16
我有一個將數據寫入DynamoDB的Lambda(NodeJS)函數。有些數據需要加密。我使用KMS加密和存儲進行加密。當我使用不同的Lambda函數從Dynamo中檢索並嘗試解密時,出現錯誤。如果我加密,然後解密,我可以做到這一點,但如果我從數據庫中讀取加密值,它不會解密。 我的加密/存儲代碼如下:使用Amazon KMS加密值,使用帶有Lambda的DynamoDB存儲/檢索(NodeJS)
console.log('Loading event');
var AWS = require('aws-sdk');
var keyId = "arn:aws:kms:us-east-1:5423542542:key/xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxx";
var tableName = "person";
var dynamoDBConfiguration = {
"region": "us-west-2"
};
AWS.config.update(dynamoDBConfiguration);
var dynamodb = new AWS.DynamoDB({apiVersion: '2012-08-10'});
var kms = new AWS.KMS({region: 'us-east-1'});
var newId = "1234-56789-101112-13141516";
var item = {};
exports.handler = function (event, context) {
console.log('ssn');
//encrypt it
var ssnParams = {
KeyId: keyId,
Plaintext: "123-45-6789"
};
kms.encrypt(ssnParams, function (err, data) {
if (err) {
console.log(err, err.stack);
}
else {
console.log(' ssn encrypted');
var enc_ssn = data.CiphertextBlob;
item["SSN"] = {"Value": {"B": enc_ssn}};
item["First_Name"] = {"Value": {"S": "Joe"}};
item["Last_Name"] = {"Value": {"S": "Blow"}};
dynamodb.updateItem({
"TableName": tableName,
"AttributeUpdates": item,
"ReturnValues": "ALL_NEW",
"Key": {
"id": {"S": newId}
}
}, function (err, data) {
if (err) {
context.done(err);
}
else {
console.log('great success: %j', data);
context.succeed("Person Successfully Inserted");
}
});
}
});
};
我的檢索/解密代碼如下:
console.log('Loading event');
var AWS = require('aws-sdk');
var dynamoDBConfiguration = {
"region": "us-west-2"
};
AWS.config.update(dynamoDBConfiguration);
var dynamodb = new AWS.DynamoDB({apiVersion: '2012-08-10'});
var keyId = "arn:aws:kms:us-east-1:5423542542:key/xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxx";
var tableName = "person";
var kms = new AWS.KMS({region: 'us-east-1'});
exports.handler = function (event, context) {
console.log(JSON.stringify(event, null, ' '));
var params = {};
var id = event.id;
console.log(id);
if (id && id !== '') {
params = {
"TableName": tableName,
KeyConditionExpression: "id = :id",
ExpressionAttributeValues: {
':id': {'S': id}
}
};
dynamodb.query(params, function (err, data) {
if (err) {
context.done(err);
}
else {
var person = data.Items[0];
console.log('query success');
console.log(person);
if (person.SSN) {
console.log('have ssn');
var b_ssn = person.SSN;
console.log(b_ssn);
person.SSNtext = "";
var encryptedParams = {
CiphertextBlob: Buffer(b_ssn, 'base64'),
};
kms.decrypt(encryptedParams, function (err, decrypteddata) {
if (err) {
console.log(err, err.stack);
//context.done(err);
}
else {
person.SSNtext = decrypteddata.Plaintext.toString();
console.log(decrypteddata.Plaintext.toString());
context.succeed(person);
}
});
}
}
});
}
else {
params = {
"TableName": tableName
};
dynamodb.scan(params, function (err, data) {
if (err) {
context.done(err);
}
else {
console.log('scan success');
context.succeed(data);
}
});
}
};
當我運行這段代碼,我得到以下錯誤:
START RequestId: 639590ac-cb95-11e5-91e4-d706c725f529 Version: $LATEST
2016-02-04T23:16:58.713Z 639590ac-cb95-11e5-91e4-d706c725f529 Loading event
2016-02-04T23:17:00.215Z 639590ac-cb95-11e5-91e4-d706c725f529 {
"id": "1234-56789-101112-13141516"
}
2016-02-04T23:17:00.215Z 639590ac-cb95-11e5-91e4-d706c725f529 1234-56789-101112-13141516
2016-02-04T23:17:00.954Z 639590ac-cb95-11e5-91e4-d706c725f529 query success
2016-02-04T23:17:00.954Z 639590ac-cb95-11e5-91e4-d706c725f529 { Last_Name: { S: 'Blow' },
id: { S: '1234-56789-101112-13141516' },
First_Name: { S: 'Joe' },
SSN: { B: <Buffer 0a 20 ec 00 75 21 f2 61 7d ba 2e 38 7e c6 fd 24 6d 32 b4 c2 b3 29 47 9e 9b 97 f2 a8 46 f2 d0 38 da 37 12 92 01 01 01 02 00 78 ec 00 75 21 f2 61 7d ba 2e ...> } }
2016-02-04T23:17:00.956Z 639590ac-cb95-11e5-91e4-d706c725f529 have ssn
2016-02-04T23:17:00.956Z 639590ac-cb95-11e5-91e4-d706c725f529 { B: <Buffer 0a 20 ec 00 75 21 f2 61 7d ba 2e 38 7e c6 fd 24 6d 32 b4 c2 b3 29 47 9e 9b 97 f2 a8 46 f2 d0 38 da 37 12 92 01 01 01 02 00 78 ec 00 75 21 f2 61 7d ba 2e ...> }
2016-02-04T23:17:01.573Z 639590ac-cb95-11e5-91e4-d706c725f529 { [InvalidCiphertextException: null]
message: null,
code: 'InvalidCiphertextException',
time: Thu Feb 04 2016 23:17:01 GMT+0000 (UTC),
我可以加密和解密加密值,但是當我存儲該值時,檢索它並嘗試解密它,則失敗。任何幫助將不勝感激。
您是否使用['Binary'](http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DataModel.html#DataModel。 DataTypes.Binary)數據類型來存儲加密的數據?根據文檔,您還需要以Base64格式對值進行編碼。 –
感謝您的回覆鮑里斯。你在哪裏看到這個文檔?是DynamoDB還是KMS文檔?我已經嘗試了二進制和字符串類型。 – scoDubblT
我發佈了上面的鏈接 - http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DataModel.html#DataModel.DataTypes.Binary,它表示「二進制類型屬性可以存儲任何二進制數據,例如壓縮數據,加密數據或圖像「...」客戶端應用程序必須以Base64格式編碼二進制值「 –