Download the PHP package paragonie/ciphersweet-provider-aws-kms without Composer
On this page you can find all versions of the php package paragonie/ciphersweet-provider-aws-kms. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package ciphersweet-provider-aws-kms
Short Description CipherSweet key provider backed by AWS KMS
License ISC
Information about the package ciphersweet-provider-aws-kms
AWS KMS KeyProvider for CipherSweet (PHP)
This repository exists to provide a distinct Composer package useful for integrating CipherSweet with AWS KMS.
Installing
Usage
KmsKeyProvider
The basic KmsKeyProvider class is intended to work with a single Encrypted Data Key (EDK). If you're looking to provide multi-tenancy (e.g., one data key per user), look instead at MultiTenantKmsKeyProvider.
First, you'll need a KmsClient object, a desired CipherSweet backend, and the Key ID or ARN for the KMS key you want to use.
Once you have these values defined, you will first want to generate a new data key and persist the Encrypted Data Key to be reused, like so:
From now on, you can simply load your backend as follows:
See also: caching
MultiTenantKmsKeyProvider
The purpose of the provided MultiTenantKmsKeyProvider class is to facilitate workloads where multiple users have their data encrypted with different EDKs. This can safely be used with the same KMS key or with different KMS keys, whichever makes the most sense for your application.
The basic idea behind our design is that some metadata about tenants is stored in a column (which has a value populated for each row):
Somewhere else in your application, you will need a mapping of tenant IDs to EDKs. This MAY be a separate SQL table. We have provided some convenience utilities to make integration easier, but you're free to decide your own mapping and persistence strategy.
To that end, our multi-tenant key provider allows you to provide a class that implements TenantEDKInterface to fetch EDKs and other metadata, as well as create tenants. You are free to implement this however you wish. See, for example, our EasyDB test class.
To create a new tenant (and a new EDK), simply pass the new tenant's ID, the KMS Key ID or ARN, and Encryption Context to use for encrypting this key.
With this little bit of additional glue code on your end, you're all set.
And then you can just use CipherSweet as usual.
Caching
Network round-trips to AWS KMS can be a performance bottleneck for your application, especially if you're running it outside of AWS.
Applications MAY provide a PSR-16 compatible cache to persist plaintext data keys across requests.
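As an added example (not the package's own code, and not an implementation of its TenantEDKInterface), the following sketches in PHP the tenant-to-EDK mapping and the PSR-16 caching of plaintext data keys described above, using the AWS SDK's generateDataKey and decrypt calls; the TenantDataKeyStore class, the tenant_keys table and the cache TTL are assumptions.

```php
<?php
declare(strict_types=1);

use Aws\Kms\KmsClient;
use Psr\SimpleCache\CacheInterface;

// Hypothetical store (not the package's TenantEDKInterface): maps tenant IDs to EDKs
// in an assumed table tenant_keys(tenant_id, kms_key_id, encryption_context, edk).
final class TenantDataKeyStore
{
    public function __construct(
        private KmsClient $kms,
        private PDO $db,
        private CacheInterface $cache,
        private int $cacheTtl = 300 // plaintext keys live in the cache only briefly
    ) {}

    // Ask KMS for a fresh data key; persist only the encrypted copy (EDK) and its context.
    public function createTenant(string $tenantId, string $kmsKeyId, array $context): void
    {
        $result = $this->kms->generateDataKey([
            'KeyId' => $kmsKeyId, 'KeySpec' => 'AES_256', 'EncryptionContext' => $context,
        ]);
        $stmt = $this->db->prepare(
            'INSERT INTO tenant_keys (tenant_id, kms_key_id, encryption_context, edk) VALUES (?, ?, ?, ?)'
        );
        $stmt->execute([$tenantId, $kmsKeyId, json_encode($context), base64_encode($result['CiphertextBlob'])]);
        // $result['Plaintext'] is deliberately never written to the database.
    }

    // Return the tenant's plaintext data key, unwrapping the EDK through KMS on a cache miss.
    public function getPlaintextDataKey(string $tenantId): string
    {
        $cacheKey = 'tenant_dk_' . hash('sha256', $tenantId); // PSR-16 safe key characters
        $cached = $this->cache->get($cacheKey);
        if (is_string($cached)) {
            return $cached;
        }
        $stmt = $this->db->prepare('SELECT encryption_context, edk FROM tenant_keys WHERE tenant_id = ?');
        $stmt->execute([$tenantId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            throw new RuntimeException('Unknown tenant');
        }
        // Decrypt must present the same encryption context used at generation, or KMS refuses.
        $result = $this->kms->decrypt([
            'CiphertextBlob' => base64_decode($row['edk'], true),
            'EncryptionContext' => json_decode($row['encryption_context'], true),
        ]);
        $this->cache->set($cacheKey, $result['Plaintext'], $this->cacheTtl);
        return $result['Plaintext'];
    }
}
```

The cache holds plaintext key material, so it should be process-local or otherwise as protected as the database, and the TTL bounds how long a revoked KMS grant keeps working.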
All versions of ciphersweet-provider-aws-kms with dependencies
aws/aws-sdk-php Version ^3
paragonie/certainty Version ^2.9
paragonie/ciphersweet Version ^4.7
psr/simple-cache Version ^3