- const newDEK = randomBytes(32);
8
- return keyStore
9
- .wrapDEK(contextName, newDEK)
10
- .then((wrappedKey) => ({
11
- key: newDEK,
12
- version: 1,
13
- wrappedKey,
14
- }))
15
- .then((dekInfo) =>
16
- keyStore
17
- .storeDEK(subjectId, contextName, dekInfo)
18
- .then(() => dekInfo),
19
- );
20
- }
3
+ export const createEnvelopeManager = (keyStore, contexts) => {
4
+ const dekCache = new Map();
5
+
6
+ const cacheKey = (subjectId, contextName) =>
7
+ `${subjectId}:${contextName}`;
8
+
9
+ const cacheDEK = (subjectId, contextName, dekInfo) => {
10
+ dekCache.set(cacheKey(subjectId, contextName), dekInfo);
11
+ return dekInfo;
12
+ };
13
+
14
+ return {
15
+ getDEK: (subjectId, contextName, version, wrappedKey) => {
16
+ const cached = dekCache.get(cacheKey(subjectId, contextName));
17
+ if (cached) return Promise.resolve(cached);
18
+
21
19
  return keyStore
22
- .unwrapDEK(contextName, storedDEK.wrappedKey)
23
- .then((plainDEK) => ({
24
- key: plainDEK,
25
- version: storedDEK.version,
26
- }));
27
- }),
20
+ .getDEK(subjectId, contextName, version)
21
+ .then((storedDEK) => {
22
+ if (storedDEK && storedDEK.forgotten) {
23
+ return Promise.reject(
24
+ Object.assign(
25
+ new Error(
26
+ `Keys for subject ${subjectId} have been forgotten`,
27
+ ),
28
+ { code: 'SUBJECT_FORGOTTEN' },
29
+ ),
30
+ );
31
+ }
32
+ if (!storedDEK) {
33
+ if (wrappedKey) {
34
+ return keyStore
35
+ .unwrapDEK(contextName, wrappedKey)
36
+ .then((plainDEK) => ({
37
+ key: plainDEK,
38
+ version: version || 1,
39
+ wrappedKey,
40
+ }))
41
+ .then((dekInfo) =>
42
+ keyStore
43
+ .storeDEK(subjectId, contextName, dekInfo)
44
+ .then(() => cacheDEK(subjectId, contextName, dekInfo)),
45
+ );
46
+ }
47
+ const newDEK = randomBytes(32);
48
+ return keyStore
49
+ .wrapDEK(contextName, newDEK)
50
+ .then((wrappedKey) => ({
51
+ key: newDEK,
52
+ version: 1,
53
+ wrappedKey,
54
+ }))
55
+ .then((dekInfo) =>
56
+ keyStore
57
+ .storeDEK(subjectId, contextName, dekInfo)
58
+ .then(() => cacheDEK(subjectId, contextName, dekInfo)),
59
+ );
60
+ }
61
+ return keyStore
62
+ .unwrapDEK(contextName, storedDEK.wrappedKey)
63
+ .then((plainDEK) =>
64
+ cacheDEK(subjectId, contextName, {
65
+ key: plainDEK,
66
+ version: storedDEK.version,
67
+ wrappedKey: storedDEK.wrappedKey,
68
+ }),
69
+ );
70
+ });
71
+ },
72
+
73
+ clearCachedDEKs: (subjectId) => {
74
+ for (const key of dekCache.keys()) {
75
+ if (key.startsWith(`${subjectId}:`)) dekCache.delete(key);
76
+ }
77
+ },
28
78
 
29
- rotateKEK: (contextName) =>
30
- keyStore.rotateKEK
31
- ? keyStore.rotateKEK(contextName)
32
- : Promise.reject(
33
- new Error('KEK rotation not supported by this key store tier'),
34
- ),
35
- });
79
+ rotateKEK: (contextName) =>
80
+ keyStore.rotateKEK
81
+ ? keyStore.rotateKEK(contextName)
82
+ : Promise.reject(
83
+ new Error('KEK rotation not supported by this key store tier'),
84
+ ),
85
+ };
86
+ };
package/fieldEncryption.js CHANGED
@@ -56,6 +56,7 @@ export const createFieldEncryptor = (envelope, schema) => ({
56
56
  ctx: fieldConfig.context,
57
57
  kid: subjectId,
58
58
  kv: dek.version,
59
+ wk: dek.wrappedKey,
59
60
  };
60
61
  return setNestedValue(evt, fieldPath, encryptedField);
61
62
  });
@@ -86,10 +87,12 @@ export const createFieldEncryptor = (envelope, schema) => ({
86
87
  }
87
88
  }
88
89
 
89
- return envelope.getDEK(value.kid, value.ctx, value.kv).then((dek) => {
90
- const plaintext = decryptValue(dek.key, value);
91
- return setNestedValue(evt, fieldPath, plaintext);
92
- });
90
+ return envelope
91
+ .getDEK(value.kid, value.ctx, value.kv, value.wk)
92
+ .then((dek) => {
93
+ const plaintext = decryptValue(dek.key, value);
94
+ return setNestedValue(evt, fieldPath, plaintext);
95
+ });
93
96
  }),
94
97
  Promise.resolve(decrypted),
95
98
  );
package/keystores/inmemory.js CHANGED
@@ -12,6 +12,7 @@ export const inMemoryKeyStore = (initialKEKs = {}) => ({
12
12
  ]),
13
13
  );
14
14
  const deks = new Map();
15
+ const forgotten = new Set();
15
16
 
16
17
  const wrapLocal = (kek, plainDEK) => {
17
18
  const iv = randomBytes(IV_LENGTH);
@@ -61,6 +62,8 @@ export const inMemoryKeyStore = (initialKEKs = {}) => ({
61
62
  ),
62
63
 
63
64
  getDEK: (subjectId, contextName) => {
65
+ if (forgotten.has(subjectId))
66
+ return Promise.resolve({ forgotten: true });
64
67
  const key = `${subjectId}:${contextName}`;
65
68
  return Promise.resolve(deks.get(key) || null);
66
69
  },
@@ -84,6 +87,7 @@ export const inMemoryKeyStore = (initialKEKs = {}) => ({
84
87
  for (const key of deks.keys()) {
85
88
  if (key.startsWith(`${subjectId}:`)) deks.delete(key);
86
89
  }
90
+ forgotten.add(subjectId);
87
91
  return Promise.resolve();
88
92
  },
89
93
 
package/keystores/mongo.js CHANGED
@@ -53,6 +53,8 @@ export const mongoKeyStore = ({
53
53
  ? rootSecret
54
54
  : Buffer.from(rootSecret, 'base64');
55
55
 
56
+ const forgottenCollection = `${dekCollection}-forgotten`;
57
+
56
58
  return MongoClient.connect(url).then((client) => {
57
59
  const db = client.db(database);
58
60
  log.info(`Key store connected to ${database}`);
@@ -65,21 +67,30 @@ export const mongoKeyStore = ({
65
67
  unwrapLocal(deriveKEK(secret, contextName), wrappedDEK),
66
68
  ),
67
69
 
68
- getDEK: (subjectId, contextName, version) => {
69
- const filter = { subjectId, context: contextName };
70
- if (version) filter.version = version;
71
- return db
72
- .collection(dekCollection)
73
- .findOne(filter, { sort: { version: -1 } })
74
- .then((doc) =>
75
- doc
76
- ? {
77
- wrappedKey: { iv: doc.iv, data: doc.data, tag: doc.tag },
78
- version: doc.version,
79
- }
80
- : null,
81
- );
82
- },
70
+ getDEK: (subjectId, contextName, version) =>
71
+ db
72
+ .collection(forgottenCollection)
73
+ .findOne({ subjectId })
74
+ .then((forgotten) => {
75
+ if (forgotten) return { forgotten: true };
76
+ const filter = { subjectId, context: contextName };
77
+ if (version) filter.version = version;
78
+ return db
79
+ .collection(dekCollection)
80
+ .findOne(filter, { sort: { version: -1 } })
81
+ .then((doc) =>
82
+ doc
83
+ ? {
84
+ wrappedKey: {
85
+ iv: doc.iv,
86
+ data: doc.data,
87
+ tag: doc.tag,
88
+ },
89
+ version: doc.version,
90
+ }
91
+ : null,
92
+ );
93
+ }),
83
94
 
84
95
  storeDEK: (subjectId, contextName, dekInfo) =>
85
96
  db.collection(dekCollection).insertOne({
@@ -109,8 +120,13 @@ export const mongoKeyStore = ({
109
120
  const ksLog = getLogger('Encryption/KS', 'ADMIN');
110
121
  ksLog.info(`Deleting all keys for subject: ${subjectId}`);
111
122
  return db
112
- .collection(dekCollection)
113
- .deleteMany({ subjectId })
123
+ .collection(forgottenCollection)
124
+ .updateOne(
125
+ { subjectId },
126
+ { $set: { subjectId, deletedAt: Date.now() } },
127
+ { upsert: true },
128
+ )
129
+ .then(() => db.collection(dekCollection).deleteMany({ subjectId }))
114
130
  .then((result) => {
115
131
  ksLog.info(
116
132
  `Deleted ${result.deletedCount} keys for ${subjectId}`,
package/keystores/vault.js CHANGED
@@ -31,8 +31,10 @@ const authenticateAppRole = (vaultUrl, roleId, secretId) =>
31
31
 
32
32
  const initDekInMemory = () => {
33
33
  const deks = new Map();
34
+ const forgotten = new Set();
34
35
  return Promise.resolve({
35
36
  getDEK: (subjectId, contextName) => {
37
+ if (forgotten.has(subjectId)) return Promise.resolve({ forgotten: true });
36
38
  const key = `${subjectId}:${contextName}`;
37
39
  return Promise.resolve(deks.get(key) || null);
38
40
  },
@@ -53,6 +55,7 @@ const initDekInMemory = () => {
53
55
  for (const key of deks.keys()) {
54
56
  if (key.startsWith(`${subjectId}:`)) deks.delete(key);
55
57
  }
58
+ forgotten.add(subjectId);
56
59
  return Promise.resolve();
57
60
  },
58
61
  close: () => Promise.resolve(),
@@ -64,16 +67,22 @@ const initDekMongo = ({ url, database, collection }) =>
64
67
  MongoClient.connect(url).then((client) => {
65
68
  const db = client.db(database);
66
69
  const coll = db.collection(collection);
70
+ const forgottenColl = db.collection(`${collection}-forgotten`);
67
71
  return {
68
72
  getDEK: (subjectId, contextName) =>
69
- coll
70
- .findOne(
71
- { subjectId, context: contextName },
72
- { sort: { version: -1 } },
73
- )
74
- .then((doc) =>
75
- doc ? { wrappedKey: doc.wrappedKey, version: doc.version } : null,
76
- ),
73
+ forgottenColl.findOne({ subjectId }).then((forgotten) => {
74
+ if (forgotten) return { forgotten: true };
75
+ return coll
76
+ .findOne(
77
+ { subjectId, context: contextName },
78
+ { sort: { version: -1 } },
79
+ )
80
+ .then((doc) =>
81
+ doc
82
+ ? { wrappedKey: doc.wrappedKey, version: doc.version }
83
+ : null,
84
+ );
85
+ }),
77
86
  storeDEK: (subjectId, contextName, dekInfo) =>
78
87
  coll.insertOne({
79
88
  subjectId,
@@ -94,7 +103,14 @@ const initDekMongo = ({ url, database, collection }) =>
94
103
  })),
95
104
  ),
96
105
  deleteKeysForSubject: (subjectId) =>
97
- coll.deleteMany({ subjectId }).then(() => {}),
106
+ forgottenColl
107
+ .updateOne(
108
+ { subjectId },
109
+ { $set: { subjectId, deletedAt: Date.now() } },
110
+ { upsert: true },
111
+ )
112
+ .then(() => coll.deleteMany({ subjectId }))
113
+ .then(() => {}),
98
114
  close: () => client.close(),
99
115
  };
100
116
  }),
package/package.json CHANGED
@@ -1,15 +1,12 @@
1
1
  {
2
2
  "name": "@lazyapps/encryption",
3
- "version": "0.0.0-init.0",
3
+ "version": "0.2.0-branch-feature-encryption-20260306195113",
4
4
  "description": "Field-level PII encryption with crypto-shredding for LazyApps event-sourcing",
5
5
  "main": "index.js",
6
6
  "files": [
7
7
  "*.js",
8
8
  "keystores/"
9
9
  ],
10
- "scripts": {
11
- "test": "vitest"
12
- },
13
10
  "keywords": [
14
11
  "event-sourcing",
15
12
  "cqrs",
@@ -34,7 +31,7 @@
34
31
  "node": ">=18.20.3 || >=20.18.0"
35
32
  },
36
33
  "dependencies": {
37
- "@lazyapps/logger": "workspace:^"
34
+ "@lazyapps/logger": "^0.2.0"
38
35
  },
39
36
  "peerDependencies": {
40
37
  "mongodb": "^6.0.0"
@@ -48,5 +45,8 @@
48
45
  "eslint": "^8.46.0",
49
46
  "vitest": "^4.0.18"
50
47
  },
51
- "type": "module"
52
- }
48
+ "type": "module",
49
+ "scripts": {
50
+ "test": "vitest"
51
+ }
52
+ }
package/queryDecryptor.js CHANGED
@@ -38,7 +38,12 @@ export const createQueryDecryptor = (
38
38
  }
39
39
 
40
40
  return envelope
41
- .getDEK(fieldValue.kid, fieldValue.ctx, fieldValue.kv)
41
+ .getDEK(
42
+ fieldValue.kid,
43
+ fieldValue.ctx,
44
+ fieldValue.kv,
45
+ fieldValue.wk,
46
+ )
42
47
  .then((dek) => ({
43
48
  ...d,
44
49
  [fieldName]: decryptValue(dek.key, fieldValue),
package/storageEncryption.js CHANGED
@@ -29,6 +29,7 @@ export const createStorageEncryptor = (
29
29
  ctx: fieldConfig.context,
30
30
  kid: subjectId,
31
31
  kv: dek.version,
32
+ wk: dek.wrappedKey,
32
33
  },
33
34
  }));
34
35
  }),