jstink 1.1.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +20 -4
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -33,7 +33,10 @@ Make a note of the key ARN as you'll need it later.
33
33
 
34
34
  5. Create a new Tinkey key, envelope encrypted with your newly created AWS KMS key:
35
35
  ```
36
- tinkey create-keyset --key-template AES256_GCM --out keyset.json --master-key-uri aws-kms://${MASTER_KEY_ARN}
36
+ tinkey create-keyset \
37
+ --key-template AES256_GCM \
38
+ --out keyset.json \
39
+ --master-key-uri aws-kms://${MASTER_KEY_ARN}
37
40
  ```
38
41
  Because this key is envelope encrypted with the AWS KMS key you can store it with the data or with the application.
39
42
 
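Review bot: `${MASTER_KEY_ARN}` on the `--master-key-uri` line is used without the visible context showing where it is set; the preceding step only says to make a note of the key ARN. Consider adding a line before the command that assigns the variable, and writing the argument as `"aws-kms://${MASTER_KEY_ARN:?}"` so that an unset variable fails in the shell instead of passing a bare `aws-kms://` URI to tinkey. The split across continuation lines is equivalent to the removed one-liner as long as nothing follows the trailing backslashes.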
@@ -52,17 +55,30 @@ const plaintext = await aead.decrypt(ciphertext, 'associatedData');
52
55
  7. At some point, as determined by your cryptoperiod, you'll want to rotate your keys. Tinkey makes this nice and easy. First, create a new key:
53
56
 
54
57
  ```
55
- tinkey add-key --key-template AES256_GCM --in keyset.json --out keysetv2.json --master-key-uri aws-kms://${MASTER_KEY_ARN}
58
+ tinkey add-key \
59
+ --key-template AES256_GCM \
60
+ --in keyset.json \
61
+ --out keysetv2.json \
62
+ --master-key-uri aws-kms://${MASTER_KEY_ARN}
56
63
  ```
57
64
 
58
65
  Once you've deployed this keyset, you can make it the default for encryption:
59
66
 
60
67
  ```
61
- tinkey promote-key --key-id <new-key-id> --key-template AES256_GCM --in keysetv2.json --out keysetv3.json --master-key-uri aws-kms://${MASTER_KEY_ARN}
68
+ tinkey promote-key \
69
+ --key-id <new-key-id> \
70
+ --key-template AES256_GCM \
71
+ --in keysetv2.json \
72
+ --out keysetv3.json \
73
+ --master-key-uri aws-kms://${MASTER_KEY_ARN}
62
74
  ```
63
75
 
64
76
  Decrypt operations will still use the key that was used for encryption (the encryption key ID is stored as part of the Tink wire format). To completely remove the old key (e.g. in the event of a compromise) you'll need to run a process to re-encrypt all data encrypted with the old key, then you can delete the old key:
65
77
 
66
78
  ```
67
- tinkey delete-key --key-template AES256_GCM --in keysetv3.json --out keysetv4.json --master-key-uri aws-kms://${MASTER_KEY_ARN}
79
+ tinkey delete-key \
80
+ --key-template AES256_GCM \
81
+ --in keysetv3.json \
82
+ --out keysetv4.json \
83
+ --master-key-uri aws-kms://${MASTER_KEY_ARN}
68
84
  ```
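Review bot: the `delete-key` command at the end of this hunk does not say which key to delete: it carries `--key-template AES256_GCM` but no `--key-id`, unlike `promote-key` just above it. Since the surrounding text presents this as the step for removing an old or compromised key, add `--key-id <old-key-id>` there. `--key-template` also looks carried over from `add-key` onto both `promote-key` and `delete-key`, where no new key is generated, and should probably be dropped. With each flag now on its own line, both fixes would be one-line changes.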
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "jstink",
3
- "version": "1.1.0",
3
+ "version": "1.1.1",
4
4
  "description": "",
5
5
  "main": "src/index.js",
6
6
  "scripts": {
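Review bot: `"description": ""` in the context lines of this hunk is still empty in 1.1.1. The patch-level bump fits a release whose only other changed file is the README, but a package that handles key material is easier to identify and vet in the registry with a short description of what it does, so consider filling it in alongside the next version change.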